
Copycat criminals abuse Malwarebytes brand in malvertising campaign

While exploit kit activity has been fairly quiet for some time now, we recently discovered a threat actor creating a copycat—fake—Malwarebytes website that was used as a gate to the Fallout EK, which distributes the Raccoon stealer.

The few malvertising campaigns that remain are often found on second- and third-tier adult sites, leading to the Fallout or RIG exploit kits, as a majority of threat actors have moved on to other distribution vectors. However, we believe this faux Malwarebytes malvertising campaign could be payback for our continued work with ad networks to track, report, and dismantle such attacks.

In this blog, we break down the attack and possible motives.

Stolen template includes malicious code

A few days ago, we were alerted about a copycat domain name that abused our brand. The domain malwarebytes-free[.]com was registered on March 29 via REGISTRAR OF DOMAIN NAMES REG.RU LLC and is currently hosted in Russia at 173.192.139[.]27.


Examining the source code, we can confirm that someone stole the content from our original site but added something extra.

A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit.
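The post does not reproduce the gate script itself, so the following is an added illustration of the behaviour it describes rather than the copycat site's code: a small Node.js heuristic that pulls inline scripts out of a fetched page and flags the ones that read the user agent, look for Internet Explorer tokens, and change the location. The sample pages, the placeholder URL and the regular expressions are constructed for this example.

```javascript
// Added illustration (not the copycat site's script, which the post does not reproduce):
// a heuristic sweep over a fetched HTML page for inline scripts that sniff the
// browser and move the visitor elsewhere only when it is Internet Explorer.

// Constructed sample: a cloned download page with an injected gate script.
const SAMPLE_HTML = `
<html><head><title>Free download</title>
<script src="/static/app.js"></script>
<script>
  var ua = navigator.userAgent;
  if (ua.indexOf("MSIE") !== -1 || ua.indexOf("Trident/") !== -1) {
    window.location.href = "http://gate.example/landing"; // placeholder URL, not a real indicator
  }
</script>
</head><body><h1>Download</h1></body></html>`;

// Constructed sample: reads the user agent for telemetry but never navigates.
const BENIGN_HTML = `
<html><head><script>
  var ua = navigator.userAgent;
  fetch("/beacon?ua=" + encodeURIComponent(ua));
</script></head><body></body></html>`;

// Signals that, taken together, describe a browser-conditional redirect.
const UA_SNIFF = /navigator\.(?:userAgent|appName|appVersion)/;
const IE_TOKENS = /MSIE|Trident\/|ActiveXObject|document\.documentMode/g;
// Assignment to location or a call to replace/assign; the bare "location =" form
// also catches comparisons, which is acceptable noise for a triage heuristic.
const NAVIGATES = /(?:window\.|document\.|self\.|top\.)?location(?:\.href\s*=|\.replace\s*\(|\.assign\s*\(|\s*=)/;

// Inline <script> bodies only; scripts loaded via src= would need a separate fetch.
// The ordinal counts every script tag so a finding can be located in the page.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m, ordinal = 0;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) scripts.push({ ordinal, body: m[2] });
    ordinal++;
  }
  return scripts;
}

// One finding per inline script that sniffs the UA, names an IE token, and changes
// the location. Visitors on any other browser never see the hop, which is why an
// analyst loading the page in Chrome sees only the clean copy of the site.
function findConditionalRedirects(html) {
  const findings = [];
  for (const s of extractInlineScripts(html)) {
    const tokens = s.body.match(IE_TOKENS) || [];
    if (UA_SNIFF.test(s.body) && tokens.length > 0 && NAVIGATES.test(s.body)) {
      findings.push({ script: s.ordinal, tokens: [...new Set(tokens)] });
    }
  }
  return findings;
}

console.log(findConditionalRedirects(SAMPLE_HTML)); // one finding: script 1, tokens MSIE and Trident/
console.log(findConditionalRedirects(BENIGN_HTML)); // []
```

When checking a suspect page, fetch it with an Internet Explorer user agent as well as a modern one and diff the two responses; a gate like this one serves different content to each, and the heuristic above only helps when the gate is inline rather than loaded from a separate script.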

Infection chain for copycat campaign

This fake Malwarebytes site is actively used as a gate in a malvertising campaign via the PopCash ad network, which we contacted to report the malicious advertiser.


Fallout EK is one of the newer (or perhaps last) exploit kits that is still active in the wild. In this sequence, it is used to launch the Raccoon stealer onto victim machines.

A motive behind decoy pages

The threat actor behind this campaign may be tied to others we’ve been tracking for a few months. They have used similar fake copycat templates before that act as gates. For example, a fake Cloudflare domain (popcashexhange[.]xyz) also plays on the PopCash name.

There is no question that security companies working with providers and ad networks are cutting into the effort and money cybercriminals invest. We’re not sure whether to take this plagiarism as a compliment or not.

If you are an existing Malwarebytes user, you were already safe from this malvertising campaign, thanks to our anti-exploit protection.


Copycat tactics have long been used by scammers and other criminals to dupe online and offline victims. As always, it is better to double-check the identity of the website you are visiting and, if in doubt, reach it directly, either by typing the URL yourself or via a bookmarked page or tab.

Indicators of compromise

Fake Malwarebytes site

malwarebytes-free[.]com
31.31.198[.]161

Fallout EK

134.209.86[.]129

Raccoon Stealer

78a90f2efa2fdd54e3e1ed54ee9a18f1b91d4ad9faedabd50ec3a8bb7aa5e330
34.89.159[.]33
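The indicators above are published defanged ("[.]" in place of "."), while logs hold the live form. As an added example that is not part of the original post, the Node.js snippet below refangs the list and sweeps a handful of constructed proxy and endpoint records for the domain, the IP addresses and the payload hash. The record layout (host, dst_ip, sha256) is an assumption made for the example; map your own log fields onto it.

```javascript
// Added example, not part of the original post: refang the indicators listed above
// and sweep constructed proxy and endpoint records for them. The record layout is
// an assumption for the example; map your own log fields onto host/dst_ip/sha256.

const IOCS_DEFANGED = {
  domains: ["malwarebytes-free[.]com"],
  ips: ["31.31.198[.]161", "134.209.86[.]129", "34.89.159[.]33"],
  sha256: ["78a90f2efa2fdd54e3e1ed54ee9a18f1b91d4ad9faedabd50ec3a8bb7aa5e330"],
};

// Indicators are shared with "[.]" and "hxxp" so they cannot be clicked by accident;
// logs hold the live form, so normalise before comparing.
function refang(s) {
  return s.replace(/\[\.\]/g, ".").replace(/hxxp/gi, "http");
}

function buildMatcher(iocs) {
  const domains = new Set(iocs.domains.map(d => refang(d).toLowerCase()));
  const ips = new Set(iocs.ips.map(refang));
  const hashes = new Set(iocs.sha256.map(h => h.toLowerCase()));
  return function match(record) {
    const hits = [];
    if (record.host) {
      const host = record.host.toLowerCase().replace(/\.$/, "");
      for (const d of domains) {
        // The domain itself or any subdomain, but not look-alikes such as
        // "notmalwarebytes-free.com".
        if (host === d || host.endsWith("." + d)) hits.push({ type: "domain", value: d });
      }
    }
    if (record.dst_ip && ips.has(record.dst_ip)) hits.push({ type: "ip", value: record.dst_ip });
    if (record.sha256 && hashes.has(record.sha256.toLowerCase())) {
      hits.push({ type: "sha256", value: record.sha256.toLowerCase() });
    }
    return hits;
  };
}

// Constructed sample records (not real telemetry): one client walks the chain the
// post describes, from the copycat site to the EK host to the dropped payload.
const SAMPLE_RECORDS = [
  { ts: "2020-04-01T10:00:01Z", src: "10.0.0.5", host: "www.malwarebytes.com", dst_ip: "203.0.113.10" },
  { ts: "2020-04-01T10:00:07Z", src: "10.0.0.5", host: "MALWAREBYTES-FREE.com", dst_ip: "31.31.198.161" },
  { ts: "2020-04-01T10:00:09Z", src: "10.0.0.5", host: "cdn.example.net", dst_ip: "134.209.86.129" },
  { ts: "2020-04-01T10:00:15Z", src: "10.0.0.5", path: "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
    sha256: "78A90F2EFA2FDD54E3E1ED54EE9A18F1B91D4AD9FAEDABD50EC3A8BB7AA5E330" },
  { ts: "2020-04-01T10:01:00Z", src: "10.0.0.9", host: "notmalwarebytes-free.com", dst_ip: "198.51.100.7" },
];

// Returns only the records that hit, each annotated with what matched.
function sweep(records, iocs) {
  const match = buildMatcher(iocs);
  return records
    .map(r => ({ ...r, hits: match(r) }))
    .filter(r => r.hits.length > 0);
}

for (const r of sweep(SAMPLE_RECORDS, IOCS_DEFANGED)) {
  console.log(r.ts, r.src, r.hits.map(h => `${h.type}=${h.value}`).join(" "));
}
```

Three of the five constructed records hit. Seen from one source address in that order (copycat domain, then the Fallout host, then the Raccoon hash on disk), the matches reconstruct the infection chain rather than three unrelated alerts, so group hits by client before triaging them.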

The post Copycat criminals abuse Malwarebytes brand in malvertising campaign appeared first on Malwarebytes Labs.

Cybersecurity labeling scheme introduced to help users choose safe IoT devices

The Internet of Things (IoT) is a term used to describe a wide variety of devices that are connected to the Internet to improve user experience. For example, a doorbell becomes part of the IoT when it connects to the Internet and allows users to see visitors outside their door.

But the way in which some of these IoT devices connect invites serious security and privacy concerns. This has led to pleas for laws and regulation in the production and marketing of IoT devices, including increased security features and better visibility into the security of those features.

Our loyal readers have seen our regular complaints about the built-in security of IoT devices and know how concerned we are about products that are designed to optimize functionality and cost over security. Many manufacturers expect consumers to care more about ease-of-use than about security.

But while this may be true for many consumers, the apparent indifference can also be explained by a lack of comparable options. If consumers were given the choice between a device that’s cheap, easy to use, and insecure and a device that’s a bit more costly but keeps users protected—our bet is there’d be a good chunk of consumers who’d select the more secure option.

While some states and countries do have laws demanding manufacturers produce “safe” products, this doesn’t help consumers in making a choice. At best, it limits their choice as some unsafe products will not make it to the market. To help users make an informed decision, some countries have decided to introduce a new cybersecurity labeling scheme (CLS) that provides consumers with information about the security of connected smart devices.

Countries introducing a cybersecurity labeling scheme

In November 2019, Finland became the first country in Europe to grant information security certificates to devices that passed the required tests. Their reasoning was that the security level of devices in the market varies a lot, and there’s no easy way for consumers to know which products are safe and which are not. As a service to the public, a website was launched to make it easy to find information about the devices that have been awarded the label.

On January 27, 2020, the UK’s Digital Minister Matt Warman announced a new law to protect millions of IoT users from the threat of cyberattack. The plan is to make sure that all consumer smart devices sold in the UK adhere to rigorous security requirements for the Internet of Things (IoT).

Shortly after the UK, the Cyber Security Agency of Singapore (CSA) announced plans to introduce a new Cybersecurity Labeling Scheme (CLS) later this year to help consumers make informed purchasing choices about network-connected smart devices.

As part of the initiative, CLS will address the security of IoT devices, a growing area of concern. The CLS, which is a first for the Asia-Pacific region, will first be introduced to two product types: WiFi routers and smart home hubs.


The goals of a cybersecurity labeling scheme

The cybersecurity labeling scheme will be aligned to globally-accepted security standards for consumer Internet of Things products. It will mean that robust security standards will be introduced from the design stage and not bolted on as an afterthought.

The scheme proposes that such devices should carry a security label to help consumers navigate the market and know which devices to trust, and to encourage manufacturers to improve security. The idea is that—similar to how Bluetooth and WiFi labels help consumers feel confident their products will work with wireless communication protocols—a security label will instill confidence in consumers that their device was built according to security standards.

The Singapore CLS is a first-of-its-kind cybersecurity rating system in the APAC region, and is primarily aimed at helping consumers make informed choices. The rating of a product will be based on a series of assessments and tests including, but not limited to:

  • Meeting basic security requirements (e.g. unique default passwords)
  • Adherence to software and hardware security-by-design principles
  • Absence of common software security vulnerabilities
  • Resistance to basic penetration testing activity

The same is true for the law that is under preparation for the UK. Their primary security requirements are:

  • All consumer Internet-connected device passwords must be unique and not resettable to any universal factory setting.
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability, and it will be acted on in a timely manner.
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.

As you can see, in both cases the main worry is the omnipresence of default passwords that are the same across a whole series of devices. On top of that, users are often not clearly told that they need to change the default password, and changing it is frequently hard for the average user.

Optimizing the CLS

We applaud the efforts made by governments to improve the overall security of IoT devices, but there are some improvements we would like to suggest.

  • The Finnish site is available in Finnish and Swedish. For an outsider, it is hard to make out which products are approved and why. An English version would be a big step forward.
  • The laws in the UK and California are a good start but could have been more restrictive. And they don’t inform a customer about the security of a device when they are looking to buy from a web shop that might be abroad.
  • The Singapore CLS for now focuses on routers and smart home hubs because they consider them the gateways to the rest of the household. While this makes sense, it is a limited scope.

What all these regulations have in common is that they only inform the customer whether a device has passed muster in a certain state or country. Surely we can come up with a global scheme that gives customers a security level between “don’t buy this” and “very safe,” like the one we have for energy efficiency in the EU.

Image: EU energy labels

But let’s rejoice for now that these governments are making a start in a much-needed effort to improve devices and inform customers. Let us hope that the various security labeling schemes will help consumers make an informed choice and drive manufacturers to focus more on security. And that other governments will follow their examples.

Stay safe, everyone!

The post Cybersecurity labeling scheme introduced to help users choose safe IoT devices appeared first on Malwarebytes Labs.

A week in security (March 30 – April 5)

Last week on Malwarebytes Labs, we offered readers tips for safe online shopping now that cybercriminals are ramping up Internet-based attacks, showed the impact that GDPR has around the world, and helped users understand how social media platforms mine their personal data. We also hosted our bi-weekly podcast, Lock and Code, with guest Adam Kujawa, who discussed the state of data privacy today.

Other cybersecurity news:

  • Two zero-day vulnerabilities were used by two different groups to infiltrate DrayTek Vigor enterprise routers and switch devices. (Source: SCMagazine)
  • An organisation, Cyber Volunteers 19 (CV19), is being set up to help people volunteer their IT security expertise and services to healthcare. (Source: Graham Cluley)
  • Organizations globally are exposing their networks to risk by using insecure RDP and VPN to go remote due to COVID-19. (Source: Hot for Security)
  • Houseparty is offering a $1 million reward to anyone providing proof it was the victim of a paid commercial smear campaign. (Source: TechSpot)
  • The Marriott hotel chain announced that it had suffered another data breach exposing 5.2 million guest records. (Source: SiliconRepublic)
  • Online threats have risen by as much as six times their usual levels over the past four weeks as the COVID-19 pandemic provides new ballast for cyberattacks. (Source: InfoSecurity)
  • The Internet is rife with online communities where users can go and share Zoom conference codes to organize Zoom-bombing raids. (Source: ZDNet)
  • After being criticized about several problems, Zoom itself decided to dedicate all the resources needed to better identify, address, and fix issues proactively. (Source: Zoom Blog)

Stay safe everyone!

The post A week in security (March 30 – April 5) appeared first on Malwarebytes Labs.

How social media platforms mine personal data for profit

It’s almost impossible not to rely on social networks in some way, whether for personal reasons or business. Sites such as LinkedIn continue to blur the line, increasing the amount of social function over time with features and services resembling less formal sites, such as Facebook. Can anyone imagine not relying on, of all things, Twitter to catch up on breaking coronavirus news around the world instantly? The trade-off is your data, and how they profit from it.

Like it or not—and it’s entirely possible it’s a big slab of “not”—these services are here to stay, and we may be “forced” to keep using them. Some of the privacy concerns that lead people to say, “Just stop using them” are well founded. The reality, however, is not quite so straightforward.

For example, in many remote regions, Facebook or Twitter might be the only free Internet access people have. And with pockets of restriction on free press, social media often represents the only outlet for “truth” for some users. There are some areas where people can receive unlimited Facebook access when they top up their mobiles. If they’re working, they’ll almost always use Facebook Messenger or another social media chat tool to stay in touch rather than drain their SMS allowance.

Many of us can afford to walk away from these services; but just as many of us simply can’t consider it when there’s nothing else to take its place.

Mining for data (money) has never been so profitable.

But how did this come to be? In the early days of Facebook, it was hard to envision the platform being used to spread disinformation, assist in genocide, or sell user data to third-parties. We walk users through the social media business model and show how the inevitable happens: when a product is free, the commodity is you and your data.

Setting up social media shop

Often, Venture Capital backing is how a social network springs into life. This is where VC firms invest lots of money for promising-looking services/technology with the expectation they’ll make big money and gain a return on investment in the form of ownership stakes. When the company is bought out or goes public, it’s massive sacks of cash for everybody. (Well, that’s the dream. The reality is usually quite a bit more complicated).

It’s not exactly common for these high-risk gambles to pay off, and what often happens is the company never quite pops. They underperform, or key staff leave, and they expand a little too rapidly with the knock-on effect that the CEO suddenly has this massive service with millions of users and no sensible way to turn that user base into profit (and no way to retain order on a service rife with chaos).

At that point, they either muddle along, or they look to profit in other ways. That “other way” is almost always via user data. I mean, it’s all there, so why not? Here are just some of the methods social networks deploy to turn bums on seats into massive piles of cash.

Advertising on social media

This is the most obvious one, and a primary driver for online revenue for many a year. Social media platforms tend to benefit in a way other more traditional publishers cannot, and revenue streams appear to be quite healthy in terms of user-revenue generation.

Advertising is a straight-forward way for social media networks to not only make money from the data they’ve collected, but also create chains where external parties potentially dip into the same pool, too.

At its most basic, platforms can offer ad space to advertisers. Unlike traditional publishing, social media ads can be tailored to personalized data the social network sees you searching for, talking about, or liking daily. If you thought hitting “like” (or its equivalent) on a portal was simply a helpful thumbs up in the general direction of someone providing content, think again. It’s quite likely feeding data into the big pot of “These are the ads we should show this person.” 

Not only is everything you punch into the social network (and your browser) up for grabs, but everything your colleagues and associates do too, tying you up in a neat little bow of social media profiling. All of it can then be mined to make associations and estimations, which will also feed back to ad units and, ultimately, profit.

Guesstimates are based on the interests of you, your family, your friends, and your friends’ friends, plus other demographic-specific clues, such as your job title, pictures of your home, travel experiences, cars, and marriage status. Likely all of these data points help the social network neatly estimate your income, another way to figure out which specific adverts to send your way.

After all, if they send you the wrong ads, they lose. If you’re not clicking through and popping a promo page, the advertisers aren’t really winning. All that ad investment is essentially going to waste unless you’re compelled to make use of it in some way.

Even selling your data to advertisers or other marketing firms could be on the table. Depending on terms of service, it’s entirely possible the social platforms you use can anonymise their treasure trove and sell it for top dollar to third parties. Even in cases where the data isn’t sold, simply having it out there is always a bit risky.

There have been many unrelated, non-social media instances where it turned out supposedly anonymous data wasn’t. There are always people who can come along afterwards and piece it all together, and they don’t have to be Sherlock Holmes to do it. All this before you consider that social media sites and platforms with social components aren’t immune to the perils of theft, leakage, and data scraping.

As any cursory glance of a security news source will tell you, there’s an awful lot of rogue advertisers out there to offset the perfectly legitimate ones. Whether by purchase or stumbling upon data leaked online, scammers are happy to take social media data and tie it up in email/phone scams and additional fake promos. At that point, even data generated through theoretically legitimate means is being (mis)used in some way by unscrupulous individuals, which only harms the ad industry further.

Apps and ads

Moving from desktop to mobile is a smart move for social networks, and if they’re able to have you install an app, then so much the better (for them). Depending on the mobile platform, they may be able to glean additional information about sites, apps, services, and preferred functionalities, which wouldn’t necessarily be available if you simply used a mobile web browser.

If you browse for any length of time on a mobile device, you’ll almost certainly be familiar with endless pop-ups and push notifications telling you how much cooler and awesome the app version of site X or Y will be. You may also have experienced the nagging sensation that websites seem to degrade in functionality over time on mobile browsers.

Suddenly, the UI is a little worse. The text is tiny. Somehow, you can no longer find previously overt menu options. Certain types of content no longer display correctly or easily, even when it’s something as basic as a jpeg. Did the “Do you want to view this in the app?” popup reverse the positions of the “Yes” and “No” buttons from the last time you saw it? Are they trying to trick you into clicking the wrong thing? It’s hard to remember, isn’t it?

A cynic would say this is all par for the course, but this is something you’ve almost certainly experienced when trying to do anything in social land on a mobile minus an app.

Once you’re locked into said app, a brave new world appears in terms of intimately-detailed data collection and a huge selection of adverts to choose from. Some of them may lead to sponsored affiliate links, opening the data harvesting net still further, or lead to additional third-party downloads. Some of these may be on official platform stores, while others may sit on unofficial third-party websites with all the implied risk such a thing carries.

Even the setup of how apps work on the website proper can drive revenue. Facebook caught some heat back in 2008 for its US$375 developer fee. Simply having a mass of developers making apps for the platform—whether verified or not—generates data that a social network platform can make use of, then tie back to its users.

It’s all your data, wheeling around in a tumble drier of analytics.

Payment for access/features

Gating access to websites behind paywalls is not particularly popular for the general public. Therefore, most sites with a social networking component will usually charge only for additional services, and those services might not even be directly related to the social networking bit.

LinkedIn is a great example of this: the social networking part is there for anybody to use because it makes all those hilariously bad road warrior lifestyle posts incredibly sticky, and humorous replies are often the way people first land on a profile proper. However, what you’re paying for is increased core functionality unrelated to the “Is this even real?” comedy posts elsewhere.

In social networking land, a non-payment gated approach was required for certain platforms. Orkut, for example, required a login to access any content. Some of the thinking there was that a gated community could keep the bad things out. In reality, when data theft worms started to spread, it just meant the attacks were contained within the walls and hit the gated communities with full force.

The knock-on effect of this was security researchers’ ability to analyse and tackle these threats was delayed because many of these services were either niche or specific to certain regions only. As a result, finding out about these attacks was often at the mercy of simply being informed by random people that “X was happening over in Y.”

These days, access is much more granular, and it’s up to users to display what they want, with additional content requiring you to be logged in to view.

Counting the cost

Of the three approaches listed above, payment/gating is one of the least popular techniques to encourage a revenue stream. Straight up traditional advertising isn’t as fancy as app/site/service integration, but it’s something pretty much anybody can use, which is handy for devs without the mobile know-how or funds available to help make it happen.

Even so, nothing quite compares to the flexibility provided by mobile apps, integrated advertising, and the potential for additional third-party installs. With the added boost to sticky installs via the pulling power of social media influencers, it’s possibly never been harder to resist clicking install for key demographics.

The most important question, then, turns out to be one of the most common: What are you getting in return for loading an app onto your phone?

It’s always been true for apps generally, and it’ll continue to be a key factor in social media mobile data mining for the foreseeable future. “You are the product” might be a bit long in the tooth at this point, but where social media is concerned, it’s absolutely accurate. How could the billions of people worldwide creating the entirety of the content posted be anything else?

The post How social media platforms mine personal data for profit appeared first on Malwarebytes Labs.

GDPR: An impact around the world

A little more than one month after the European Union’s General Data Protection Regulation (GDPR) took effect, extending new data privacy rights to its people, the governor of California signed a separate, sweeping data protection law that borrowed several ideas from GDPR, igniting a legislative data privacy trend that has now spanned at least 10 countries.

In Chile, lawmakers are updating decades-old legislation to guarantee that their Constitutional data protections include the rights to request, modify, and delete personal data. In Argentina, legislators are updating a set of data privacy protections that already granted the country a “whitelist” status, allowing it to more seamlessly transfer data to the European Union. In Brazil, the president signed a data protection law that comes into effect this August that creates a GDPR-like framework, setting up rules for data “controllers” and “owners,” and installing a data protection authority to regulate and review potential violations.

Beyond South America, India is mulling a new law that would restrict how international companies use personal data, but the law includes a massive loophole for government agencies. Canada passed its first, national data breach notification law, and in the United States, multiple state and federal bills have borrowed liberally from GDPR’s ideas to extend the rights of data access, deletion, and portability to the public.

GDPR came into effect two years ago, and its impact is clear: Data privacy is the law of the land, and many lands look to GDPR for inspiration.

Amy de La Lama, a partner at Baker McKenzie who focuses her legal practice on global privacy, data security, and cybersecurity, said the world is undergoing major shifts in data privacy, and that GDPR helped spur much of the current conversations.

“At a high level, there’s a huge amount of movement in the privacy world,” de La Lama said, “and, without a doubt, the GDPR has been a huge driver.”

The following laws and bills are a sample of the many global efforts to bring data privacy home. Often, the newer laws and legislation are influenced by GDPR, but several countries that passed data privacy laws before GDPR are still working to update their own rules to integrate with the EU.

This is GDPR around the world.

South America

Several countries in South America already grant stronger data protection rights to their public than the United States does, with several enshrining a right to data protection in their constitutions.

In 2018, Chile joined that latter club, supplementing its older, constitutional right to privacy with a new right to data protection. The constitution now says:

“The Constitution ensures to every person: … The respect and protection of private life and the honor of the person and his family, and furthermore, the protection of personal data. The treatment and protection of this data will be put into effect in the form and conditions determined by law.”

That last reference to “conditions determined by law” matters deeply to Chileans’ actual data protection rights because even though the Constitution protects data, it does not specify how that data should be protected.

Think of it like the US Constitution, which, for instance, protects US persons against unreasonable searches. Only within the past few decades, however, have courts and lawmakers interpreted whether “unreasonable searches” include, for instance, searches of emails sent through a third-party provider, or searches of historical GPS data tracked by a mobile phone.

Now, Chile is working to determine what its data protection rights will actually include, with a push to repeal and replace a decades-old data protection law called the “Personal Data Protection Act,” or Act No. 19.628. The latest legislative efforts include a push to include the rights to request, modify, and delete personal data, along with the right to withdraw consent from how a company collects, stores, writes, organizes, extracts, transfers, and transmits personal data.

Revamping older data protections is not unique to Chile.

Argentina implemented its Personal Data Protection Law (PDPL) in 2000. That law, unlike Chile’s, drew inspiration from the European Union long before the passage of GDPR: Argentina’s lawmakers aligned their legislation with the law that GDPR repealed and replaced, the Data Protection Directive of 1995.

This close relationship between Argentinian and European data protection law made Argentina a near shoo-in for the GDPR’s so-called “whitelist,” a list of countries outside the European Union that have been approved for easier cross-country data transfers because of those countries’ “adequate level of data protection.” This status can prove vital for countless companies that move data all around the world.

According to the European Commission, countries that currently enjoy this status include Andorra, Argentina, Canada (for commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. The US is also included, so long as data transfers happen under the limited Privacy Shield framework, an agreement that replaced the previous data transfer agreement, “Safe Harbor,” which was itself found invalid by the Court of Justice of the European Union.

(Privacy Shield also faces challenges of its own, so maybe the US should not get too comfortable with its status.)

Despite Argentina’s current whitelist status with the European Commission, the country is still trying to update its data protection framework with a new piece of legislation.

The new bill, Bill No. MEN-2018-147-APN-PTE, was introduced to Argentina’s Congress in September 2018. Its proposed changes include allowing the processing of sensitive data with approved consent from a person, expanding the territorial reach of personal data protections, creating new rules for when to report data breaches to the country’s data regulator, and drastically increasing the sanctions for violating the law.

Within South America, there is still at least one more country influenced by GDPR.

In August 2018, Brazil’s then-president Michel Temer signed the country’s General Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or LGPD). The law comes into effect in August 2020.

The similarities to GDPR are many, de La Lama said.

“Like the GDPR, the new law, when it comes into effect, applies extraterritorially, contains notice and consent and cross-border transfer requirements as well as obligations with regard to data subject rights and data protection officer appointment,” de La Lama said. “EU Standard Contractual clauses may be recognized under the new law but this step has not yet been taken.”

The LGPD defines “sensitive data” as personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership, along with genetic data, biometric data used for uniquely identifying a natural person, health and medical information, and data concerning a person’s sex life or sexual orientation.

Similar to GDPR, Brazil’s LGPD also creates a distinction between data controllers or owners, and data processors, a framework that has quickly rolled out in proposed laws around the world, including the United States. Brazil’s LGPD also applies beyond the country’s borders. The law applies to companies and organizations that offer goods or services to those living within Brazil, much like how GDPR applies to companies that direct marketing towards those living inside the European Union.

The law also, following amendments, includes the creation of the Brazilian Data Protection Authority. That body will have the sole authority to issue regulations and sanctions for organizations that violate the law because of a data breach.

India

In late 2019, India’s lawmakers introduced a data protection law two years in the making, which included minor similarities to the EU’s GDPR. The Personal Data Protection Bill of 2019, or PDPB, would require international companies to seek the consent of India’s public for many uses of personal data, and grant the people a new right to have their data erased.

The similarities stop there.

While portions of the law mimic the main purpose of GDPR, the data protections actually included suffer from an enormous loophole. As written, though the law’s data restrictions apply to government agencies, the law also allows the newly-created data protection authority to pick any government agency that it wants exempted.

The law would permit New Delhi to “exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order,” according to an early, leaked draft of the law obtained by TechCrunch.

This exceptionally broad language is
akin to any loophole in the United States that applies to “national security,”
and it is one that digital rights activists in India are fighting.

“This is particularly concerning in India given that the government is the largest collector of data,” said Apar Gupta, executive director of the Internet Freedom Foundation, in talking to the New York Times.

Salman Waris, who leads the technology practice at the New
Delhi law firm TechLegis, also told the New York Times that the new Indian law
purports to protect the public while actually accomplishing something else.

“It gives a semblance of owning your data, and having the
right to know how it is used, to the individual,” Waris said, “but at the same
time it provides carte blanche to the government.”

GDPR in the United States

Though we’ve focused on GDPR’s impact on a global scale, it
is impossible to deny the influence felt at home in the United States.

While Congress’s efforts to pass a comprehensive data privacy law date back to the Cambridge Analytica scandal of 2018, some of the ideas embedded in more current data privacy legislation relate directly to GDPR.

One clear example is the California Consumer Privacy Act
(CCPA), said Sarah Bruno, partner at Reed Smith who works at the intersection
of intellectual property, privacy, and advertising. Though the law was signed
less than one month after GDPR took effect in the EU, it was drafted with more
than enough time to borrow from GDPR after that law’s earlier approval, in
2016.

“GDPR did have an impact on CCPA,” Bruno said, “and it has a
lot of components in CCPA.”

CCPA grants Californians the rights to access and delete
data, the right to take their data and port it to a separate provider, along
with the right to know what data about them is being collected. Californians
also enjoy the explicit right to opt out of having their data sold, which is
not verbatim included in GDPR, though that law does give residents protections
that could result in a similar outcome. And though CCPA does not grant rights
to “data subjects,” as written in GDPR, it does have a similar scope of effect.
Much of the law is about giving consumers access to their own information.

“Consumers are able to write to a company, similar to GDPR,
to find out what information [the company] is collecting on them, via cookies,
about their purchase history, what they’re looking at on websites when on
there,” Bruno said. She added that CCPA contends that “all that information, a
California consumer should have access to that, and that’s new in the US, but
similar to GDPR.”

But California is just one state inspired by GDPR. There’s
also Washington, which, earlier this year, introduced a remodeled version of
its Data Privacy Act.

“It’s similar as well to CCPA,” Bruno said about Washington’s revamped bill. “As I call it, CCPA plus.”

The Data Privacy Act scores close to GDPR, in that it borrows some of the EU law’s language on data “controllers” and “processors,” which would both receive new restrictions on how personal data is collected and shared. The law, much like GDPR, would also provide Washingtonians with the rights to access, control, delete, and port their data. Much like CCPA, the Data Privacy Act would also let residents specifically opt out of data sales.

Though the bill initially drew a warm welcome from Microsoft and the Future of Privacy Forum, shortly after, Electronic Frontier Foundation opposed the legislation, calling it a “weak, token effort at reining in corporations’ rampant misuse of personal data.”

The bill, introduced on January 13 this year, has not moved
forward.

GDPR’s legacy: Fines or fatigue?

GDPR’s passage came with a clear warning sign to potential violators—break the law and face fines of up to 2 percent of global revenue. For an Internet conglomerate like Alphabet, which owns Google, such an enforcement action would mean paying more than a billion dollars. The same is true for Apple, Facebook, Amazon, Verizon, and AT&T, just to name a few.

Despite having the tools to hand down billion-dollar penalties, authorities across Europe were initially shy to use them. In early January 2019, France’s National Data Protection Commission (CNIL) slapped a €50 million penalty against Google after investigators found a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” It was the largest penalty at the time, but it paled in comparison to what GDPR allowed: Based on Alphabet’s 2018 revenue, it could have received a fine of about €2.47 billion, or $2.72 billion in today’s dollars.

Six months later, regulators leaned more heavily into their powers. In July 2019, the Information Commissioner for the United Kingdom (which was at the time still a member of the European Union) fined British Airways $230 million because of an earlier data breach that affected 500,000 customers. The penalty represented 1.5 percent of the airline’s 2018 revenue.

But regulatory fines tell just one side of GDPR’s story, because, as de la Lama said, after the law’s passage, her clients tell her of fatigue in trying to comply with every new law.

The nuances between each country’s data protection laws have produced guide after guide from multiple, global law firms, each attacking the topic with their own enormous tome of information. De la Lama’s own law firm, Baker McKenzie, released its annual, global data protection guide last year, clocking in at 886 pages. A quick glance reveals the subtle but important differences between the world’s laws: Countries that adopt a framework that separates data restrictions between “controllers” and “processors,” countries that protect “consumers” versus “data subjects,” countries that require data breaches to be reported to data protection authorities, countries that create data protection authorities, and countries that differ on just what the hell personal information includes.

Complying with one data protection law can be hard enough, de la Lama said, and there is little assurance that the current data privacy movement is coming to a close.

“There’s difficulty in trying to bring a company into compliance with a wide variety of privacy and technical specifications and finding internal resources to do that is a daunting task,” de la Lama said. “And when you’re trying to replicate that across multiple jurisdictions, we’re seeing a lot of companies just trying to wrap their arms around how to do that, knowing that GDPR isn’t the end game, but really just the start.”

The post GDPR: An impact around the world appeared first on Malwarebytes Labs.

Important tips for safe online shopping post COVID-19

As more and more countries order their citizens inside in response to COVID-19, online shopping—already a widespread practice—has surged in popularity, especially for practical items like hand sanitizer, groceries, and cleaning products. When people don’t feel safe outside, it’s only natural they’d prefer to shop as much as possible from the safety of their own homes. Unfortunately, you can bet your last toilet paper roll that cybercriminals anticipated the rush and were ready to take advantage of our need to buy supplies of all kinds online.

Because we know how cybercriminals think and have already seen an uptick in web skimmers and coronavirus scams, we wanted to prepare our readers for a safer online shopping experience. We have rounded up some tips for staying secure, as well as some landmines to avoid during your online shopping spree.

Dangers to avoid while shopping online

There are a few dangers that always lurk for online shoppers, and some of them increase in severity during particular events, such as holidays or summer travel season, known shopping periods like Cyber Monday or Singles’ Day, or tragic incidents, including natural disasters and the current global pandemic. Here are a few red flags to watch out for:

Raised prices

It’s only natural to expect a small raise in prices as some companies cope with economic fallout from closing brick-and-mortar shops and lack of personnel. Combine that with an increase in demand for specific items, plus the increased cost of delivery to compensate for added danger, and the totals at checkout are probably creeping up all over the place. But it’s one thing to raise prices responsibly. It’s quite another to price gouge, and cybercriminals and scammers are opting for the latter to profit from misfortune.

During times like these, it’s easy to click “purchase” on the first webpage peddling scarce or highly sought-after commodities. For example, two brothers tried to make a fortune selling hand sanitizer for $70 per bottle. People were desperate enough to buy before the attorney general shut down the site. But don’t fall for the hype. Take a deep breath and research an item before jumping at the first opportunity to purchase.

Pro tip: If a price seems wildly out of line, open up a new tab on your browser and search the item name and pricing. You can also check sites such as Tom’s Guide or Consumer Reports for fair prices.

Delays in delivery time

If items are scarce, there may be a long waiting time before delivery. Know your rights in case a supplier can’t deliver within the agreed time frame, and don’t fall for scammers promising they can help you cut the line. Usually, you can claim a refund if the article doesn’t arrive by the date you were promised. But a scammer couldn’t care less about your claims for a refund. They will make sure they are nowhere to be found when the claims come in and the going gets rough.

Pro tip: Search a website’s customer service page to find out delivery and return policies before purchasing, especially for items in short supply. Typically, these policies are found on shipping, support, help, or FAQ webpages.

Counterfeit goods

Selling counterfeit goods is another common type of web crime that will likely see an uptick during the coronavirus pandemic. From a photograph it is nearly impossible to tell whether an item is faux or the real deal. For all we know, the scammer could put a picture of the original on their site and ship you a cheap replica—or nothing at all. A good rule of thumb is: If it seems too good to be true, it usually is.

Pro tip: Check the reviews of the seller, reseller, and product—not just on the site, but in a separate search. If someone has been duped before, chances are, they’ll post pictures or a review.

Web skimmers

Ever since shelter-in-place orders have sent millions of shoppers online, the Malwarebytes threat intelligence team has noticed an uptick in the amount of digital credit card skimmers, also known as web skimmers. Web skimmers are placed on shopping cart pages and collect the payment data that customers enter when they purchase an item online.

Cybercriminals can hack the websites of legitimate brands to insert web skimmers, so avoiding resellers or little-known boutiques won’t protect shoppers from web skimmers. Instead, consider using an antivirus with web protection or browser extensions that block malicious content.

Jérôme Segura, Malwarebytes Director of Threat Intelligence, is an internationally renowned expert on web skimmers. He was kind enough to share some of his knowledge with us:

“The vast majority of people, including those familiar with computers, would not be able to see that an online merchant has been hacked and that a skimmer is going to harvest their information.

But there are certain things you can do to minimize risks. For example, check that the site looks up to date by looking at things such as copyright information. If it says something like Copyright 2015, this may be an indication that the site owner is not paying attention to details.

I also believe it’s essential to use some kind of web protection. Based on our telemetry, we stop hundreds of attempts to steal credit card data on a daily basis by blocking malicious domains and IP addresses associated with web skimming infrastructure.”

Pro tip: Keep an eye on your bank account for unexpected payments, and know what to do when your information has been stolen.


Recommended reading: How to protect your data from Magecart and other e-commerce attacks


Precautions and possible pitfalls

While not outright dangers, there are a few somewhat shady behaviors that could signal further trouble down the road. Here are a few you might want to avoid or take into account when you consider online shopping.

Security certificates

A significant surge in the number of requested security certificates indicates that more fraudulent websites are being created. As we have mentioned before on the blog, the green padlock alone does not guarantee a safe site. Free or cheap security certificates are an indication that the site might be fraudulent or built without any attention to real security.

Use trusted sites and visit them directly, not through a search. Using legitimate sites with a good reputation does have obvious advantages. You know it’s a real shop and they deliver on what they promise.

Pro tip: Bookmark favorite URLs to save on manually typing. By saving the URL rather than searching for a shop name, you are less likely to be fooled by impersonators.

Targeted ads

Targeted advertising should not be rewarded. Usually it’s better to ignore it, for much the same reasons as above. Visit the site directly instead of clicking a link in your Facebook feed. Since many shops use cookies for targeted advertising, they will soon pick up that you are looking for a certain item and try to lure you to their site by offering it to you in your timeline.

Pro tip: Consider purchasing insurance for high-value products. With insurance, you can at least get your money back if your purchase never arrives or is damaged or otherwise below expectations. Insurance does not have to be expensive. PayPal and many credit cards offer this service free of charge.

Information overload

Be wary of web shops asking you for information they don’t need to service you. They might be up to no good. And even if they are not, they have no right asking you for details that are unnecessary for the shopping and delivery process. Even if they do not plan to sell your data to third parties, they may experience a breach and spill your personal information anyway.

Pro tip: Only fill in required sections of any data forms for an online purchase. And if a form starts asking for social security numbers, pet’s names, or other weirdly personal information, do not enter the content and back out of the purchase.


Recommended reading: 10 tips for safe online shopping on Cyber Monday


Preventative measures

As always, it’s important to take the normal security precautions while shopping online. These include the following:

  • Use up-to-date software, especially your operating system and your browser. Check that both are updated before you venture online.
  • Disregard overly aggressive pop-ups, push notifications, and other annoying cries for attention. Usually, unsolicited advice in the form of persistent advertisements, browser extension downloads, coupon programs, and other assorted spam are aiming for trickery and not actually trying to help.
  • Pay extra attention when using public Wi-Fi, and avoid making payments while you are on unprotected Wi-Fi.
  • Where possible, use a VPN during online shopping. A good VPN will encrypt the traffic between you and the online shop, so nobody can spy on it.

Stay safe, everyone!


Lock and Code S1Ep3: Dishing on data privacy with Adam Kujawa

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Adam Kujawa, a director of Malwarebytes Labs, about the state of data privacy today, including how users and businesses can protect sensitive information when there are few laws to help them out, and whether we could foresee the many problems with today’s rampant data sharing when we first built the Internet.

Tune in for all this and more on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, on Google Play Music, plus whatever preferred podcast platform you use.

We cover our own research:

Plus other cybersecurity news:

  • Housing association spills data: A “please update your details” missive has horrible data exposure consequences for a UK-based organization. (Source: The Register)
  • The age-old problem of password reuse: Shockingly, it’s a problem for Fortune 500 companies, too. (Source: Help Net Security)
  • Homework equals router mayhem: With many worldwide retreating to their home environment, it figures that hackers would follow them there. (Source: Cyberscoop)
  • Compromised news sites lead to malware: A variety of backdoor files are offered up by hijacked news portals. (Source: Bleeping Computer)
  • Netflix and phish: The increase in work-from-home employees is also giving rise to a bump in attacks on streaming services. (Source: RapidTV News)

Stay safe, everyone!


Coronavirus Bitcoin scam promises “millions” working from home

In the last week, we’ve seen multiple coronavirus scams pushed by bad actors, including RAT attacks via fake health advisories, bogus e-books working in tandem with Trojans, and lots of other phishing shenanigans. Now we have another one to add to the ever-growing list: dubious coronavirus Bitcoin missives landing in your inbox.

Reworking a classic spam tactic

This is a retooling of an older spam run involving British comedian Jim Davidson, the older form of which was seen bouncing around in November 2019. As they put it, “Jim Davidson bounced back from bankruptcy with Bitcoin.” Even before that, in the first half of 2019, he was being used alongside other well-known British celebrities such as Jamie Oliver and daytime TV presenters to promote a variety of misleading Bitcoin get-rich schemes. This is common for Bitcoin scams, and you can dip into any year you like and find a few of these floating around at any given time.

What do we have this time?

In short, these coronavirus Bitcoin scams are older attempts to have people part with their cash hastily retooled to make hay with the current global pandemic. It’s incredibly lazy—the landing pages and follow on websites seem to be untouched from whenever they first appeared. The only new ingredient is the email content mentioning coronavirus, but sadly, that’s often more than enough to have people part with their money.

bitcoindavis6

It begins with a non-stop drip-feed of emails, from many different addresses pumping out spam. In the above mailbox, it’s a total of 11 in six days. All of the email addresses are rather optimistically called “coronavirus positives”, letting you know that staying at home thanks to a global pandemic can actually make you rich beyond your wildest dreams.

Some of the subject lines read as follows:

Staying at home because of COVID-19!! Spend your time making thousands on Bitcoins. 

The positive impact of staying home (Corona-virus), Make thousand a day trading Bitcoin.

Join 1000s of Brits making 1000s a day. Bitcoin is back – and this time you can make a million.

Without a larger sample selection to go from, we can’t say which missive is the most popular subject line, but the one mentioning “work from home” is at least the most popular in this particular mailbox and a few others that we’ve seen. 

Coronavirus Bitcoin email style

The emails are formatted in much the same way, emulating the British newspaper “red top” style—most specifically, The Sun.

Here’s the text from one of the samples we looked at:

bitcoindavis1

bitcoindavis2

The text reads as follows:

Jim Davidson Reveals How He Bounced Back After The Bankruptcy – He claims anyone can do it & shows ‘Good Morning Britain’ How!

Appearing on ‘Good Morning Britain’ show, Jim Davidson, a man who has recovered from Bankruptcy thanks to an automated Bitcoin trading platform, called BTC Profit . The idea was simple: allow the average person the opportunity to cash in on the Bitcoin boom. Even if they have absolutely no investing or technology experience.

A user would simply make an initial deposit into the platform, usually of £200 (or $250, as the platform works with USD) or more, and the automated trading algorithm would go to work. Using a combination of data and machine learning, the algorithm would know the perfect time to buy Bitcoin low and sell high, maximising the user’s profit.

To demonstrate the power of the platform Jim had Kate Garraway deposited £200 on the live show.

Here’s one that emulates The Sun to a high degree, complete with an almost-but-not-quite name using the same font as the well-known newspaper:

bitcoindavis4

In the above mail, a student reveals how “he earns more than £40,000 every month working from home.” Some of the links are now seemingly broken, and a few redirect to Google or random shopping sites such as the below if you presumably visit from a region they’re not interested in:

bitcoindavis3

Not all of the links are broken, however. A few will indeed lead you to the supposed Bitcoin promised land.

Getting rich quick?

What you’ll see on a live page is essentially a rehash of the information in the email, complete with a few more familiar faces from UK daytime television. At this point, the coronavirus hook has been entirely abandoned:

bitcoindavis7

bitcoindavis8

After a lot of urging the visitor to sign up to some sort of wonderful Bitcoin system, clicking the links will finally take them to the end game:

bitcoindavis9

It’s a landing page promoting something called “Bitcoin Revolution.” This has been around for a while, usually in relation to dubious ads featuring the previously mentioned celebrities.

Access is given to a trading platform, a fair amount of money is deposited into it over time, an “investment manager” asks you to deposit their commission into a bank account so they can release your funds, and…oh dear. This is the part where people report the funds never arrive and now they’re massively out of pocket.

Profiting from chaos

Endlessly spamming these “get rich quick” emails to people in normal circumstances is bad enough, but jumping on the coronavirus bandwagon to claim people can make a fortune from working from home is dreadful. This is absolutely the worst time to end up losing a significant amount of savings—they may prove to be absolutely essential further down the line.

If you receive one of these mails and they’re not automatically placed into your spam folder, report, delete, and move on. We have a feeling you won’t be making your millions from this one.


Criminals hack Tupperware website with credit card skimmer

Update: Following our blog post, we continued to monitor the Tupperware website. As of 03/25 at 1:45 PM PT, we noticed that the malicious PNG file had been removed, followed later by the JavaScript that was present on the homepage.

On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered.

Threat actors compromised the official tupperware[.]com site—which averages close to 1 million monthly visits—as well as a few of its localized versions by hiding malicious code within an image file that activates a fraudulent payment form during the checkout process. This form collects customer payment data via a digital credit card skimmer and passes it on to the cybercriminals, with Tupperware shoppers none the wiser.

Digital credit card skimmers, also known as web skimmers, continue to be one of the top web threats we monitor at Malwarebytes. For the past several years, a number of criminals (usually tied to organized Magecart groups) have been actively compromising e-commerce platforms with the goal of stealing payment data from unaware shoppers.

In light of the COVID-19 outbreak, the volume of people shopping online has dramatically increased, and there is little doubt that a larger number of transactions will be impacted by credit card skimmers moving forward.

There was a fair amount of work put into the Tupperware compromise to integrate the credit card skimmer seamlessly and stay undetected for as long as possible. Below, we walk you through how we discovered the skimmer, and analyze the threat and its attack techniques.

Rogue iframe container

During one of our web crawls, we identified a suspicious-looking iframe loaded from deskofhelp[.]com when visiting the checkout page at tupperware[.]com. This iframe is responsible for displaying the payment form fields presented to online shoppers.

payment form

There are a few red flags with this domain name:

  • It was created on March 9, and as we see with many fraudulent websites, newly-registered domains are often used by threat actors prior to a new campaign.
  • It is registered to elbadtoy@yandex[.]ru, an email address with Russian provider Yandex. This seems at odds with a payment form on a US-branded website.
  • It is hosted on a server at 5.2.78[.]19 alongside a number of phishing domains.

Interestingly, if you were to inspect the checkout page’s HTML source code, you would not see this malicious iframe. That’s because it is loaded dynamically in the Document Object Model (DOM) only.

viewsource

One way to reveal this iframe is to right click anywhere within the payment form and choose “View frame source” (in Google Chrome). It will open up a new tab showing the content loaded by deskofhelp[.]com.

frame

There is one small flaw in the integration of the credit card skimmer: The attackers didn’t carefully consider (or perhaps didn’t care about) how the malicious form should look on localized pages. For example, the Spanish version of the Tupperware site is written in Spanish, but the rogue payment form is still in English:

es1

Below is the legitimate form (in Spanish):

es 2

More trickery to dupe shoppers

The criminals devised their skimmer attack so that shoppers first enter their data into the rogue iframe and are then immediately shown an error, disguised as a session time-out.

This allows the threat actors to reload the page with the legitimate payment form. Victims will enter their information a second time, but by then, the data theft has already happened.

tupperware checkout

Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears. Note: we contacted Visa, which owns CyberSource, to report this abuse as well.

You can still spot a slight difference between the legitimate time-out page (loaded from secureacceptance.cybersource.com) and the fake one. The former contains the text “Session timed out” in bold, black text while the latter features gray text that is both smaller and a different font.

timeout

The stolen data is sent to the same domain used to host the rogue iframe. Fraudsters are now in possession of the following data from unaware shoppers:

  • First and last name
  • Billing address
  • Telephone number
  • Credit card number
  • Credit card expiry date
  • Credit card CVV

Another case of steganography

In order to identify how the card skimmer attack worked, we needed to go back a few steps and examine all web resources loaded by tupperware[.]com, including image files.

This process can be time-consuming but is necessary to figure out how the rogue iframe is injected. We found a snippet of code on the homepage that dynamically calls an FAQ icon from Tupperware’s server, which is loaded silently (and is therefore not visible to shoppers). The image is a malformed PNG file, which is suspicious in itself.

faq icon
image stegano

Looking at this file using a hex editor, we can see the different sections of the image. While IEND should mark the end of the file, after some blank spaces there is a large JavaScript blob that includes several parts which have been encoded.
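The hex-editor observation above (data appearing after the IEND chunk) can be automated. The following script is an added example written for this article and is not Malwarebytes’ tooling or code from the compromised site: it walks a PNG’s chunk table, verifies each chunk’s CRC, records where IEND ends, and reports any trailing bytes plus a heuristic check for script-like text in them. The PNG it inspects is constructed inline (a valid 1x1 image with an inert trailer appended), and the script markers are an assumption, not a complete signature set.

```python
"""Walk PNG chunks and flag bytes that trail the IEND chunk (added example)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Heuristic markers (assumption): text a JavaScript blob hidden in an image
# would plausibly contain. Any hit is only a prompt for manual review.
SCRIPT_MARKERS = (b"function", b"var ", b"document.", b"eval(", b"<script")


def png_chunks(data: bytes):
    """Yield (chunk_type, body, crc_ok, offset) for each chunk, stopping at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        # PNG CRC covers the chunk type and body, not the length field.
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        yield ctype, body, crc_ok, pos
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def inspect_png(data: bytes) -> dict:
    """Summarise chunk layout and anything that follows IEND."""
    chunks = []
    end_of_iend = None
    for ctype, body, crc_ok, pos in png_chunks(data):
        chunks.append((ctype.decode("latin-1"), len(body), crc_ok))
        if ctype == b"IEND":
            end_of_iend = pos + 12 + len(body)
    trailer = data[end_of_iend:]
    stripped = trailer.strip()  # the page notes "blank spaces" before the payload
    return {
        "chunks": chunks,
        "iend_offset": end_of_iend,
        "trailing_bytes": len(trailer),
        "trailer_has_script": any(m in stripped for m in SCRIPT_MARKERS),
        "trailer_preview": stripped[:64].decode("latin-1", errors="replace"),
    }


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed PNG chunk (used only to construct the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


# Constructed sample: the same image with inert script-like text after IEND.
CONSTRUCTED_TAINTED_PNG = (
    minimal_png() + b"    \n\n"
    + b"/* constructed, inert trailer */ var marker = function () { return 'trailer'; };"
)

if __name__ == "__main__":
    for label, sample in (("clean", minimal_png()), ("tainted", CONSTRUCTED_TAINTED_PNG)):
        print(label, inspect_png(sample))
```

Image viewers ignore everything after IEND, so a file like this renders normally; the only reliable tell is the chunk walk. Running it over the images a page loads (as the write-up describes doing) turns a hex-editor hunt into a quick batch check.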

At this point, we did not yet know what the code was meant to do, but we could tell it was some kind of steganographic attack, a technique we observed in web skimmers late last year. One way to find out is to debug the JavaScript code, despite the malware author’s attempts to crash the debugger.

Once we got past that hurdle, we could finally confirm that the code embedded in this PNG image is responsible for loading the rogue iframe at the checkout page:

redirect

There is additional code so that the skimmer is loaded seamlessly and covertly. The threat actors are actually hiding the legitimate, sandboxed payment iframe by referencing its ID and applying the display:none CSS rule to it.

style

The fake payment form is also referenced so that it fits in its place and looks exactly the same (except on localized versions). This required some effort from the fraudsters to mimic the same style and functionality.

resources

The domain deskofhelp[.]com contains a set of JavaScript, CSS, and image files to that effect, and of course, the code to check for and exfiltrate the payment data.

Site compromise

One question we haven’t answered yet is how the malicious PNG image is loaded. We know that the embedded JavaScript loads code dynamically in the DOM, but something needs to call that PNG file first, and that would have to be visible in the HTML source code.

injection

To make identification slightly more difficult, the code has been split into fragments. However, we can reconstruct it and see, for instance, how the URL loading the PNG file is assembled through string concatenation.
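Reassembling a URL that has been split across concatenated string literals is tedious by hand. As an added example (not the article’s tooling, and not the injected code itself), the helper below folds runs of adjacent JavaScript string literals joined with `+` back into single strings and then lists any URLs that become visible. The snippet it runs on is constructed, with an example hostname; it handles only plain literal concatenation, which is the technique the article describes, and does not evaluate JavaScript.

```python
"""Fold "a" + 'b' + "c" literal concatenations in JS source (added example)."""
import ast
import re

# One JS string literal, single- or double-quoted, with backslash escapes.
_LITERAL = r"""(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')"""
# A run of two or more literals joined by '+', e.g. "ht" + 'tp' + "s://".
_CONCAT_RUN = re.compile(_LITERAL + r"(?:\s*\+\s*" + _LITERAL + r")+")


def _unquote(literal: str) -> str:
    # Assumption: the simple escape forms seen in obfuscated loaders ('\x41',
    # '\'', '\\') are shared with Python, so literal_eval is safe to reuse here.
    return ast.literal_eval(literal)


def fold_concatenations(js: str) -> str:
    """Replace every concatenation run with one double-quoted literal."""
    def _join(match: re.Match) -> str:
        parts = re.findall(_LITERAL, match.group(0))
        joined = "".join(_unquote(p) for p in parts)
        return '"' + joined.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return _CONCAT_RUN.sub(_join, js)


def extract_urls(js: str) -> list:
    """Fold, then return every http(s) URL that appears as a whole literal."""
    folded = fold_concatenations(js)
    return re.findall(r"""["'](https?://[^"']+)["']""", folded)


# Constructed sample resembling a fragmented image loader; hostname is invented.
CONSTRUCTED_SNIPPET = """
var p = "ht" + "tp" + 's://' + "shop.example" + ".invalid/med" + "ia/wysiwyg/" + 'faq_ic' + "on.png";
var i = new Image(); i.src = p;
"""

if __name__ == "__main__":
    print(fold_concatenations(CONSTRUCTED_SNIPPET))
    print(extract_urls(CONSTRUCTED_SNIPPET))
```

Once the URL is in one piece it can be compared against the site’s known assets and against historical crawls, which is exactly how the timeline of the compromise was narrowed down.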

This code is helpful to determine a time frame for when the website compromise happened. Although we don’t have archives, we know from external sources, such as this WayBackMachine crawl, that the code was not present in February. The hack most likely happened after March 9, which is when the malicious domain deskofhelp[.]com became active.

We do not know exactly how Tupperware got hacked, but a scan via Sucuri’s SiteCheck shows that they may be running an outdated version of the Magento Enterprise software.

Disclosure and protection

Upon identifying this compromise, we called Tupperware on the phone several times, and also sent messages via email, Twitter, and LinkedIn. However, at the time of publication, we still have not heard back from the company and the site remains compromised.

Malwarebytes users are protected against this attack, including those running our free Browser Guard extension.

block 1

We will update this blog if we receive any additional information.

Indicators of compromise

Malicious PNG file hosted on Tupperware sites (US and Canada):

tupperware[.]com/media/wysiwyg/faq_icon.png
es.tupperware[.]com/media/wysiwyg/faq_icon.png

tupperware[.]ca/media/wysiwyg/faq_icon.png
fr.tupperware[.]ca/media/wysiwyg/faq_icon.png

SHA-256 of malicious PNG

d00f6ff0ea2ad33f8176ff90e0d3326f43209293ef8c5ea37a3322eceb78dc2e

Skimmer infrastructure

deskofhelp[.]com
5.2.78[.]19


Consumerization: a better way to answer cybersecurity challenges

A version of this article originally appeared in Forbes on February 12, 2020.

Consumerization: The specific impact that consumer-originated technologies can have on enterprises. 

Gartner

More and more, enterprises are coming to understand that they need to adopt the agile processes and product strategies of startups in order to compete in today’s markets. But there is a parallel problem in enterprise security that is not being addressed. Simply tweaking your internal processes won’t solve this problem: A different approach is needed.

We read the stories every day. The number and severity of cyberattacks keep growing. More and more businesses are being breached more and more often—and it’s happening in schools, hospitals and clinics, and major cities, too.

For example, in December 2019, the city of New Orleans told employees to “power down computers, unplug devices, and disconnect from Wi-Fi” after a cyberattack struck its computers. Although 911 emergency services were not affected, the police department had to shut down its entire IT network.

Increasingly, we see governments, organizations, and enterprises struggling to keep up with cyberattacks. And, disturbingly, they are increasingly failing to stop them.

The fact is, agile processes and improved efficiency won’t solve the growing security problem. Nor will throwing more personnel at it. That’s what organizations are attempting now, and it’s not working. Businesses are falling behind the attackers. Something has to change.

What is needed is a new way of thinking about security.

When you get millions of alerts, and you respond by looking for more trained technicians to troubleshoot the alerts, you’re pursuing a faulty strategy. For one, you won’t find the talent. For another, the strategy doesn’t scale. As you add security tools and staff, you multiply the complexity of your security operation. What you need is to reduce the complexity.

It’s helpful to step back and ask, “What would a desirable, effective security solution look like?” I suggest that it should be as intuitive as using an iPhone app.

“Hold on,” you say. “The IT market is not like the consumer market. There are different problems to solve, unique expectations to meet, and technical skillsets required to operate.” And that’s all true. But that’s just a description of the challenges inherent with the old model of security thinking.

Consider the security and privacy challenges in the consumer space. Consumer products have to be easy to use, or they won’t sell—particularly for a problem that is mostly invisible to the consumer (until it bites them). Security tools need to be easy enough for consumers to use, yet powerful enough to give them ownership of their privacy and security. That’s hard to achieve, but consumer software development is all about empowering users without overwhelming them with complexity.

And that has to be the goal in the enterprise as well. It should be just as easy for a company to protect itself and have a strong cybersecurity posture as it is for a consumer to use an app. Organizations should strive for top protection using fewer staff members who require specialized training. That should be the target of enterprise security solutions.

We call this goal the democratization, or consumerization, of cybersecurity. It’s the right goal in today’s market. It’s also quite difficult. To write robust cybersecurity products that provide organizations with comprehensive coverage and are as simple to use as consumer technology is so difficult that no one has been up to the task.

It’s easy to generate a new security tool that handles lots and lots of alerts. But making it prioritize threats so that you only address real dangers, while simplifying the user interface so that it doesn’t require extensive training: that’s the hard part. And that’s what we’re talking about when we refer to the consumerization of IT security.

It reminds me of the famous saying by French mathematician Blaise Pascal, which is often attributed to Mark Twain: “I would have written a shorter letter, but I did not have the time.” Simple is hard.

But it can be done. We know what consumer-grade tools look like. And we know what cybersecurity challenges businesses face. The task before us as an industry is to fit these two puzzle pieces together. It will require greater attention to user interface design and highly automated threat detection. It will call for combining technical excellence with human intuition. But it can be done.

The consumerization of IT security—consumer-grade ease of use, plus enterprise security expertise—can meet the cybersecurity challenges of today.

The post Consumerization: a better way to answer cybersecurity challenges appeared first on Malwarebytes Labs.