Trojan Apps

Google has removed roughly 300 apps from its online store after discovering a hidden plugin silently installed on a large number of Android devices. The seemingly innocuous apps were all secretly outfitted with the WireX botnet. WireX commandeers vulnerable Android phones and tablets and uses them to launch DDoS attacks. While Google does not yet have an official count of how many devices currently host WireX, Chad Seaman, a senior engineer at the cyber security firm Akamai, estimates the number could reach 70,000 or more. “I know in the cases where we pulled data out of our platform for the people being targeted we saw 130,000 to 160,000 (unique Internet addresses) involved in the attack,” said Seaman.

Silent, but Deadly

The initial WireX outbreak occurred on August 17th, when several content delivery networks (CDNs) reported similar DDoS attacks. The search for the source eventually landed at the doorstep of Google’s Play Store, prompting the company to pull hundreds of affected applications from the store and begin removing the malware from infected devices. “We identified approximately 300 apps associated with the issue, blocked them from the Play Store, and we’re in the process of removing them from all affected devices,” a Google spokesperson said. “The researchers’ findings, combined with our own analysis, have enabled us to better protect Android users, everywhere.” The apps chosen to host the plugin provided genuine services, like ringtones and video players, but included hidden code designed to commandeer the device for DDoS attacks. Once powered on, an infected phone or tablet served mainly as a soldier in a broader DDoS army, all unbeknownst to its owner. While the apps themselves operated as promised, the malware surreptitiously connected to an internet server run by the WireX...

Ransomware Rundown

Though some experts predicted the final payoff would hit one billion dollars, Friday’s ransomware attack, believed to be one of the largest ever perpetrated, ended with a fizzle over the weekend: the attackers barely pulled in $26,000 before being temporarily stopped in their tracks by an anonymous cyber security expert. Summarizing the situation Monday morning, Jan Op Gen Oorth, senior spokesman for Europol, told the AFP, “The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success.” “It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”

A Simple Fix

According to Gizmodo, the damage was mitigated in part by the quick action of an “anonymous 26-year-old security researcher” known as MalwareTech, who managed to temporarily slow the spread of the ransomware late Friday. After discovering that the domain name the ransomware checked for, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, was unregistered and available for just $10.69, MalwareTech bought the domain. The malware treated the existence of that domain as a signal to stand down, so registering it acted as a kill switch and halted the spread. “Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freak out until I realized it was actually the other way around and we had stopped it,” MalwareTech told The Guardian. According to Matthieu Suiche, founder of cybersecurity firm Comae Technologies, MalwareTech’s registration of the domain stopped the malware from spreading throughout the US. “The kill switch is why the U.S. hasn’t been touched so far,” he told the New York Times on Saturday. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”

A Global Attack

The flurry of ransomware attacks shut down several...
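A kill switch of this kind cuts both ways for a defender: an infected host reveals itself by trying to look up the domain before it decides whether to run. The following is an added example, not code from the article or from any of the researchers it quotes. It scans resolver query logs for hosts that asked for the kill-switch domain the article names (the domain publicly reported for this outbreak). The BIND-style log format, the sample log lines and the assumption that the check shows up as a DNS query at the organisation's resolver are all constructed for the example; the domain set is deliberately a set so that variants with a different domain, which Suiche expects, can be added.

```python
"""Flag internal hosts that tried to resolve a ransomware kill-switch domain.

Added example (not from the original article). It scans BIND-style query-log
lines for lookups of the domain the article describes. The log lines are
constructed for the example; the log format and the domain list are assumptions.
"""
import re
from collections import Counter

# Domain the article says was registered to halt the spread. A variant can
# switch to another domain, so the set is meant to be extended.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Assumed BIND query-log line shape:
#   <date> <time> queries: info: client <ip>#<port> (<qname>): query: <qname> IN A ...
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query:"
)

# Constructed sample log: two hosts query the kill-switch domain (one twice, in
# both relative and fully-qualified form, one in upper case); a third is clean.
SAMPLE_LOG = """\
12-May-2017 10:02:11.512 queries: info: client 10.0.4.17#51322 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
12-May-2017 10:02:11.530 queries: info: client 10.0.4.17#51323 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. IN A + (10.0.0.53)
12-May-2017 10:02:12.001 queries: info: client 10.0.9.3#40011 (www.example.com): query: www.example.com IN A + (10.0.0.53)
12-May-2017 10:02:13.777 queries: info: client 10.0.7.88#60412 (IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM): query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM IN A + (10.0.0.53)
12-May-2017 10:02:14.002 queries: info: client 10.0.9.3#40012 (mail.example.com): query: mail.example.com IN A + (10.0.0.53)
"""


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN and relative forms match."""
    return qname.strip().rstrip(".").lower()


def find_kill_switch_lookups(log_text: str, domains=KILL_SWITCH_DOMAINS) -> dict:
    """Return {client_ip: lookup_count} for clients that queried a kill-switch domain."""
    hits = Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line, or a format this parser does not know
        if normalize(match.group("qname")) in domains:
            hits[match.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {count} lookup(s) of a kill-switch domain; isolate and inspect")
```

A hit means the dropper already ran on that host, whether or not the payload then stood down, so the host needs isolating and patching regardless. The converse does not hold: a host whose check never reached a resolver (outbound DNS blocked, or a check that goes through a path this log does not see) would proceed to encrypt without leaving a line here, so an empty result is not evidence of a clean network.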

Smart Homes, Dumb Security

On October 21, 2016, many of the world’s most popular websites were knocked offline by a series of distributed denial of service (DDoS) attacks. Users trying to post a tweet or listen to a favorite track on Spotify suddenly found themselves staring at error pages or stalled by perpetual “loading” messages in their browser. The culprit? Massive denial of service attacks overwhelming servers and cutting off access. While DDoS attacks are commonplace (though rarely this widespread), this time the method was a little different. Rather than relying on the usual botnets of compromised computers, the attackers commandeered all manner of unsecured internet-connected devices to turn the internet of things into a battering ram. By exploiting the security weaknesses of connected gadgets, from fridges to DVRs, the attack highlighted the smart home’s Achilles heel. Major DNS host Dyn told CNBC in October the attack was “well planned and executed, coming from tens of millions of IP addresses at the same time.”

Taking Down Twitter

Why was a DDoS attack on a DNS provider so effective? It starts with how the Domain Name System (DNS) works. DNS acts in many ways like a traffic controller at a busy intersection: when a user clicks a link to a web page, DNS translates the site’s name (twitter.com, say) into the numeric address the browser actually connects to. During the October attack the web servers themselves were left unscathed, but the DNS servers that hand out directions to them were jammed with bogus requests, something akin to rush-hour traffic. In effect, users were left stranded on the service highway, their destination in sight but with no means to get there.
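To make the traffic-controller analogy concrete, here is an added example (not code from the article or from Dyn) that models a recursive resolver with a TTL cache in front of one or two hypothetical authoritative DNS providers. The zone name, addresses, TTL and timings are made up for the example. It shows the two things a practitioner took away from that day: cached answers keep a site reachable only until their TTL runs out, and a second, independent authoritative provider keeps resolution working when the first one is unreachable.

```python
"""Why an authoritative-DNS outage takes a perfectly healthy website offline.

Added example, not from the article. Models a recursive resolver with a TTL
cache in front of hypothetical authoritative providers. Names, IPs, TTLs and
times are constructed for the example.
"""


class AuthoritativeServer:
    """A DNS provider that answers for the zones it holds records for."""

    def __init__(self, name: str, records: dict, ttl: int):
        self.name = name
        self.records = records  # e.g. {"twitter.example": "203.0.113.10"}
        self.ttl = ttl
        self.online = True

    def answer(self, qname: str) -> tuple:
        if not self.online:
            raise TimeoutError(f"{self.name} not responding (under DDoS)")
        return self.records[qname], self.ttl  # KeyError if not authoritative


class RecursiveResolver:
    """The resolver a user's browser asks; caches answers until their TTL expires."""

    def __init__(self, providers: list):
        self.providers = providers
        self.cache = {}  # qname -> (ip, expires_at)

    def resolve(self, qname: str, now: int) -> tuple:
        """Return (ip, source); source is 'cache', a provider name, or 'SERVFAIL'."""
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], "cache"
        for provider in self.providers:
            try:
                ip, ttl = provider.answer(qname)
            except (TimeoutError, KeyError):
                continue  # try the next authoritative server for the zone
            self.cache[qname] = (ip, now + ttl)
            return ip, provider.name
        return None, "SERVFAIL"  # nobody answered: the browser shows an error


def run_scenario(providers: list, outage_at: int, times: list) -> list:
    """Resolve the name at each time; providers[0] goes down at outage_at.
    The web server behind the address is up the whole time."""
    resolver = RecursiveResolver(providers)
    results = []
    for t in times:
        if t >= outage_at:
            providers[0].online = False
        ip, source = resolver.resolve("twitter.example", t)
        results.append((t, ip, source))
    return results


def outage_timeline() -> dict:
    """Same outage twice: once with a single provider, once with a second one."""
    records = {"twitter.example": "203.0.113.10"}
    single = run_scenario(
        [AuthoritativeServer("primary", records, ttl=300)],
        outage_at=120, times=[0, 100, 200, 400],
    )
    dual = run_scenario(
        [AuthoritativeServer("primary", records, ttl=300),
         AuthoritativeServer("secondary", dict(records), ttl=300)],
        outage_at=120, times=[0, 100, 200, 400],
    )
    return {"single_provider": single, "two_providers": dual}


if __name__ == "__main__":
    for label, timeline in outage_timeline().items():
        print(label)
        for t, ip, source in timeline:
            print(f"  t={t:>3}s  ip={ip}  answered by {source}")
```

With one provider the name still resolves at t=200 (the provider has been down since t=120, but the cached answer lives until t=300) and fails at t=400; with a second provider the t=400 lookup is answered by the secondary. Real resolvers also serve stale records and retry harder than this toy does, but the shape of the failure is the same.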
As security expert Bruce Schneier explained in a recent blog post, “Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet.” “These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.”

Assessing the Damage

The October 21 attack incapacitated DNS infrastructure serving sites across the US and Europe. Almost no type of website was spared, from consumer products to real estate listings to news sites. Pinterest, Zillow, Kayak, the New York Times: all found themselves cut off from users as the DDoS ambush spread across the western hemisphere. The entire event lasted for hours, and while the damage has not been fully assessed, the greatest fear is what this level of disruption means for the future of the internet. The October attack differed significantly from previous incursions by groups like the hacker collective Anonymous. In the past, perhaps one individual website, like CNN, was incapacitated for a short time. In this case the DDoS attack was massive, taking out “a major piece of the internet backbone for the entire morning – not once, but twice.” “This event was not your conventional DDoS attack,” writes Gizmodo’s William Turton. “Instead, it seems to be the first large-scale attack using IoT devices.” “Because of the estimated billions of available unsecured IoT devices,” he continues, “these attacks could allow for an unprecedented amount of DDoS power—enough power to take down major pieces of internet infrastructure protected by some of the best DDoS mitigation in the business. That’s exactly what we saw on [October 21].”

A New Era of Threats

Assessing the aftermath of the October attack, Turton warns of a bleak future full of political conspiracies and foreign hackers waging online war against their adversaries. “Details of how the attack happened remain vague,” writes Turton, “but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.” “This could be the beginning of a very bleak future,” he concludes. “If hackers are able to take down the internet at will, what happens next?” Unfortunately, it’s the smart devices intended to make our lives easier that may pose the biggest threat. A new report by Akamai,...

Security Reminder

The latest Yahoo breach holds the record for the largest single breach of user accounts. The hack, which occurred in 2014, enabled attackers to collect personal information associated with at least half a billion Yahoo accounts: names, email addresses, phone numbers, birth dates and, in some cases, security questions and answers, according to Yahoo’s press release. What’s even scarier is that hashed passwords were also stolen. Hashing is one-way, so the stolen hashes cannot simply be decoded, but a fast or unsalted hash can be cracked by guessing; Yahoo said the vast majority were protected with bcrypt, which is designed to make such guessing slow. As a consequence, Yahoo users are encouraged to review their accounts for suspicious activity, change their passwords and security questions, avoid clicking on suspicious links and consider using a new authentication tool called Yahoo Account Key. Of course, there is always the option to switch to Gmail or iCloud. According to research from Alertsec, about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches, so it will take Yahoo quite some time to rebuild its users’ trust. When a company has allowed its customers’ data to fall into the hands of criminals, regaining that trust is difficult and in some cases impossible. This breach is a reminder of how widespread hacking is, and it raises again the question of whether the current system of passwords and security questions provides the best kind of protection. The answer seems obvious: something needs to change. Cybersecurity specialists recommend using a different password for each account, while other experts are working on alternatives to passwords such as one-time passwords, biometrics and two-factor authentication. “Cybercriminals know that consumers use the same passwords across websites and applications, which is why these millions of leaked password credentials are so useful for perpetuating fraud,” said Brett McDowell, executive director of the FIDO Alliance, an organization that...
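The difference between “encrypted”, “hashed” and “hashed with bcrypt” decides how useful a stolen password table is to the people McDowell describes. The following added example (not code from the article, from Yahoo or from the FIDO Alliance) cracks a small constructed leak two ways: a plain unsalted SHA-1 table, where one pass over the wordlist answers for every user at once, and a per-user-salted, iterated hash, where each user costs a fresh run of the key derivation. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which the page mentions but which is not in the standard library; the users, passwords and wordlist are made up.

```python
"""Why the hashing scheme behind a leaked password database matters.

Added example, not from the article or from Yahoo. Contrasts an unsalted fast
hash with a salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)
against a small constructed wordlist. Users, passwords and wordlist are made up.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]  # constructed
ITERATIONS = 100_000  # work factor; bcrypt's cost parameter plays the same role


def fast_unsalted(password: str) -> str:
    """Single unsalted SHA-1: the kind of hash that cracks in bulk."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict) -> tuple:
    """Build one lookup table from the wordlist and apply it to every user.
    Returns ({user: recovered_or_None}, number_of_hash_computations)."""
    table = {fast_unsalted(w): w for w in WORDLIST}  # computed once, reused for all
    return {user: table.get(h) for user, h in leaked.items()}, len(WORDLIST)


def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus an iterated KDF; stored as hex 'salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: dict) -> tuple:
    """Same wordlist, but every (user, candidate) pair costs a fresh KDF run and
    no table can be shared between users because their salts differ."""
    recovered, kdf_runs = {}, 0
    for user, stored in leaked.items():
        recovered[user] = None
        for candidate in WORDLIST:
            kdf_runs += 1
            if verify_salted(candidate, stored):
                recovered[user] = candidate
                break
    return recovered, kdf_runs


def demo() -> dict:
    """Leak the same three constructed accounts under both schemes and crack them."""
    passwords = {"alice": "password", "bob": "password", "carol": "hunter2"}
    unsalted_db = {u: fast_unsalted(p) for u, p in passwords.items()}
    salted_db = {u: store_salted(p) for u, p in passwords.items()}
    return {
        "unsalted": crack_unsalted(unsalted_db),
        "salted": crack_salted(salted_db),
        # identical unsalted hashes also reveal who shares a password
        "same_password_same_unsalted_hash": unsalted_db["alice"] == unsalted_db["bob"],
        "same_password_same_salted_hash": salted_db["alice"] == salted_db["bob"],
    }


if __name__ == "__main__":
    result = demo()
    print("unsalted:", result["unsalted"])
    print("salted:  ", result["salted"])
```

Both schemes give up the three weak passwords, which is the point of the advice to use a different password everywhere: the KDF only raises the price per guess (five hash computations for the whole unsalted table versus nine KDF runs here, and the gap widens with every extra user), it does not rescue a password that is on the wordlist. Salting also hides the fact that alice and bob share a password, which an unsalted table exposes for free.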

Cybersecurity

Your organization manages sensitive information every day. You rely on cybersecurity specialists to protect your data from misuse. The demand for security specialists is skyrocketing, yet a shortage of candidates leaves the industry, and your organization, vulnerable. Symantec reports that the global demand for the cybersecurity workforce is expected to rise to 6 million by 2019, with a projected shortfall of 1.5 million. The profession is slated to grow by 36.5 percent through 2022. While that is a notable improvement, it is still woefully short. Reports by the Bureau of Labor Statistics suggest that the demand for information security specialists is expected to grow by 53 percent as soon as 2018. Currently, 209,000 cybersecurity jobs in the U.S. remain unfilled. The result is a lack of 24×7 monitoring at nearly 75 percent of enterprises. There simply aren’t enough specialists to watch your data around the clock. The shortage of talent causes many security teams to fall short of their goals. A report by 451 Research compiled responses from more than 1,000 IT professionals. The results revealed that 34.5 percent of security managers couldn’t implement desired security projects due to a lack of staff expertise. More than 26 percent fall short of objectives due to inadequate staffing. To fill the void, many organizations opt to cross-train existing IT staff. Chris Cochran, Threat Intelligence Leader at IronNet Cybersecurity, expounds: “The great thing about cross-training is that IT technicians already have a background in a cyber craft. This shortens the time it would take to make someone operational in a given task or field. The downside is that, more often than not, you find cyber experts stretched for time and expertise. They are being spread too thin across the landscape. We need resident experts. We need people...

Password Fast Forward

These days, traditional passwords are suspect in their ability to keep our valuable online data safe. This isn’t a new problem. Nearly a decade ago, in 2004, Bill Gates was predicting the demise of the alphanumeric password, calling it a weak spot in security and identity authentication. He was one of the first to propose moving security onto smartcards and biometrics. With few exceptions, most programs, websites and protected databases still use the standard-issue username/password combination for access. But with recent high-profile hacks like that of Wired tech writer Mat Honan last summer, the question of changing password technology is a hot one again. So what are the current options?

Behavior-based gestures

The government’s Defense Advanced Research Projects Agency (DARPA) is on the lookout for other forms of authentication based on behaviors, like the way people type or make other hand gestures. Security researchers are investigating the way people use their machines so that their identity can be verified at all times: “for example, how the user handles the mouse and how the user crafts written language in an e-mail or document,” they say on their website. DARPA’s program manager Richard Guidorizzi explains what makes this method different from the current password format: “My house key will get you into my house, but the dog in my living room knows you’re not me. No amount of holding up my key and saying you’re me is going to convince my dog you’re who you say you are. My dog knows you don’t look like me, smell like me or act like me. What we want out of this program is to find those things that are unique to you, and not some single aspect of computer security that an adversary can use to compromise your system.”

Multi-step verification

This is an option Google made available a while ago, and if you haven’t activated it, now would be a good time to do so.
Google offers two-step verification: it asks for the classic password and also sends a text message with a code to your personal cellphone. According to Honan, who has taken on the issue of online security fallacies with a vengeance since his hack, this is just the beginning. The future of passwords means a combination of different identifiers that extend far beyond the password. The more pieces required for verification, the stronger the security of a system gets.

Smartcards

Google researchers are experimenting with a tiny Yubico cryptographic card that works somewhat like a car key: you slide it into a USB port and it automatically logs you into Google, opening your web mail and online accounts. They have modified Google’s web browser to work with these cards; the best part is that there is no software download and, once the browser support is there, it is quite easy to use.

Biometrics

Facial recognition. This option already exists in the form of a photo-based system that needs a picture of your face as the login for the computer. Basically, if your computer is stolen and someone attempts to hack it, the software takes a photo of the person who tried and failed. For websites, Silicon Republic reports that teenagers Niall Paterson and Sam Gaulfield have created Viv.ie, a facial recognition system available through an open API that website owners can deploy to let their users log in without a password. The technology is quite simple: it takes a photo of your face and then analyses it against the database of registered users. There are two problems, though: whoever wants to hack your computer could hold up a photo of your face, opening all channels to the uninvited guest, and the system hasn’t yet been finalized due to high costs and the two 17-year-olds’ limited experience in the business world. It is definitely a start. Voice recognition. This one...