Expert Insight: Half a Billion potentially at Risk due to WinRAR Vulnerability

Details have been released on a new software vulnerability discovered in a hugely popular compression program, WinRAR, that is typically used to reduce file sizes or bundle up a collection of files for faster and easier data transfers.

Gavin Millard, Technical Director of Tenable Network Security explains, “The fact that there is a vulnerability in a hugely popular compression program is cause for concern as they are used by many to reduce file sizes or bundle up a collection of files for faster and easier transfers.

“This particular bug, discovered in WinRAR which reportedly runs on 500 million systems, is relatively easy to exploit and could lead to malicious file execution by anyone clicking on an archive containing the code – from a key logger trying to steal credentials, to ransomware that encrypts the files you care about.

“Compressed files sent as email attachments are one way malware authors could be considering as a potential use of this flaw. However, even movies and TV shows offered out on BitTorrent, the popular file-sharing protocol, could just as easily have malicious code bundled in with the download.

“Our advice is that unexpected self-extracting archive (SFX) files sent via email should always be opened with caution, no matter how enticing the alleged contents, and this diligence should extend to downloading music, videos and apps online.”
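As an added example (not code from the article or from Tenable), the Python helper below shows the check a mail gateway or triage script needs in order to act on the advice above: it tells a self-extracting (SFX) RAR archive apart from a plain archive and from an ordinary executable by file signature rather than by file name. The sample attachments are constructed inline; the MZ and RAR markers are the published signatures of those formats.

```python
"""Attachment triage: identify self-extracting (SFX) RAR archives by signature.

Added example, not code from the original article or from Tenable.
The sample attachments in SAMPLES are constructed for this demonstration.
"""

MZ_HEADER = b"MZ"                        # DOS/PE executable stub (SFX archives are PE files)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"         # RAR 1.5 - 4.x archive marker
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"     # RAR 5.x archive marker


def classify_archive(data: bytes) -> str:
    """Return 'rar', 'sfx', 'exe' or 'other' for the given file bytes.

    A plain RAR archive starts with the RAR marker at offset 0.
    An SFX archive is a Windows executable (MZ stub) with the RAR archive
    appended after the stub, so the marker appears later in the file.
    """
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if data.startswith(MZ_HEADER):
        for magic in (RAR5_MAGIC, RAR4_MAGIC):
            if data.find(magic, len(MZ_HEADER)) != -1:
                return "sfx"
        return "exe"
    return "other"


def is_risky_attachment(filename: str, data: bytes) -> bool:
    """Flag an attachment that executes code even though it looks like an archive:
    any SFX archive, or an executable carrying an archive-style file extension."""
    kind = classify_archive(data)
    archive_name = filename.lower().endswith((".rar", ".zip", ".7z"))
    return kind == "sfx" or (kind == "exe" and archive_name)


def scan_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be held for review."""
    return [name for name, data in attachments.items() if is_risky_attachment(name, data)]


# Constructed sample attachments (headers and padding only, no real payloads).
SAMPLES = {
    "report.rar": RAR4_MAGIC + b"\x00" * 32,                              # plain archive
    "report.exe": MZ_HEADER + b"\x90" * 64 + RAR4_MAGIC + b"\x00" * 16,   # SFX archive
    "invoice.rar": MZ_HEADER + b"\x90" * 64,                              # executable named as an archive
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_archive(data), "HOLD" if is_risky_attachment(name, data) else "ok")
```

Signature checks of this kind belong at the gateway, before the file reaches a user who may be tempted by the alleged contents; a file-name or extension filter alone misses both cases shown in the sample set.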



Upatre Trojan coming for XP Users

A new phishing campaign loaded with the Upatre Trojan is circulating, and it seems to be specifically targeting Windows XP machines. (Upatre is a Trojan downloader family that, once installed, is responsible for stealing information and downloading additional malware onto victim machines.)

Fred Touchette, senior security analyst of AppRiver explains, “We’ve been seeing yet another offering from the Upatre guys. One interesting detail about this line of attack is that they seem to be targeting older, out of date PCs. After running the samples on a couple of different operating systems, they only seemed to want to carry out their malicious intent on machines running Windows XP (I was using SP3). On newer versions it would shut itself down almost immediately after execution. Once operational though, this malware begins to hijack system processes to get a foothold on its new victim. It then reaches out to check its IP address and then looks to communicate with the IP on port 12299 where it reports back with information about the new target such as the IP it had just looked up and the computer name. Following this, the malware adds a good number of registry entries dealing with security certificates, mostly disallowing them and peeks around for debugging tools.”

Detailing the delivery email itself, Fred adds, “It comes in with a rather lengthy, by comparison, email with the subject line ‘Attorney-client agreement’. This story line certainly leaves out a few major details as it begins with a lawyer apparently already in court fighting against some sort of breach of contract suit against the recipient. The opening paragraph even forgives the intended targets for missing court this morning, citing that the court ‘understood’. This must come as a real shock to those of us who don’t keep a lawyer on retainer and those who didn’t realize they were being sued. It probably would’ve been really nice of this mystery lawyer to let you know that this was going on before it got to this point, I would think.”


While this phishing campaign is a classic, if slightly long-winded, social engineering technique employed by cyber thieves, the payload in this attack lives in an accompanying attachment, each quasi-randomly named by stringing together three different words from an apparent wordlist supplied by the command and control server. This randomisation makes the files slightly harder to nail down, simply because organisations cannot block based on the file name alone. Otherwise, it’s business as usual when it comes to stopping these nuisances.
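Because the attachment names are randomised, the more dependable indicator is the network behaviour Fred describes: the sample first looks up its own public IP address and then connects outbound to TCP port 12299 to report the IP and computer name. The Python sketch below, an added example that is not code from the article or from AppRiver, runs that two-step pattern over connection logs. The log format and the sample lines are constructed for the example, the IP-lookup hostnames are placeholders (the article does not name the service queried), and the five-minute window is an assumption.

```python
"""Detect Upatre-like beaconing: IP lookup followed by an outbound connection to port 12299.

Added example, not code from the original article or from AppRiver.
Log format, sample lines, lookup hostnames and the time window are all constructed/assumed.
"""
from datetime import datetime, timedelta

BEACON_PORT = 12299                                           # port reported in the article
IP_LOOKUP_HOSTS = {"ipcheck.example", "whatismyip.example"}   # placeholder lookup services
WINDOW = timedelta(minutes=5)                                 # assumed lookup-to-beacon gap

# Constructed firewall/proxy log: "<iso-timestamp> src=<ip> dst=<host-or-ip> dport=<port> proto=tcp"
SAMPLE_LOG = """\
2015-09-22T10:01:03 src=10.0.0.15 dst=ipcheck.example dport=80 proto=tcp
2015-09-22T10:01:09 src=10.0.0.15 dst=203.0.113.9 dport=12299 proto=tcp
2015-09-22T10:02:40 src=10.0.0.22 dst=203.0.113.9 dport=12299 proto=tcp
2015-09-22T10:15:00 src=10.0.0.30 dst=whatismyip.example dport=80 proto=tcp
2015-09-22T10:45:10 src=10.0.0.30 dst=203.0.113.9 dport=12299 proto=tcp
2015-09-22T11:00:00 src=10.0.0.40 dst=mail.example dport=443 proto=tcp
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}


def find_upatre_like_beacons(log_text: str) -> list:
    """Return (source_ip, severity) findings.

    Two tiers, so an unusual port-12299 connection is never silently dropped:
      "high"   - an IP-lookup request followed within WINDOW by a port-12299 connection
      "medium" - a port-12299 connection with no recent lookup seen from that host
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    last_lookup = {}      # src ip -> time of its most recent IP-lookup request
    findings = []
    for e in events:
        if e["dst"] in IP_LOOKUP_HOSTS:
            last_lookup[e["src"]] = e["ts"]
            continue
        if e["dport"] == BEACON_PORT:
            seen = last_lookup.get(e["src"])
            if seen is not None and e["ts"] - seen <= WINDOW:
                findings.append((e["src"], "high"))
            else:
                findings.append((e["src"], "medium"))
    return findings


if __name__ == "__main__":
    for src, severity in find_upatre_like_beacons(SAMPLE_LOG):
        print(f"{src}: possible Upatre beacon ({severity})")
```

On the sample log the first host produces a high-severity finding (lookup, then beacon six seconds later), while the other two port-12299 connections are reported at medium severity because no lookup preceded them inside the window. Port 12299 is not a service port most organisations use, so even the medium tier is worth an egress-rule review.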

Fred concludes, “Even on Windows XP these samples seemed a little rickety as they tended to crash after a fairly short period of time, but they did have the best success rate on the XP machines. I wouldn’t be surprised though if this little issue is quickly resolved and we start seeing the next campaign from these guys within the day. Seeing several different themes from this particular family of malware has been commonplace and happening on a daily basis for quite some time now. My advice, as always, is do not click on links, open or download attachments from unknown senders.”



Five Things You Need to Know About the Proposed EU General Data Protection Regulation

By Cindy Ng, technical analyst, Varonis

European regulators are serious about data protection reform. They’re inches away from finalising the General Data Protection Regulation (GDPR), which is a rewrite of the existing rules of the road for data protection and privacy spelled out in their legacy Data Protection Directive (DPD). A new EU data world is coming.

We’ve been writing about the GDPR’s long, epic journey over the last two years. But with the EU Council (roughly the EU’s executive branch) approving its own version, the stage is set for a final round of discussions with the EU Parliament to split the differences. The GDPR will likely be approved by the end of 2015 (or early 2016) and go into effect in 2017. Organisations, including U.S. multinationals that handle EU personal information, will soon be required to comply with tougher rules to prove they’re actively protecting personal data.

Based on the latest proposal from the Council, we now have a good idea of what the final GDPR will look like. So your homework assignment is to start thinking about these five items below.

Start Implementing Privacy by Design Principles

Developed by former Ontario Information and Privacy Commissioner Ann Cavoukian, Privacy by Design (PbD) has had a large influence on security experts, policy makers, and regulators. Cavoukian believes big data and privacy can live together. At the core, her message is that you can take a few basic steps to achieve the PbD vision: minimise data collected (especially PII) from consumers, not retain personal data beyond its original purpose, and give consumers access and ownership of their data.

The EU likes PbD as well. It’s referenced heavily in Article 23, and in many other places in the new regulation. It’s not too much of a stretch to say that if you implement PbD, you’ve mastered the GDPR.
Need to get up to speed quickly? Use this cheat sheet to understand PbD principles and guide you through key data security decisions.

Right to be Forgotten

The controversial “right to be forgotten” will soon be the law of the EU land. For most companies, this is really a right of consumers to erase their data. Discussed in Article 17 of the proposed GDPR, it states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”.

I think that clearly spells out the right to erasure.

What if the data controller gives the personal data to other third parties, say a cloud-based service for storage or processing? The long arm of the EU regulations still applies: as a data processor, the cloud service will also have to erase the personal data when asked to by the controller.

Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!

U.S. Multinationals Need to Safeguard Data

It’s worth reiterating Andy’s previous blog post where he urges large U.S. multinationals that collect data from EU citizens to implement data security policies as if those servers were in the EU.

Known as “extraterritoriality”, this principle is addressed in the beginning of the proposed GDPR. For legally-minded types, here’s the actual language in all its bureaucratic beauty:

“Cross-border flows of personal data…are necessary for the expansion of international trade and international cooperation….when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined.”

There are some issues and complexities about how this will be enforced. But with the U.S. saying its data storage laws apply to data held in Irish servers, it seems only natural that the EU can make a similar type of claim about its citizens’ data held in the U.S.!

How Much Will You Be Fined?

For serious violations (such as processing sensitive data without an individual’s consent or any other legal basis) regulators can impose penalties. There are differences between the EU Council’s version and the Parliament’s. The EU Council allows fines up to €1 million or 2% of the global annual turnover (i.e., revenue) of a company. The Parliament’s fines are far steeper at up to €100 or 5% of global turnover. These two bodies will have to work this out in the coming months.

The important point, regardless of the final rule, is that the GDPR penalties will amount to serious money for U.S. multinationals.

Consider Hiring a Data Protection Officer

Important projects (and yes, the proposed EU GDPR is a huge project) need owners. In the proposed EU GDPR, the Data Protection Officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.

Will you need to designate a DPO in your company? At this point, there are differences again in the proposals from the EU Council versus the one from the Parliament. The Council would like to make this a discretionary position, allowing each member state to decide whether it should be a mandatory requirement or not.

Our view: informally give someone in your company the powers of a DPO. It just makes good sense to have a manager or high-level executive as a focal point for EU rules.



Security flaws with life-threatening implications require alternative methods of disclosure – survey

If security researchers get no response from manufacturers when disclosing vulnerabilities with life-threatening implications, the majority of IT security professionals (64%) believe that the information should then be made public, according to new research conducted by AlienVault™.

More than 650 IT security professionals were surveyed at the Black Hat 2015 Conference in Las Vegas and asked what was the best course of action when a vulnerability is found on an internet-connected device that has potentially life-threatening implications (e.g. vulnerabilities on cars or planes), but disclosure to the manufacturer hasn’t worked. 64% of the respondents supported different methods of making the research public, including proving the vulnerability with willing participants in a public space (19%), fully disclosing details to the media (19%), disclosing details in a talk at a public conference (13%), and proving the vulnerability on a live system (13%). By contrast 36% of respondents felt that the vulnerability should only be demonstrated in a private space with willing participants.

The traditional process for responsible disclosure when a hacker finds a vulnerability is to allow all stakeholders to agree to a period of time for the vulnerability to be patched before details are published. But when the vulnerability has life-threatening implications, such as the potential to assume control of a moving vehicle such as a car or a plane, attitudes appear to be changing.

The survey follows the public hacking of a Jeep by security researchers earlier this summer, which resulted in an immediate software fix and 1.4 million vehicles being recalled by Chrysler. But when a different group of security researchers from the University of California and University of Washington privately informed General Motors of a similar flaw on a Chevy Impala in 2010, GM took nearly five years to fully protect its vehicles from the technique – meaning that drivers of that model of car were unknowingly vulnerable to being hacked during that period.

Javvad Malik, security advocate at AlienVault, said: “Rightly or wrongly, there seems to be a race by manufacturers of nearly every kind of device to include the ability to connect to the internet. As history has proved, the security of such devices is more often than not a low priority, which has resulted in these devices being exploitable. This becomes particularly concerning in cases where the exploitation of an internet connected device can result in life-threatening situations such as an external entity being able to tamper with, for example, auto-targeting functions or sniper rifles, or the operational features of cars and even airplanes.”

Other approaches to threat sharing

The survey also examined other attitudes towards aspects of threat sharing, including opinions about the use of data that has been dumped by hackers into the public domain after a company has been breached. When asked how data should be treated, the largest number of respondents (23%) said that this data should be considered stolen property and no one should be entitled to utilize it. By contrast 18% of respondents believed that everyone should be able to access and use such data, once it has been placed in the public domain. An additional 22% opted for the middle course – saying that the data was not for general public use but could be used by security professionals for research purposes.

Javvad Malik continues: “The recent Ashley Madison breach has made us all consider the use of stolen data once it is placed in the public domain. Making such data available for security research might seem like having your cake and eating it, but it’s also vital that the security industry keeps up with criminals who have no qualms about harvesting and analyzing such data.”

While most people agree in principle that sharing threat intelligence benefits everyone, the survey results showed that many organizations are still reluctant to share threats externally. Of those who do share threat data, the vast majority will only share with their trusted peers (49%), or only internally (34%).

Javvad Malik concludes: “Security vulnerabilities and their exploitation have evolved rapidly and become much more widespread over the last few years. Whilst exploits are having an impact on daily life, or have at least risen in profile amongst the general public, security professionals are still at odds as to the best way to collaborate to prevent breaches, and how to react in the aftermath of one.

“Threat intelligence is not a new discipline, and while virtually every company claims to utilize it to some degree, there is no uniformity yet in how it is gathered, shared or applied. By adopting a collaborative approach to threat intelligence and vulnerability disclosure, companies and professionals can take advantage of the many benefits that a combined security ecosystem can provide.”



Cyber Risk getting lost in translation

Auriga Consulting Ltd (Auriga) recently warned that cyber risk continues to be poorly communicated to C-suite executives. The monopolisation of the risk management function by IT and security consultants, and poor knowledge transfer through the use of jargon, acronyms and buzzwords, is frustrating efforts to move risk into the board room. This misinterpretation of risk is endangering the decision making process and ultimately future economic development. To counter this, Auriga recommends that risk be treated as a strategic, dynamic process and that a dialogue be created and maintained with the board, with risk regularly assessed and the risk register adjusted accordingly.

Communication from the IT team to the board is essential in ensuring risk is understood, managed and acted upon effectively. According to a recent survey of large and medium sized businesses in the UK, board level ownership of cyber risk numbers just 19.4 percent, and only 16.6 percent place cyber risk in the top five on the risk register, despite the severity a realisation of cyber risk poses. To overcome obstacles in communication, risk needs to be:

· Couched in business terms that lay out risk as a strategy, with business impact analyses, projection forecasts and outcomes, and with repercussions explained;
· Referenced to people and processes within the organisation to provide a business context and not just a technological one;
· Appraised without self-censorship, such as the desire to protect existing processes or budgets, as a bias could affect the perception of risk;
· Supported by an education program which aims to improve the board’s cyber awareness now and in the long term.
In a recent interview with The Telegraph Business Leaders, Louise T. Dunne, Managing Director at Auriga, states: “there is a knowledge gap when it comes to translating cyber risk into business language for business leaders… but a third party can help bridge that gap. Developing an in-house capability, looking at what you need, how you are going to deliver it and doing a sanity check to see if what they are delivering is appropriate and is going to provide you with the defense you need can take you away from your core business. And that’s where a third party comes in because they are focused on and offer undiluted risk management expertise enabling them to communicate threats relevant to your business.”

Jamal Elmellas, Technical Director at Auriga adds: “I have not met one business leader that isn’t highly educated and knowledgeable about risk management and the threat cyber poses to their businesses. It’s the specialists who lack the ability to translate cyber and its risks into business language that the leaders can understand and see value in. Translating cyber threats into corporate risk management and business enabling remediation is a skill set only few are able to achieve.”

To see the full interview with The Telegraph Business Leaders please go to:

For further advice on communicating risk management to the board see:

GCHQ also provides further guidance on Board Level Responsibility and how to adopt an enterprise-wide information risk management regime:



Law of virtual behaviour

By Christian Berg

“Do the features of anonymity and connectivity free the darker sides of our nature?” Jamie Bartlett, The Dark Net, 2014.

The Internet has nearly always been an unrestricted space where people can present themselves with any identity. Anonymity online is considered either a blessing or a curse: it is protective, but it is also dangerous.

One of the most valuable aspects of anonymity online is that it allows freedom of speech. Concealment of real identity means that individuals feel empowered to liberate their voice without having to fear the repercussions. People are often able to challenge political barriers with views that could put them in danger.

Anonymity also allows people to discuss sensitive issues, subjects that some may shield in real life, such as religion, mental illness, sexual orientation. The expression of feelings online often lifts the burden in real life.

The nature of the Internet means that people behave seemingly as they please, and not necessarily how they would do in real life. Individuals link being anonymous to being undetectable and therefore not accountable for their actions online. This is where we start to see the destructive side effects of anonymity.

Anonymity is the best disguise for most cyber criminals. More often than not, criminals cannot be traced as layers of encryption mask them. Most of the illegal activity occurring via the Internet is, at first glance, obscured or hidden.

Cyber criminals legitimise their illegal online behaviour by separating the virtual world from reality. Users of the dark-net hide behind their computer screens and rarely face up to the severity of the crimes. In particular, the Internet has significantly changed the way many sex offenders operate, with an alarming number of cases now involving an element of interaction online.

Whether this is the sharing of an image, the grooming of a child or the viewing of live-streamed abuse, we are increasingly seeing paedophiles hiding behind their computer screens.

What is interesting is that many only act on the fantasies of their online personas via the Internet. They have little or no intention to take part in physical abuse initially. But as they normalise the behaviour over time, many will physically commit the crime, thus fuelling the cycle of online abuse.

To stop child sexual abuse means that we must nip it in the bud quickly before it grows out of control. Whilst possessing and sharing explicit images is still a crime, early offenders are less likely to take part in physical abuse. By halting the spread of illicit content in the first place, we can prevent physical abuse from happening in the long term.

This is the point where the virtual world meets real life where we can make a difference.



Apple works to cleanse iOS App Store of malware, security expert takes a closer look at the findings

Apple is finalising a clean-up of its iOS App Store to remove malware that has infected numerous iPhone and iPad programmes. The malware, dubbed XcodeGhost, was discovered by several cyber security companies, which found it embedded in hundreds of legitimate apps. Stephen Coty, chief security evangelist at Alert Logic, takes a deeper look at the issue and says:

“Brilliant find, and great analysis, from the team at Palo Alto Networks. XcodeGhost is the first code compiler malware to affect Apple’s Application Store’s infrastructure. The malicious code is located in the Mach-O object file that was packaged with some versions of the Xcode installer. First question is what is Xcode? Xcode is an integrated development environment (IDE) containing development tools developed by Apple for use by Apple and third party developers to build applications for OS X and iOS. Xcode is downloaded directly from Apple at no charge to people who want to write applications for the store. Due to bandwidth and convenience, some developers will download the toolkit from file sharing sites like Baidu Yunnan, which hosted code that had a few extra lines than the same version downloaded from the actual Apple store.

It’s quite brilliant of the attackers to think of maliciously infecting the development toolkits that are being used to build the applications for the Apple store. For years malicious actors have been attempting to penetrate the Apple app store unsuccessfully, but now they have. Using the Mach-O file layout, they can utilise the multi-architecture binaries that allow the application file to launch multiple programs in the background while installing the primary application.

This gives an attacker several options of malicious code that can accompany the intended application for your iOS device. Although this attack seemed to be focused in Asia, this same type of attack vector can be used throughout other stores. This could lead to dozens of applications being developed by trusted developers that had malicious code installed and distributed in all their packages that they build on the Xcode tool base.

Interesting that they used domains like these as part of their command and control (C&C) infrastructure:




Makes you think that, besides the actual malicious code loaded on the devices, they had to conduct some type of DNS hijacking or local IP tables that redirected the traffic to the actual malicious IP addresses made under the above domains. That is based on the thought that Apple does use the above domains to fulfil services they offer. According to the researchers that wrote the report, there are currently about 39 applications that are available on the Chinese Apple application store that are deemed malicious. So far I have not heard of any detected malicious apps in the US or EU instance of the application store.”
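The Mach-O multi-architecture ("fat") layout mentioned above is easy to inspect, and doing so is a cheap build-integrity check: a developer who compiled from a trusted Xcode can confirm that the shipped binary contains only the architecture slices they expect, each beginning with a genuine Mach-O header. The Python parser below is an added example, not code from the article, Alert Logic or Palo Alto Networks; the fat-header and slice layout it reads are the published Mach-O structures, and the sample fat file is constructed inline from headers and padding only.

```python
"""List the architecture slices of a fat Mach-O file and validate each one.

Added example, not code from the original article, Alert Logic or Palo Alto Networks.
The sample binary built by build_sample_fat() is constructed (headers plus zero padding).
"""
import struct

FAT_MAGIC = 0xCAFEBABE                  # fat_header.magic, stored big-endian
# Mach-O header magics as read big-endian from disk: 32-bit/64-bit, either byte order.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
MACHO_64BIT = {0xFEEDFACF, 0xCFFAEDFE}
CPU_NAMES = {0x00000007: "i386", 0x01000007: "x86_64",
             0x0000000C: "arm", 0x0100000C: "arm64"}
FAT_ARCH_SIZE = 20                      # cputype, cpusubtype, offset, size, align (all 32-bit)


def parse_fat(data: bytes) -> list:
    """Return one dict per slice: cpu name, offset, size and header width.

    Raises ValueError when the file is not a fat binary, the slice table is
    truncated, a slice lies outside the file, or a slice lacks a Mach-O header.
    """
    if len(data) < 8:
        raise ValueError("file too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08X)" % magic)
    if len(data) < 8 + nfat * FAT_ARCH_SIZE:
        raise ValueError("fat_arch table truncated")
    slices = []
    for i in range(nfat):
        off = 8 + i * FAT_ARCH_SIZE
        cputype, _subtype, offset, size, _align = struct.unpack(">iiIII", data[off:off + FAT_ARCH_SIZE])
        if size < 4 or offset + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        slice_magic = struct.unpack(">I", data[offset:offset + 4])[0]
        if slice_magic not in MACHO_MAGICS:
            raise ValueError("slice %d does not start with a Mach-O header" % i)
        slices.append({"cpu": CPU_NAMES.get(cputype, hex(cputype)),
                       "offset": offset, "size": size,
                       "bits": 64 if slice_magic in MACHO_64BIT else 32})
    return slices


def unexpected_architectures(slices: list, allowed: set) -> list:
    """Return the cpu names of slices a build was not expected to contain."""
    return [s["cpu"] for s in slices if s["cpu"] not in allowed]


def build_sample_fat() -> bytes:
    """Constructed two-slice fat file: a 32-bit arm stub followed by a 64-bit arm64 stub."""
    slice32 = struct.pack("<I", 0xFEEDFACE) + b"\x00" * 28   # little-endian 32-bit header only
    slice64 = struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28   # little-endian 64-bit header only
    off32 = 8 + 2 * FAT_ARCH_SIZE                             # slices follow the table directly
    off64 = off32 + len(slice32)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", 0x0000000C, 9, off32, len(slice32), 2)
    header += struct.pack(">iiIII", 0x0100000C, 0, off64, len(slice64), 2)
    return header + slice32 + slice64


if __name__ == "__main__":
    for s in parse_fat(build_sample_fat()):
        print("%-7s %2d-bit at offset %d (%d bytes)" % (s["cpu"], s["bits"], s["offset"], s["size"]))
```

Running the parser over a real app binary in place of the constructed sample and comparing the result against the architectures in the project's build settings is the practical use; any extra slice, or a slice whose bytes do not begin with a Mach-O header, is a reason to rebuild from an installer downloaded directly from Apple.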


Share served malicious ads to visitors.

It came to light, according to a FireEye blog, that a malvertising campaign was running on earlier this month, leading visitors to landing pages run by the Neutrino and Angler exploit kits. At first, the Neutrino kit was the primary source of delivered malware (after exploiting Flash vulnerabilities), but additional investigation discovered the Angler exploit kit being used as well.

Fraser Kyne, principal systems engineer at endpoint security firm Bromium, offered @Dfmag useful insight into this issue and discusses why approaches like micro-virtualisation can be helpful moving forward, commenting:

“There is still a growth in attacks via malicious advertising. This is where the attacker ends up creating an advert which contains some malicious content. Typically what they are going to do is redirect you to a website, which then launches the second stage of the attack. Then they’ll place that advert with a number of ad agencies, and use one of the ad placement firms to actually enable the attack. It is actually a very interesting attack, because it gives you the opportunity to target particular groups.

For example, supposing you had a conference which had a particular name that, perhaps, you knew was going to be frequented by people in the Department of Defence, or the Army. You could then create one of these malicious adverts, buy the ad-word for that particular conference and then anyone searching for it would be likely to see that particular advert. There might be a white list of sites you can go to, but even if you are going to a well known website, whether it’s Forbes, CNN or BBC, there are adverts being inserted into those web pages and those adverts themselves can be malicious.

Even if you go to a website that you believe will be secure, it could actually be made insecure by adverts which are being delivered by third parties. The way the whole economy and the web is built on this advertising infrastructure is really quite horrible from a security point of view. It is enabling third parties that have no relationship with the website provider to be able to inject adverts and quite complex code. Most of these adverts are Flash, basically enabling complicated things to be done within the environment of the webpage and really rely on the very fragile security of the Flash, the Flash engine and the browser and these other technologies. With this level and amount of code, and the complexity, it is very challenging to make secure. In fact, basically impossible. And that is what we rely on every day! We are browsing the web, we are relying on this very fragile security. I just don’t think it is possible to secure an attack surface that is that large. That is why we need approaches like micro-virtualisation to actually enable the whole thing to be run in a micro-VM, so you don’t care what happens there. That advert may turn out to be malicious, it may compromise the web browser or the environment. The web browser might have a second stage exploit which compromises the whole operating system, but then I don’t really care because it is running in a micro-VM. It’s not going to impact any other website I visit, it’s not going to have any access to my documents and it’s not going to have access to my internet. So that’s the kind of approach we need to take to solve these problems and it’s a huge vulnerability the way the web advertising works today.”



Healthcare industry responsible for more data breaches in the past 10 years than any other industry sector

It’s been reported that the healthcare industry has been the biggest offender in the last decade when it comes to data breaches. Missing devices and untrustworthy insiders made the healthcare industry responsible for more reported data breaches than any other sector in the last ten years. Of this issue Ryan Wilk, director at NuData Security, said:

“The industry simply isn’t doing enough to protect patient, client, agent, and other user data – from PII, to PHI, even PCI – from known, much less emerging, security threats. The industry must seek out future-proof solutions that will counter these quickly-morphing fraudsters and hackers, as they discover new methods to make money. The healthcare industry is becoming a much riper target because of the ability to buy and sell large batches of personal data for profit, and medical facilities often don’t have systems in place to predict and prevent unusual activity. Predictive measures, such as behavioural analytics (looking at hundreds of intricate details about how a user acts), work to protect against the range of online risks facing healthcare such as account takeover, fraudulent account registration, and more.”

What do you think the solution is? Open the discussion by leaving your comments.



OPM says up to 5.6 million fingerprints stolen

The Office of Personnel Management admitted that the number of federal employees’ fingerprints compromised in the massive breach of its servers over the summer has grown from 1.1 million to a whopping 5.6 million. When hackers steal data such as passwords, you can change it. However, when they steal your fingerprints, they have a credential that never changes, which means they could use your identity indefinitely.

Commenting on this news, Ryan Wilk, director at behavioural biometrics firm, NuData Security said:

“Although usernames and passwords can be changed, and compromised cards replaced, victims of a breach need to understand that every bit of information exposed is becoming more critical by the day.

By combining the information stolen from these breaches, the hackers have the potential to piece together comprehensive user identities. One frightening example is the “Facebook of Everything” that China’s intelligence service is compiling from the personal data stolen over several high-profile U.S. cyber breaches, including OPM, which is being indexed into a massive Facebook-like network to build a profile with more details than Facebook.

In other words, they’ve now got a full database of information that could be used for multiple fraudulent and nefarious purposes into generations to come. They are able to use the stolen information and fingerprints to create more comprehensive ‘identity bundles’ which sell for a higher value to hackers. With more complete information, more damaging fraud can take place. As an example, if I’m a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. This is true for the millions of stolen fingerprints as well, especially with the increased adoption of touch/fingerprint-based authentication for mobile banking and payment apps. Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities.

Identity protection services or credit monitoring aren’t enough particularly for biometric identity theft. Fingerprints cannot be changed. Spoofing fingerprints is no longer something from a sci-fi movie. It is happening and will increase more as cheaper tools make their way onto the dark web.

Fortunately, user behaviour analytics can provide the extra layers of protection even after hacks have occurred. Online fraud detection solutions can stop fraudsters in their tracks by identifying suspicious activity, in a completely passive and non-intrusive way. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. Even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at behavioural events, biometrics, device, geography and other layers to determine the real actor behind the device or fingerprint. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring.”