
Thursday, August 6, 2015

Shock News: Trusted Sites Serve Malware in Ads

Yes, I know. We shouldn't really be particularly surprised that a legitimate site - even one the size of Yahoo - has ended up mistakenly serving some form of badware through its advertising network. It's not the first time: Yahoo hit the headlines for malware-related problems in 2014, when an affiliate traffic-pushing scheme targeted Yahoo users with malware served through adverts on the Yahoo website, and now it's happened again.

Ad revenue on the Internet is hard to live on at the best of times, and we can expect "lowest cost" behaviours, including, but not limited to, fairly rudimentary checks on the intentions of advertisers.

The obvious thing to do here is to bleat on about the efficacy of having a web filter in fighting some of those attacks - you've read that before, hey, you may have even read it before from me. Fill in this section on your own, as an exercise for the reader.

You probably also know how important HTTPS interception is - of course, this malware was served over HTTPS, wouldn't want any pesky insecure mixed content now, would we? Again, I’ve expounded at length on the subject. No HTTPS scanning = no security. Don't accept "blacklists" of sites that get MITM scanned: the delivery site won't be on that list, and your malware sails on through free and easy.

The thing I want to mention today is the other big secret of content filtering: some web filters only apply the full gamut of their filtering prowess to sites that are not already in their blocklists. This is wonderful for performance. It might even mean you only need a single web filter to provide for a huge organisation - but when a "trusted" site, one that's already "known" to the web filter, bypasses some of the content filtering in order to save a few CPU cycles, you may be getting a false economy. The ad network serving into that trusted page is not the trusted site, and its content is exactly what was skipped.
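To make that false economy concrete, here is an added toy model of a filter's decision pipeline (example code written for this page, not Smoothwall's or any vendor's implementation). It compares a "fast" policy, which skips inspection for pages already categorised as trusted and only intercepts HTTPS for hosts on an explicit MITM list, with a "full" policy that inspects every object regardless of reputation or transport. The hostnames, the category table, the MITM list and the malicious marker string are all constructed sample data.

```python
"""Toy web-filter decision pipeline (added illustration, not Smoothwall's or any
vendor's code).  It contrasts the two policies the post describes: a "fast" policy
that skips content inspection for pages already categorised as trusted and only
intercepts HTTPS for hosts on an explicit MITM list, and a "full" policy that
inspects every object regardless of reputation or transport.  Hostnames, the
category table and the malicious marker are all constructed sample data."""
from dataclasses import dataclass

# Constructed category table: the first-party site is known and trusted,
# the ad network that serves into it is not categorised at all.
CATEGORY_DB = {
    "news.example": "trusted",
    "ads.third-party.example": "uncategorised",
}

# Constructed: hosts whose TLS sessions the "fast" policy is willing to decrypt.
MITM_LIST = {"filehost.example"}


@dataclass
class FetchedObject:
    host: str       # host that actually served the bytes (e.g. the ad CDN)
    page_host: str  # first-party page the object was embedded in
    https: bool
    body: bytes


def content_scan(body):
    """Stand-in for signature/heuristic inspection: True if the object is malicious.
    A fixed constructed marker plays the role of a real detection."""
    return b"EVIL-SAMPLE-PAYLOAD" in body


def decide(obj, policy):
    """Return the filter's verdict for one object under the named policy."""
    if policy == "fast":
        # Reputation short-cut: a trusted page skips inspection of everything it embeds.
        if CATEGORY_DB.get(obj.page_host) == "trusted":
            return "allow: trusted page, inspection skipped"
        # HTTPS is only opened for hosts on the MITM list; anything else stays opaque.
        if obj.https and obj.host not in MITM_LIST:
            return "allow: HTTPS not intercepted for this host"
    elif policy != "full":
        raise ValueError(f"unknown policy {policy!r}")
    # "full" policy, or a "fast" request that found no short-cut: inspect the bytes.
    return "block: malware" if content_scan(obj.body) else "allow: scanned clean"


def compare_policies(obj):
    """Verdict under both policies, so the gap between them is visible."""
    return {policy: decide(obj, policy) for policy in ("fast", "full")}


# Constructed scenario from the post: a malicious ad creative served over HTTPS
# by an unknown ad host, embedded in a well-known, "trusted" site.
MALICIOUS_AD = FetchedObject(
    host="ads.third-party.example",
    page_host="news.example",
    https=True,
    body=b"<script>/* EVIL-SAMPLE-PAYLOAD */</script>",
)

if __name__ == "__main__":
    for policy, verdict in compare_policies(MALICIOUS_AD).items():
        print(f"{policy:4s} -> {verdict}")
```

Run it and the "fast" policy allows the ad twice over (the page is trusted, and the ad host's HTTPS was never going to be opened anyway) while the "full" policy blocks it; the only difference is whether reputation and transport are allowed to short-circuit inspection.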

Tuesday, June 2, 2015

It's no Fun Being Right All the Time

Last week, I finally got around to writing about HideMyAss, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately after I hit "publish", I spotted this article pop up on ZDNet. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.
Normally, I really enjoy being proved right - ask my long-suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.

Thursday, May 28, 2015

"Hide My Ass" Comes Out of Hiding


The Internet has a chequered history with the humble ass. Kim Kardashian attempted to “break the Internet” with hers, and now we see VPN service “Hide My Ass” sold for £40 million to AVG. This subscription-driven VPN service is an interesting case study. Many VPN services are surprisingly coy about where they get their revenue, and about why they exist. HMA, on the other hand, are pretty up front: it was started as a way to bypass school filters, and it is subscription based. It’s nice to see the articles finally showing what we’ve long known - these services are, in the main, used for bypassing school or workplace filtering, and not only by oppressed revolutionaries in a far-off land. Nor is Hide My Ass a way to avoid the long arm of the law; they have, in the past, given up users’ browsing details under court orders. What of other VPN providers - the “free” ones? Even subscription-supported HMA admit freely that they use affiliate marketing schemes to help keep the cost of plans down - what are the others doing to support the cost of bandwidth? Selling data, perhaps? For those with client software, they could be inspecting your secure connections! There have even been cases where proxy/VPN software has inserted malware. Our advice - block ‘em all - and think twice if you are a user attempting to connect to a VPN service. Despite the name, and the youth of its creator, HMA is a pretty grown-up VPN system - the others, well - who knows?

Tuesday, March 31, 2015

Pukka Firewall Lessons from Jamie Oliver

In our office I’m willing to bet that food is discussed on average three times a day. Monday mornings will be spent waxing lyrical about the culinary masterpiece we’ve managed to prepare over the weekend. Then at around 11 someone will say, “Where are we going for lunch?” Before going home that evening, maybe there’s a question about the latest eatery in town. 

I expect your office chit chat is not too dissimilar to ours, because food and what we do with it has skyrocketed in popularity over the past few years. Cookery programmes like Jamie Oliver's 30 minute meals, the Great British Bake-off and Masterchef have been a big influence. 

Our food obsession, however, might be putting us all at risk, and I don’t just mean from an expanded waistline. Cyber criminals appear to have turned their attention to the food industry, targeting Jamie Oliver’s website with malware. This is the second time that malware has been found on the site. News originally broke back in February, and the problem was thought to have been resolved. Then, following a routine site inspection on the 13th of March, webmasters found that the malware had returned, or had never actually been completely removed.

It’s no surprise that cyber criminals have associated themselves with Jamie Oliver, since they’ve been leeching on pop culture and celebrities for years. Back in 2008, typing a star’s name into a search engine and straying away from the official sites was a sure fire way to get malware. Now it seems they’ve cut out the middleman, going straight to the source. This malware was planted directly onto JamieOliver.com.

Apart from bad press, Jamie Oliver has come away unscathed. Nobody has been seriously affected and the situation could have been much worse had the malware got into an organisational network. 

Even with no real damage there’s an important lesson to be learned. Keep your firewall up to date so it can identify nefarious code contained within web pages or applications. If such code tries to execute itself on your machine, a good firewall will identify this as malware.

Monday, September 1, 2014

Red Letter Day for Onanists and Internet Fraudsters

Yesterday a number of explicit photographs of celebrities, including Jennifer Lawrence, were leaked on the Internet. I'll get to that in a moment. First, if you read no further, read this:

Don't go looking for these photographs, and don't click any links sent to you purporting to be them.

If you must look, we've hosted them all here. Seriously, we have been out a-searching since the news broke, in order to protect our users from the inevitable tide of malware links that have already begun to spring up. The major search engines work hard to keep malicious sites seeded with "current event" keywords from popping up, but this time will be harder, as the sites offering these images will often be similar to those offering the malware.

Now I am going to break from the norm. Most security blogs include the advice "don't take nude photos". I'm not going to ask you to quit. If that's your bag, keep at it — but bear in mind that your photo collection is now worth more. It's now worth more to an attacker who wants to populate their porn site, or to blackmail you. It is also worth more to you, for the peace of mind of those images being kept private.

If we said the answer was "don't do it" every time doing something on the Internet resulted in a problem, we wouldn't have Internet banking. Or the Internet, come to think of it. So no, you absolutely should store your personal photos on the Internet. You just need to take further steps to ensure they are secure.

These steps include:

1. Make sure you know where your photos are. Many phones now automatically send your images to the NSA/GCHQ etc. under the guise of backup. This can be turned off. Weigh up your dismay at not having your photos any more, vs. the chance of them being stolen. Personally, I vote for backup, as anyone who pinches my pictures will find a heady combination of safari shots, and pictures of serial numbers for things I need to fix. Remember any other backup services (DropBox, Mozy, Backblaze, Crashplan et al) that you use here as well.

2. Secure the photos on-device. If your PC has no password, and your phone regularly sits around unlocked, there's no point hacking your backups. Seems obvious, but the proportion of people who take nude selfies is greater than those who use a lock screen. Apparently.

3. Use a password you use nowhere else. No, really. I mean it this time. I know you ignored me when I said "use a different password everywhere". Look, I forgive you, because I like you. But this one is pretty serious. Don't share the password with the one you use on a messageboard, or for grocery shopping.

4. Turn on "two step verification", "two factor authentication" or whatever anyone's calling it these days.

5. Secure the reset channel. Password resets are a good way to break an account. This could be email (password and 2 factor advice applies here), phone (PIN protect your voicemail!), or silly security questions that anyone with access to your Facebook can answer (make like Graham Cluley and tell them your first pet was called "9£!ttty7-").

A final word on this: watch for those malware links. They're already out there.

Tuesday, August 19, 2014

For an Internet of Things, We Are Going to Need Better Things

There's a lot of hype around at the moment about "The Internet of Things" (IoT), which, I suppose, is all about attaching, uh, things to the Internet. By "things", it seems we are supposed to be thinking household goods, vehicles; basically anything with electrical current running through it is a candidate for the "internet of things".

While setting up a cheapo DVD player last week, I couldn't help thinking of Chief Brody in the film "Jaws"... "You're going to need a bigger boat", he says, on seeing the enormous shark. We're going to need a bigger mindset on security if we are to survive the onslaught of "things". The firmware in the kind of devices we are already routinely connecting up is drivel. I mean some of it is absolute garbage. I know there are exceptions, but most of it is badly built, and almost none of it is ever updated.

Each of these devices is likely perfectly capable as a host in a botnet - for DDoS, for sending SPAM, SPIM and SPIT (OK, we are yet to see much in the way of unsolicited Internet Telephony... but with the IoT, devices built to make calls/send texts are likely to get hijacked), so each of these devices has a value to the Internet's vast supply of wrongdoers.

Researchers at Eurecom recently completed a study showing up vulnerabilities in the 30 thousand or so firmware images they scraped from vendor websites. Apparently one image even contained a Linux kernel whose age had just hit double figures. Ouch. The "Nest" next-gen thermostat hasn't been without issues either; it's a high-profile target, but at least we can expect firmware updates from them!

Synology's NAS storage devices are among the early victims of malware attacking non-traditional computing devices, and may be an indication of IoT issues to come. Users of these storage devices have found themselves victim of a crypto-ransomware attack: their files are encrypted, and the encryption keys offered for sale back to them! Other early warnings come in the form of attacks on SCADA industrial control systems. These are all places that traditionally, little or no emphasis has been placed on security.

What can we do to help ourselves here? My advice is be careful before you buy anything you're going to add to your network. Look to see if the vendor has a firmware download, and if there's a recent-ish update. If they're the fire'n'forget types, you're probably not going to want to deploy it.

Footnote: Gartner appears to believe the Internet of Things to have reached "peak hype". Reminds me of an old saying about those dwelling in vitreous abodes launching masonry...

Monday, March 25, 2013

Mobile Malware: 3 Key Differences and 3 Top Tips

Traditional malware is relatively easy to spot - well, ok, I am sure most security vendors would disagree, but it is. Compared to mobile malware - I did say “relatively”, didn’t I?


Why is mobile malware so different to regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure, we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin... but still...), but in the end, it stays. On our ‘phones however, small is king (don’t get me started on “phablets”; if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.


Second up, there’s the homogeneity of the devices. Android often gets slated for a “fragmented platform”, but if you’re looking to have the same fundamental attack vectors, mobile is a great place to be. This was a criticism levelled at the Microsoft environment 5 years ago, but while Windows is still highly popular, the software stack is much more varied - Outlook is no longer de facto, and nor is IE. iOS is going to give you even more of a predictable basis for attack, so as a malware author, it’s a great place to be. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order - often a good thing, less rope to hang oneself with, but it means any AV has less foothold in the OS, and makes it hard for the user to spot “interesting” issues: the diagnostic tools aren’t readily available.


Finally, we come to the killer feature - the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit: I can sell it, but for peanuts, I need 1000s. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however has the ability to spend money on your behalf right out of the box by placing calls to premium numbers, or signing up to text services. Even the appstore is more likely to be an easy place to slyly spend your coin than anything I can find on your PC.


So - before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian mafia style hack, rather than lazy journalist style hack)...


Rule Zero: The fundamental rule of safety - if it looks too good to be true, that’s because it is. If an app is normally 70p, and there’s a free copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad supported, worst case, it’s worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: Free lunch, existence or otherwise thereof.


Rule One: Check the permissions. Both iOS and Android apps will state what the app is allowed to do. Be especially cautious with things that could cost you money. Sadly, most things need network capability for something or other, so that’s not really a good red flag, but think: does this app need this permission? Why?


Rule Two: Follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher, but if an app is brand new to the app store and has very few downloads, tread carefully - especially if it looks like a mature app. Check the reviews while you’re at it.
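Rule One as a small, mechanical permission review, added here as an illustration and not something from the original post: it pulls the permissions an Android app requests out of its manifest and separates the ones that can spend your money (calls, premium SMS) from the ones that merely deserve a "why?". The permission names are real Android identifiers; the sample manifest, its package name and the "expected" set for a torch app are constructed.

```python
"""Added example (not from the post): pull the permissions an Android app requests
out of its manifest and sort them into the buckets a cautious user should think
about before installing.  The permission identifiers are real Android ones; the
sample manifest, its package name and the "expected" set are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app spend money on your behalf (calls, premium SMS).
COSTS_MONEY = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
}
# Permissions that expose personal data; not a direct cost, but worth a "why?".
PRIVACY_SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Names from <uses-permission android:name="..."/> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review(manifest_xml, expected):
    """Bucket the requested permissions.

    expected: the set of permissions the app's stated purpose plausibly needs
    (the reviewer's own judgement, supplied by the caller).  Anything outside it
    is reported as 'unexpected' so that the "does this app need this? why?"
    question is asked explicitly rather than skipped."""
    perms = requested_permissions(manifest_xml)
    return {
        "costs_money": [p for p in perms if p in COSTS_MONEY],
        "privacy_sensitive": [p for p in perms if p in PRIVACY_SENSITIVE],
        "unexpected": [p for p in perms if p not in expected],
    }


# Constructed manifest for a supposed torch app that asks for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# What a torch app plausibly needs: the camera (for the LED flash) and nothing else.
TORCH_EXPECTED = {"android.permission.CAMERA"}

if __name__ == "__main__":
    for bucket, names in review(SAMPLE_MANIFEST, TORCH_EXPECTED).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The network permission lands in "unexpected" rather than in a scarier bucket on purpose: as the post says, almost everything wants the network, so it is a weak signal on its own, whereas SEND_SMS on a torch is the kind of thing that should stop the install outright.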

Wednesday, October 10, 2012

Finally: Anonymizer Caught "Up To No Good"

At Smoothwall we have long speculated why anyone would choose to host a proxy anonymiser. For those who don't know, these are services which allow a web user to browse anonymously, and often bypass any local network filters. You can see why the service may be in demand, but inevitably there are going to be bandwidth costs associated with making that extra hop between user and target website - and these costs could be non trivial. So why do people do this? Let's talk about three possibilities...

1. They're studying at a school with a URL-list web filter which catches the majority of well-known anonymisers. They think that running an anonymiser (which isn't on the filter's URL list, and is unlikely to hit its radar) and sharing it with their friends will make them popular and seem cool. Neither of these benefits actually comes to pass, however, but that doesn't stop them trying.
Motivation: Realistic
Incidence: Low - most schoolkids have neither the aptitude nor inclination
Usage/Impact: Very low - only a handful of people know it exists

2. They're hoping to help oppressed people get access to the web, in countries where you can get locked up for posting on Twitter (like Britain ;)). This shows a fair level of altruism, so naturally, I'm sceptical.
Motivation: Unlikely
Incidence: Low - the costs put off all but the most hardened altruist
Usage/Impact: Low

3. To make money. Now we're talking. This is the reason 90% of proxy anonymisers exist.
Motivation: Universal
Incidence: High, there is little barrier to entry
Usage/Impact: Widespread and varied, often distributed through lists of 0-day proxies

So... how do these make money for their host? Well, advertising is a first port of call, and this is also extremely common. Advertising is made slightly harder by the fact that Google - whose ads are most lucrative - forbid their ads from being shown on proxies (though the homepage is generally exempt).

For this reason, we have long believed that some proxy anonymisers could be run by folks with much more nefarious intentions. Specifically, those with no visible means of support. No ads, no revenue... so who is paying for your bandwidth? Either it's an altruist or a student, and those are rare, so what is it? Well, we think either your browsing history is sold to the highest bidder, or you're getting a few bits of malware served in the mix.

Finally - we have proof of this long held suspicion:
http://threatpost.com/en_us/blogs/proxy-service-front-malware-distribution-100812

Moral of the story: Don't use anonymizer services, and don't let your users use them. Even ad-supported variants could be looking to make a few extra coins on the side.