Reviewing what makes a smart city smart

Beatriz Sanz Baños    29 July, 2015

Smart Cities are no longer a promise of the future but an increasing priority for local, regional and countrywide governments and a flourishing business area for technological firms and CSPs with interests in the IoT market.

The European Union is so far the part of the world where the most effort has been made to develop smart cities. At the same time, we find a higher degree of scrutiny and follow-up of how well they rank and abide by predefined European standards. Despite the EU being a conglomerate of countries with different legislation, the areas that affect smart city legislation, such as environment or mobility, are normally legislated at Union level, easing the path to a more homogeneous standard for Smart Cities and helping EU-based companies to bid for projects in different countries.

LATAM is following this trend and starting to understand the different European experiences in order to begin building the most adequate ecosystem for the development of Smart Cities.

Telefónica has a four pillar guideline that serves as a best practices guide of how to successfully turn Cities into Smart Cities.

  1. Go hand in hand with citizens

The citizen must perceive Smart City improvements as advances that provide better and more efficient municipal services enhancing life in the city. Smart Cities must inevitably improve pre-existent conditions substantially in order to justify investment and the logical inconveniences during the initial deployment.

  2. Open for Business

It is key to adopt an integrating vision when planning Smart Cities. The best option is to opt for open standards with a holistic perspective that easily integrate any potential technological partner into the platform and ensure continuity over time. Smart Cities should always use top-down design approaches with the citizen at the centre: the final objective is always to offer better services to the citizenry.

Each layer of technology is set to serve the next in a four tier architecture:

Sensors > Connectivity > Management Platform > Analysis and Intelligence

  3. The best partnerships provide the best results

Having solid technological partners with proven know-how to efficiently deploy these services and maintain them in good shape is fundamental in order to meet citizens’ expectations.

Expect the best from the best. Seeking expertise and market leadership implementing solutions is a sound approach to achieve optimal results. Best in class partners provide their portfolio of top class solutions and the necessary experience to successfully deliver projects within the planned scenario timeframe and budget.

  4. Involving startups and SMEs

It takes more than a group of large corporations to deploy and maintain Smart Cities. Disruptive technology is often introduced by smaller startups with bold and innovative ideas. It would be a mistake to rule small companies out of this transformation process as they have an important role to complement successful Smart City developments.

https://www.youtube.com/watch?v=O4n3RIuKOXc

Trend Ransomware Report

Florence Broderick    29 July, 2015
21st Century Extortion
The scourge of crypto-ransomware malware featured prominently in threat predictions for 2015, and the 165% increase reported in Q1 2015 indicates that these fears were well founded. Using a criminal model that runs counter to many of the others included in the threat predictions, crypto-ransomware is not concerned with exfiltrating valuable data; instead it surreptitiously encrypts files and then makes an abrupt, confrontational extortion demand. While on the surface the technique may seem crude, the evolution of crypto-ransomware and of the criminal marketplace that has served as its incubator show it is actually a calculated operation, abusing technologies long upheld by privacy advocates. The propagation statistics of the CTB-Locker variant are broadly illustrative of the overall geographic spread of this subversive threat so far during 2015.

The infection vector criminals use to distribute crypto-ransomware varies, and is often symbiotic with prior malware infections; during 2014 it would often be a result of the Gameover Zeus botnet, and 2015 has seen an increase in ransomware as part of a malware lifecycle encompassing ‘click fraud’ and ‘malvertising’.

Once a machine is infected, the malware uses asymmetric encryption, creating a public-private key pair, to encrypt files. The (symmetric) key used to encrypt the files is often itself encrypted again, in a process typically combining RSA and AES, and ultimately without access to the attacker’s private key it is next to impossible to decrypt the data.

Over time the price point of the ransom demand has been adjusted by criminals, and is now commonly around $400 (€360) to be paid in Bitcoin, which appears to be close to the price ceiling at which untargeted ransomware balances likelihood of payment with the maximum ransom demand from an average user. However in June 2015 the FBI issued an advisory stating the CryptoWall variant had caused $18 million in damages including ransom payments of $200-$10,000 from both individuals and businesses.

Crypto-ransomware epitomises the nexus between the modern cyber-criminal and effective use of age-old psychological intimidation, and is a model that appears to scale well to technologies like mobile, cloud and IoT. Indeed the potential for this threat to develop further, nurtured within the cyber-criminal ecosystem is perhaps more sinister than viewing propagation statistics alone.

The only way to nullify the criminal business model is if no-one paid a ransom; however such idealism is of no compensation to an individual or business who have been infected and lack sufficient safeguards. Security awareness and system hardening are preventative measures, but the only contingency to rely on should infection occur is to have sufficient backups; ideally three copies, in two different formats, with one stored offline. Coding errors and seizures by law enforcement relating to specific variants may offer a chance of decryption in a small percentage of cases, but a ‘cure’ should be regarded as non-existent. The criminals may never even intend to provide decryption, but the trajectory of ransomware is testament to the number of unprepared victims who felt they had no other choice.

» Download the “Cyber Security Pulse and Ransomware report”

Ben Walton 

Top of the app charts. Shuabang: automated malware made in China

Florence Broderick    28 July, 2015
Have you ever wondered how some apps rocket up the charts so quickly? Sometimes you’ll spot one that seems like a curveball, like a pub rock covers band hitting number one in the download charts. At the Barcelona eCrime symposium ElevenPaths presented some new thinking on a new Android malware trend called “Shuabang” – a term used in China to describe the shady methods whereby certain apps are “gamed” in app stores to get them to the top of the charts.

Get downloading – a whole industry in China

“Shuabang” is to app markets what “Black SEO” is to search engines and is sold as a service sometimes for a few hundred or thousands of dollars.

http://www.theverge.com/2015/2/12/8024861/top-10-app-store-manipulation-photo

This image of a factory line process, with workers employed solely to download apps to boost their ranking, was picked up widely in the media earlier in the year. But there’s a stumbling block to the number of downloads you can get… Google accounts. In Google Play a Gmail account is needed to download an app. Moreover, you not only need a Gmail account (that requires CAPTCHA authentication) but you need this account to be associated with a device ID.

But to get their fake download rate up, companies would need thousands of registered accounts. There are only so many people you can employ to hit download all day, and that isn’t exactly an efficient way to run a business. This brings us to the question – “where can we get the other thousands of accounts?” It’s possible to steal them or buy them on the black market, but that carries all sorts of risks. Then, of course, there’s always malware – a malicious program that can do much of the heavy lifting for you by infecting numerous devices. There are already services in China that can break CAPTCHAs, but device IDs, which are harder to get, are also required for downloading. You can’t just invent device IDs either, as Google will spot them and ban the account from the outset, taking you back to square one.

The big (Shua)bang

What Eleven Paths found (thanks to Tacyt) was a new kind of malware spread via Google Play that associated fake accounts with existing device IDs. People infected with the malware were unknowingly giving away their own device’s ID to the malware creators, which were then associated with these fake Gmail accounts.

The attacker created more than 12,000 Gmail accounts and made them available to malware providers via simple web requests. They then created a malicious app that requested a Gmail account from the attackers’ server every ten minutes. The program then simulated the whole registration process against Google services – thereby creating a new, seemingly human, profile. With this the attacker had all they needed to automate the Shuabang system. These apps were disguised as downloads and spread in Google Play between September and November 2014, getting millions of downloads in the process. Users who thought they were downloading a wallpaper, for example, were actually feeding this army of fake accounts for a Shuabang company.

Steal, buy or… do it yourself with malware

ElevenPaths found and alerted Google about these apps, which were then removed. The team studied them and even had access to the attackers’ servers. The apps showed a reverse engineering of how Android works during the account registration process. The server got millions of hits, with results feeding the 12,000 registered accounts over millions of innocent devices. Victims’ real accounts were not compromised, but the harm for them came in consumed traffic and the potential that their device ID could be banned for fraudulent use. The attacker created a whole system connected to a “legal” company in China that offered “positioning services” for Android apps.

New malware methods

This attack was extremely interesting, not only for the code of the malware itself, but because they managed to fool Google Play by uploading these apps hundreds of times. Antivirus vendors were not aware of the attack until ElevenPaths told them, and they had to define a new malware variant to detect them.

But the work did not stop there. ElevenPaths has been following the gang since the apps were removed and got to know about their new plans. They have found new malware that does not just associate an account with a device ID, but creates the Gmail account from scratch, although it’s not believed this particular malware has spread yet. This time the new malware is not assigned Gmail accounts but, using data from the attackers’ server, asks Google to create the Gmail account, sends the CAPTCHA to this service, breaks it and associates the device ID… all without the victim noticing anything.

What can the user do?

Common sense is always the best policy. It’s still very unusual for malware to take advantage of Android vulnerabilities, so wider prevention is all about making users aware that they have to physically install the malware themselves. We’d recommend that people whitelist their apps, so they only install the most reputable programs. Here are a few tips to make sure you don’t become a victim:

  • Never install apps from outside Google Play, or markets you really trust. If in doubt, research the developer.
  • Never trust very “new” apps. Wait until they’ve been around a few months and had a few thousand downloads.
  • Ban apps you do not feel comfortable with. If an app requires too many permissions, downloading it is probably a bad idea.
  • Use an antivirus on your phone.

So next time you see an app that’s simply too good to be true, the chances are it probably is. Prevention is always the best cure, so exercise due caution and don’t let the Shuabangers get the better of you.

* A version of this article was originally published by SCMagazine, here.

The Turkish behind pr0nClicker, uploads badware to Google Play for the fourth time

Florence Broderick    27 July, 2015
During the last week, the Turkish actor (maybe a gang, maybe just a person) behind the pr0nClickers malware managed to evade Google Play defenses and again upload dozens of fake apps that visit pornographic links in the background. This is the fourth time during 2015 that, by slightly modifying the code, the attacker has managed to fool the defenses of Google Play.

February, the first time

It all started in February. ElevenPaths detected at least 32 apps that used an old, well-known technique from the PC world that is not so common in Android badware. Among the imitated apps we could find a fake Talking Tom (which was online for just a few hours) and a “Cut the Rope”. In this case they visited ads and porn websites and simulated clicks on the banners, so the attacker earned some revenue. This scheme eats into the user’s data plan, because the apps keep requesting pages in the background and the victim is not aware of it. The gang or person behind it had been operating since December, uploading apps to Google Play with the sole intention of starting with the device and making GET requests in the background.

App general schema

We did in-depth research on them, and published this article about it. The attacker used domains registered under real names. It is easy to find even their Facebook profile.

Name of the registrar, common for most of the domains used

The first domain used for the attack still works as a “porn domain generator”. Since the beginning, it showed some preference for movie related apps, domains, etc.

Click F5…

Apps related to the attacker, found thanks to Tacyt

April, the second time

Avast detected the attacker again using Dubsmash 2 as a fake app to spread these clickers. The way the apps worked was very similar, using the same JavaScript functions, part of the code, and Turkish addresses. But they were different enough to fool not only antivirus but Google Play again.

May, the third time

This time it was Lukas from ESET who warned that the same Turkish actor was using the same techniques and decoy (Dubsmash 2) to install clickers on victims’ devices. The attacker got a few thousand downloads and installations. It even used the same domains as in February, from which the infected devices fetched their instructions.

Fake Dubsmash 2 used during May

Same domains as the first time, seen in Tacyt

July, the fourth wave

This time, Avast alerted again about the same people: Turkish, the same “movie related” domains and apps, the same Dubsmash 2 as a decoy, the same network and JavaScript code. But again, different enough to fool Google Play and antivirus products. The attacker never stopped trying to upload apps during June, but during July it was more aggressive.

The attacker still uses the same structure for the malicious domains. Some of them seem to be compromised domains (peliculasgratishd.net?). These are all the domains (we do not show all the paths) related to this wave of attacks. They seem harmless, but this could change at any moment.

  • http://ynk.linuxum.com/
  • http://kankalar.linuxum.com/z/z5/
  • http://amas.europeanteenx.com/z/orap/
  • http://sulale.hitgit.com/com.sulale.dubb/1.png
  • http://tranquockarafren.peliculasgratishd.net/g/getasite/
  • http://kum.angelpinkgirls.com/z/z2/
  • http://cinar.pussyteenx.com/z/z5/
  • http://kamki.insfollows.com/com.nguyenngocjumraze.suuu/4.png
  • http://phutanjocohare.mobilprn.net/g/getasite/
  • http://mebk.pantiescock.com/z/z2/
  • http://komidin.cumshotsex.net/com.komidin.cheatscrim/3.png
  • http://rafta.girlstoyporn.com/z/orap/
  • http://sulale.hitgit.com/z/z2/
  • http://kendo.teenpornxx.com/z/orap/
  • http://fet.asianpornxx.com/z/z5/
  • http://pupa.romantictube.net/g/getasite/
  • http://palasandoreki.filmsme.net/z/z2/

The attackers keep using the same Turkish name to register most domains. The code (inside and outside the app) keeps using characteristics and formulas that are common enough to attribute it to the same people.

Domain used in February (up) and domain used in July (down)

Some of the apps are still available in Google Play as we write these lines.

One of the clickers simulating Temple Run 3, still online: https://play.google.com/store/apps/details?id=com.amas.ra

These are some of the apps we have found during these last days (using Tacyt and a few clicks) that share the same characteristics. But, since February, they have had to give up some “conveniences”, such as starting the app with the phone, which limits the attack to the moment the app is opened… which is why the attacker has lately been trying to add some real content to the apps.

  • Amasra 1;com.amas.ra;f617515837ebe345a68904417d7823974e382e59
  • Best : Dubsmash;com.kankalar.elma;99cc2f0ff000df5c2e856d40acac1b4dc72e9230
  • Dubs Mash 2;com.sulale.dubb;459dc9198de2875017885d89e1c04c81301213b3
  • Panita Kin;com.tranquockarafren.king;f320e227b9742527be37a1c03afe4f2689bb76f0
  • Cheats for Boom Beach;com.kum.sal;36c4d4c0ca7c2d9e948daa32c20556709984fdba
  • Cinarcik 1;com.cinar.cik;315c57bddee7a2ee5db54fb52215986bc23a9c93
  • belki yanbak;com.nguyenngocjumraze.suuu;9b0e6c03338db95a86217ea298ae9a50c85c8217
  • MayHada;com.phutanjocohare.may;9fe6f210fe5209c3d6d97800054e42d80d4e6966
  • MayHayda;com.phutanjocohare.jat;84af3da99603e9d5586a2278d180d485c74d4068
  • Cheats for Clash of Clans;com.kankalar.cheats;a0f000baa8246908bdce9feabc2f24530fd8afcb
  • Man Kaptasi;com.phutanjocohare.conc;ed7ed72b9cf1de2cd67ce74d252be5aa7a2c0d35
  • Cheats for Pou;com.mebk.adli;9d3e6747cf892a7bc7571b1b91da1d14061ad4bb
  • Cheats for Criminal Case;com.komidin.cheatscrim;df5be5567eb7dc2ef8d6f96909ff6dfc29b37d8d
  • Cheats for Hill Climb;com.rafta.chetashill;8d4a009bae65731f10adc0b7fbfb708918579e74
  • Cheats & Trucos: Gta 5;com.sulale.chetastga;1741e985d4d204da73ee9f2a35622331fe7824c0
  • Maps & Guide: GTA 5;com.sulale.cimmi;ed388d4dd304c695aba5794d089355febaeb80d8
  • Followers for Instagram;com.nguyenngocjumraze.takip;5638df53b960a0d2b16f708bba8e46d4dc996f6d
  • C l a s h o f C l a n s 2;com.kankalar.clash2;7552118b7e5f1ef3698579cc48121a6be37aa5f3
  • Komidin;com.kendo.yako;0695c87554db4a10a7b38df49ecf03f6e20eb4db
  • Fethiye;com.fet.hiye;49c37da0ca94536600cecd8290aba670164ba7a6
  • Koday;com.pupa.yelken;2e2598c930a448217b6070d934e98735e4c44732
  • Doganın Güzellikleri 2;com.palasandoreki.hsa2;961923bad0f1a986a142ef5916d57b053e6591ba
  • Doganin Guzellikleri;com.palasandoreki.hsa;193e986d65249a8a04d596b9c13ecfdf0e3dced9
  • Doganin güzellikleri 3;com.palasandoreki.hsa3;6dad78b0bae7210fcc9335ee671f4514becdb214

So, this is the fourth time the attackers have modified the apps and got them into Google Play. But we have to consider that, once you are able to “fool the antivirus” just by twisting the code, this kind of badware is hard to detect, since the way the apps work is not that “suspicious” (“just visiting sites”) and the behavior can be easily “hidden”, for example by waiting for some event before starting to visit porn sites.
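The domain list and the “name;package;hash” list above are the kind of indicators a defender wants to match against a fleet’s app inventory and DNS logs. The following is an added example, not code from the post or from ElevenPaths: it parses a constructed subset of both lists, assumes the third field of each app line is the SHA-1 of the APK (the post does not name the digest, but the values are 40 hex characters), and runs the resulting indicators over constructed inventory and DNS log lines.

```python
"""Match the pr0nClicker indicators from the post against inventory and DNS data.
Added example; the inventory, DNS log lines and the IoC subsets are constructed."""
import re
from urllib.parse import urlsplit

# Constructed subset of the post's app list, kept in its "name;package;hash" format.
APP_IOCS = """\
Amasra 1;com.amas.ra;f617515837ebe345a68904417d7823974e382e59
Dubs Mash 2;com.sulale.dubb;459dc9198de2875017885d89e1c04c81301213b3
Cheats for Clash of Clans;com.kankalar.cheats;a0f000baa8246908bdce9feabc2f24530fd8afcb
"""

# Constructed subset of the post's URL list, including a trailing comma as it appeared.
URL_IOCS = """\
http://ynk.linuxum.com/
http://sulale.hitgit.com/com.sulale.dubb/1.png,
http://tranquockarafren.peliculasgratishd.net/g/getasite/
"""

HEX40 = re.compile(r"^[0-9a-f]{40}$")   # assumption: 40 hex chars == SHA-1 of the APK


def parse_app_iocs(text):
    """Return {package: (app name, sha1)}; lines that do not fit the format are skipped."""
    iocs = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3 or not HEX40.match(parts[2].lower()):
            continue
        name, package, digest = parts
        iocs[package] = (name, digest.lower())
    return iocs


def ioc_hosts(text):
    """Hostnames from the URL list; tolerant of stray commas and blank lines."""
    hosts = set()
    for line in text.splitlines():
        url = line.strip().rstrip(",").strip()
        host = urlsplit(url).hostname if url else None
        if host:
            hosts.add(host.lower())
    return hosts


def check_inventory(installed, iocs):
    """installed: iterable of (package, sha1). Returns [(package, reason)] for matches.
    A hash match catches a renamed build; a package-only match catches a re-twisted one."""
    by_hash = {sha1: pkg for pkg, (_, sha1) in iocs.items()}
    hits = []
    for package, sha1 in installed:
        sha1 = sha1.lower()
        if package in iocs and iocs[package][1] == sha1:
            hits.append((package, "package and hash match"))
        elif package in iocs:
            hits.append((package, "package name match, different build"))
        elif sha1 in by_hash:
            hits.append((package, "hash match, listed as " + by_hash[sha1]))
    return hits


QUERY = re.compile(r"query=(\S+)")


def check_dns_log(lines, hosts):
    """Flag log lines whose queried name is an IoC host or a subdomain of one.
    Matching is done on the exact host, not the apex, because the post notes some
    apexes look like compromised legitimate domains."""
    flagged = []
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if any(name == h or name.endswith("." + h) for h in hosts):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    iocs = parse_app_iocs(APP_IOCS)
    inventory = [("com.amas.ra", "f617515837ebe345a68904417d7823974e382e59"),   # constructed
                 ("com.example.ok", "0" * 40)]
    print(check_inventory(inventory, iocs))
    log = ["2015-07-27T10:00:01Z client=10.0.0.5 query=ynk.linuxum.com type=A",  # constructed
           "2015-07-27T10:00:02Z client=10.0.0.5 query=www.example.com type=A"]
    print(check_dns_log(log, ioc_hosts(URL_IOCS)))
```

The package-only match is deliberately reported separately: the post shows the same package names being re-uploaded with slightly twisted code, so a changed hash under a known package is still worth a look.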

Sergio de los Santos
@ssantosv

Studying the trojan apps for Android used in Hacking Team leak

Florence Broderick    9 July, 2015
Between the information leaked these days about #HackingTeam, several trojan Android APK files have been found. A first approach with Tacyt shows interesting relations with legitimate apps, the ones leaked a few days ago, some leaked last year… and some other notable stuff.

We have studied some details of the leaked APKs. They were not public until this recent attack, and they were not detected by many antivirus engines until the leak. It is not the first time we have come across this company’s APKs. During the summer of 2014, some remote control Android apps were found to belong to HackingTeam, and they were used to spy on mobile devices.

A certificate for binaries in an APK: a waste and a mistake

To digitally sign an executable file in Windows, an Authenticode certificate is necessary. It may be expensive, between 200 and 500 euros a year, depending on the CA that issues it. To sign an APK, Android doesn’t require anything. It may be “self signed” and, therefore, free. And that is the way most developers work. In fact, in our database, fewer than 100 APKs (approximately 0.002%) use certificates signed by a CA.

The APKs from HackingTeam were signed with this certificate, which is also valid for signing executable files.

The three views of the Authenticode certificate used to sign the APKs

And the problem is not only the waste, but the exposure. These certificates have been known since early 2013, when the tools used by HackingTeam to spy remotely were discovered. These APKs were signed after that, in March. We already knew by then that the certificate had been used to sign malicious code (at least since February 2013, as this link states). An unnecessary mistake by HackingTeam.

The certificate expires in November 2015. As a side note, for the executable files the certificate is revoked and the signatures are not countersigned (timestamped); neither point makes any sense for the APK. That means that, even if it weren’t revoked, the executable signatures would stop validating in November 2015.

Binary file signed with the same certificate

What apps they were pretending to be

A quick search by packageName tells us which apps the trojans were imitating. These are some of the ones we found.

Some examples of legitimate apps used as a decoy for the trojans

All of them may be downloaded right now from Aptoide or Google Play (although in the latter you may only find the earliest versions). The topics are varied: from the Quran to spy cameras.

Legitimate apps used to create the malware

Obviously they differ from the good ones in several aspects.

Comparing the legitimate and the trojanized app

Many more permissions are requested, and a Google Maps link is always present in the code. We guess they locate victims this way.

All the HackingTeam apps keep a Google Maps link in them

We insist: these apps shown in their markets are innocuous, it’s just that HackingTeam uses them as trojans (in the more classic meaning of the word) to encourage or disguise the malware installation.

More notable facts

Both in this leak and in previous analyses of HackingTeam programs (like the one in the summer of 2014, where some trojanized APKs were discovered as well), we can see some features that could have allowed the early detection of these trojans (aside from the use of the same certificate). For example, all the APKs share a singularity: among their /assets/, they keep binary files named with a single letter.

HackingTeam Android malware contains this kind of files, with these singular names

Searching by this kind of file or some of these hashes, we found no other sample containing them in our databases.
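The two structural traits called out above, single-letter binaries under /assets/ and a Google Maps link embedded in the code, are cheap to check on any APK because an APK is a zip archive. The block below is an added example, not code from the post or from ElevenPaths: it builds a constructed stand-in archive in memory (the real samples are not reproduced here), then reports single-letter asset entries with their SHA-256 digests and a byte search for a maps.google.com / google.com/maps string in any .dex member. The exact form of the Google Maps URL in the leaked samples is not given in the post, so the pattern is an assumption.

```python
"""Triage an APK (a zip) for the structural traits described in the post.
Added example; the sample archive and the maps-URL pattern are constructed/assumed."""
import hashlib
import io
import re
import zipfile

SINGLE_LETTER_ASSET = re.compile(r"^assets/[A-Za-z]$")
# Assumption: the link is a plain maps.google.com or google.com/maps string in the dex.
MAPS_PATTERN = re.compile(rb"maps\.google\.com|google\.com/maps")


def build_sample_apk(with_indicators=True):
    """Constructed stand-in for an APK: a zip with the usual top-level members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        dex = b"dex\n035\x00" + (b"http://maps.google.com/maps?q=" if with_indicators else b"")
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/readme.txt", b"an ordinary asset")
        if with_indicators:
            zf.writestr("assets/a", b"\x7fELF constructed binary a")
            zf.writestr("assets/b", b"\x7fELF constructed binary b")
    return buf.getvalue()


def single_letter_assets(zf):
    """Names of entries directly under assets/ whose name is a single letter."""
    return sorted(n for n in zf.namelist() if SINGLE_LETTER_ASSET.match(n))


def asset_hashes(zf, names):
    """SHA-256 of each listed entry, so the files can be searched for elsewhere."""
    return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in names}


def dex_has_maps_link(zf):
    """True if any .dex member contains the (assumed) Google Maps URL pattern."""
    return any(name.endswith(".dex") and MAPS_PATTERN.search(zf.read(name))
               for name in zf.namelist())


def triage(apk_bytes):
    """Return the findings for one APK given as bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        assets = single_letter_assets(zf)
        findings = {
            "single_letter_assets": asset_hashes(zf, assets),
            "maps_link_in_dex": dex_has_maps_link(zf),
        }
    # Both traits together is the combination the post describes; either alone is a lead.
    findings["matches_profile"] = bool(assets) and findings["maps_link_in_dex"]
    return findings


if __name__ == "__main__":
    for label, data in (("indicator sample", build_sample_apk(True)),
                        ("clean sample", build_sample_apk(False))):
        print(label, triage(data))
```

On a real corpus the same functions run over files read from disk; the hashes returned for the single-letter assets are what you would pivot on, as the post does, to look for other samples carrying the same binaries.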

Some of the files shared by HackingTeam samples are a singularity for them

Finally, all the APKs in this leak (except one) were created “2013-04-09” roughly at 11:40, local timezone from the computer they were compiled in.

6 apps were created March, 9th, except one

Sergio de los Santos
Adolfo Hernández

New Tool: MicEnum, Mandatory Integrity Control Enumerator

Florence Broderick    9 July, 2015
In the context of the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and implemented in subsequent Windows operating systems. It adds Integrity Level (IL)-based isolation to running processes and objects. The IL represents the level of trustworthiness of an object, and it may be set on files, folders, etc. Believe it or not, there is no graphical interface for dealing with MIC in Windows. MicEnum has been created to solve this, and as a tool for forensics.

MicEnum is a simple graphical tool that:

  • Enumerates the Integrity Levels of the objects (files and folders) on the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps to detect anomalies in them by spotting differing integrity levels.
  • Allows storing and restoring this information in an XML file so it may be used for forensic purposes.
  • Allows setting or modifying the integrity levels graphically.

MicEnum scanning a folder

How does the tool work?

For now, the only way to show or set Integrity Levels in Windows is by using icacls.exe, a command line tool. There is no easy or standard way to detect changes or anomalies. As with NTFS permissions, an attacker may have changed the Integrity Level of a file in a system to elevate privileges or leverage another attack, so watching for this kind of change or anomaly is important for forensics or preventive actions.

The tool represents files and folders in a tree view. The integrity level of each file and folder is shown in a column next to it. When scanning a folder, the tool checks all Integrity Levels and, if any of them does not match its parent, it expands that folder. If you have expanded some folders and want to collapse the ones that are known to be the same again, just use the checkbox at the bottom. It hides the folders that are supposed to share the same integrity level.

MicEnum scanning a Windows registry branch

For setting new integrity levels, just use the contextual menu again and set the desired level. Do not change them if you do not know what you are doing. You may need administrator privileges to achieve the change.

The program allows to set different integrity levels

For forensic purposes, the whole “session” or information about the integrity levels may be saved as an XML file. Later you may restore it with this same tool. Once restored, icons are missing, and there is no chance to set new values, of course, since you are not using your “live” hard disk.

If a session is loaded, the different values are shown

All of this applies to registry branches as well, in the corresponding tab.

MicEnum is inspired by AccessEnum, a classic Sysinternals tool that enumerates NTFS permissions and helps detect anomalies.

MicEnum may be downloaded from: https://www.elevenpaths.com/labstools/micenum/index.html

Sergio de los Santos

Telefónica Trend Report: The PoS Malware threat in 2015

Florence Broderick    24 June, 2015
A few weeks ago in the United Kingdom, cashless payments overtook the use of notes and coins for the first time. This is the latest demonstration that, while worldwide cash still remains king, the balance is slowly changing. We present here a complete study of the state of the art of PoS malware, its evolution, figures and countermeasures. These are the main ideas from the report.

Although the smartphone has been the catalyst for the shift towards more secure mobile payments, credit and debit card transactions at point-of-sale (PoS) still remain the main entry point of consumer data into merchants’ information environment. Perhaps an obvious point, and one certainly not missed by cyber-criminals if the “mega breaches” affecting major U.S. retailers in the past few years are anything to go by.

Illustration of PoS malware breach headlines, 2002-2015

Targeting the weak link in PCI-DSS, cyber criminals have refined PoS malware, employing “RAM scraping” techniques to parse process memory on PoS terminals before card data is encrypted. It is now a mature cybercrime model, responsible for the majority of confirmed data breaches and feeding a booming underground marketplace. Focusing too much on the headline-grabbing breaches hides the fact that, from a frequency perspective, small and medium sized enterprises are most affected; criminals are after the money, not the headlines. Awareness has undoubtedly risen, and the average time between breach and detection appears to be narrowing, but the number of detections in Q1 2015 outstripping the previous two years is also a story of soaring propagation rates.

Frequency of incident classification patterns with confirmed data breaches

Industries with high card transaction volumes (particularly hotels and entertainment) in addition to the more obvious retail sector, are most at risk from PoS malware. The size of the U.S economy combined with the late adoption of EMV “Chip and Pin” technology ensures it will almost certainly remain the most targeted during 2015, and an attack surge within the target rich environment is possible before the October implementation deadline. Although even when EMV is implemented, data remains that enables fraudulent e-commerce transactions. In large enterprise, the drive for innovation at PoS can see security overlooked in favour of the consumer experience and integration with other business applications. Secure technology that would hinder PoS malware such as end to end encryption is often unrealistic for small and medium sized businesses to implement. Conversely, criminals are able to call upon a readily available and proven PoS malware codebase, unthreatened by obsolescence of a PoS data environment set to remain largely Windows XP based for several years to come.

Evolution of PoS malware variants

Technical analysis reveals heavy development occurring across a few key codebase variants, with some strains adopting nation-state level complexity and others stripping back and removing unnecessary overhead. The overall malware campaign, in particular the exfiltration of stolen data can be complex, and is often based on detailed network knowledge.

Figures in millions (pounds) of UK credit card fraud and countermeasure implementation date

While it is possible that large companies may be able to limit the impact of protracted “mega breaches”, the risk of smaller, more distributed breaches remains, and the upward trajectory of PoS malware in 2015 shows no sign of slowing. However, rather than being overawed in the face of the threat, it should be remembered that common PoS network intrusion methods, such as phishing and attackers using default passwords, are often targeted but nothing new.

PoSeidon logo and a phishing email campaign used to target PoS vendors

Ben Walton

"Incident Response Management": Attitudes of European Enterprises

Florence Broderick    19 June, 2015
We have recently sponsored a new research study conducted by Pierre Audoin Consultants, PAC, focused on “Incident Response Management”. The results detailed are compiled from a survey conducted among large enterprises in France, Germany and the United Kingdom.

The report provides key insights into the reality of security breaches and how enterprises are dealing with the current threat landscape. 67% of companies report that they were breached last year and all admit to having been breached at some point in the past. 43% of those companies rate the incident severity high or very high. With an average direct cost of €75k per breach, plus indirect costs associated with taking one to six person-months to recover from a breach, companies have to accept that breaches are inevitable and adapt their strategies accordingly to face this new reality. Not surprisingly, over the next two years companies expect a shift in their security budgets between traditional protect-and-prevent services and detection and response, from a ratio of 4:1 to 3:2.

The shift towards a proactive security strategy
We believe this trend will only accelerate and that incident response is an important element of a more proactive security strategy being employed by enterprises. This new threat landscape is reflected in the standardized security services within our portfolio designed to detect and mitigate security incidents, including Phishing or Malware, Brand Abuse, Pharming and the ongoing concerns associated with Customer Credential Markets. In addition we provide customised solutions and expert teams to help enterprises address advanced incidents, including forensic analysis.

We continue to invest in the development of our Cybersecurity services portfolio in order to provide enterprises with actionable intelligence to help them identify the impact of attacks on their business. This includes insight into the effects on their brand and reputation across their digital estate, including the internet, web portals and social networks, the detection of online fraud and the identification of threat actors, their motivations and attack methodologies.

Security technology provides an incredible amount of data. This drives a key challenge within the security industry: the need to rationalise this data and build a clear picture of what is occurring and what it means. Importantly, much of the relevant information lies outside the enterprise, because there is no longer a defined perimeter and because most of the threats are executed via the internet. It is crucial that we are able to provide insight into the current security landscape and clearly articulate the current status for enterprises. Not surprisingly, the PAC study details how companies are challenged by the lack of in-house threat intelligence skills, with 38% of security teams identifying this as their main source of concern.

Don’t just stand there, prepare!
Detecting an incident rapidly and effectively means that enterprises need to be ready. The need to prepare and the need to react are two sides of what is usually a single problem. When we consider the need to prepare for a cyber-incident response, it is clear that while incidents are outside our control, in that we cannot predict who will attack, when it will occur or what will happen, organizations should nonetheless expect an attack and be prepared to react appropriately. 86% of enterprises recognise this and, within the research, identified the need to be ready as central to their strategy. This proactive stance manifests itself in the form of implementing strategies that will help if and when the breach happens. This includes a Cyber-Incident Response Strategy or Plan that is maintained and tested: a crisis handling plan, roles and responsibilities post-discovery, communication plans, etc. By having these key items in place and creating controls that allow the discovery of incidents, companies are better prepared for an organized post-incident response.

To notify or not notify, that is the question
The new European regulation, with its inclusion of mandatory breach notification, is yet to be issued; however, companies are already exploring what this will mean for their businesses. 87% of respondents indicated concern with regard to this change. Responding to an incident is not only a technological challenge: it has a negative impact on a number of elements within any organization. The technological response mainly addresses the need to safeguard core aspects, including communication, both internal and external, minimizing business operational impact and ensuring continuity. Breach notification requires technological support that produces the right type of information in a reasonable timeframe, but it is also a communications challenge, to ensure that any public announcement is effectively managed. This is reflected in the responses captured: 71% of respondents raised this as a key concern, whilst 52% considered it a more important challenge than the technical issue. As the legislative initiative evolves, the need for enterprises to develop their cyber-incident response plans becomes paramount in order to be able to manage these issues. We believe this is why cyber-incident response plans are increasingly either linked to or even included in the business continuity plan. Many of the softer skills required to manage an incident will be the same regardless of the nature of the incident. As the market matures, and as understanding of cyber-risks and their importance for enterprises grows, Cybersecurity will come to be considered as just another source of risk, to be managed in a consistent way.

I’m in trouble. Can you help?
The final part of the report assesses outsourcing as a potential approach to addressing cyber-incident response. 69% of participants indicated that they have a combination of both internal and external staff dealing with security incidents. While initially this number appears surprisingly high, in retrospect, given that the severity, complexity and impact of incidents vary widely, it seems reasonable that companies adopt a human resources strategy which is flexibly designed to provide a range of capabilities in order to be ready for different types of incidents. This is especially relevant when considering that companies often utilise external resources to support the management of standard security incidents, which allows them to focus on more strategic security issues.

Once an organisation is aware of an incident, it is immediately concerned with its containment and resolution. A breach will not solve itself or simply disappear, hence its damaging effects continue to grow. This explains why respondents cite quality, speed and knowledge in preference to the more traditional reasons for outsourcing, which normally include cost or budgetary flexibility. We understand this important requirement and provide key performance indicators for the time taken to close an incident as part of our online portal for our cyber-incident response services.

Telefónica is both an ISP and an IP backbone provider, and we have extensive experience in managing security inside our global and national networks, as this is a core requirement for our business. We can leverage that experience, as well as our cloud and network assets, in order to deliver comprehensive managed security services. We believe that within Cybersecurity we can provide a comprehensive, end-to-end view of the security challenges facing enterprises, from the generation of threat intelligence through to incident response, where our experience and our network enable us to use network-based mitigation measures.

You can now download the study conducted by the consultancy company Pierre Audoin Consultants (PAC) and supported by Telefónica:

» Download the executive summary of the “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.

» Download the full study “Incident Response Management: How European Enterprises are Planning to Prepare for a Cyber Security Breach”.

Luis Francisco González
Twitter: @lfghz

"Alarmware" in Google Play: will not stop an alarm until you install another malicious app

Florence Broderick    12 June, 2015
At ElevenPaths, we have spotted a few samples of downloaders in Google Play that work in a very special way. The app hides its icon and installs a service that will download another application from a server. We have seen this before… but the interesting part is that, to make sure the downloaded app is installed, it starts a kind of alarm that goes off every few seconds until this new package from outside Google Play is indeed installed.

One of the offensive apps

We have found several live samples of a new variant of a downloader known as “Stew.B” that we covered a few months ago. But this time they work in a different, even more annoying way. They should perhaps be called “alarmware”.

How it works

The apps are supposed to be Minecraft or Clash of Clans guides, or even pizza recipes or weight loss advice. The analyzed app shows some ads and then simply removes its icon from the desktop, so the user is not able to launch it again. In the background, however, the app installs a service that will launch itself on every reboot.

Part of the configuration of the service

This service is ready to respond to two kinds of events: when the screen locks and unlocks, and when an app is installed or uninstalled. The service has a random function to calculate how many hours or minutes to wait, counted from the installation of the first application, before it visits the attacker’s server again and gets some instructions. Among them is the URL pointing at a package to be downloaded, which could be literally anything.

The program requests which new app to download and what message to show

Then this freshly downloaded APK starts and… it will really try hard to get installed, even if your phone is not configured to install from outside Google Play.

Basic scheme of the malware program
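One way a defender can triage apps for the pattern described above, added here as an example that is not ElevenPaths' or Tacyt's code: parse a decoded AndroidManifest.xml for the boot, unlock and package install/uninstall triggers the service reacts to, plus the permissions such a downloader needs. The sample manifests, the indicator sets and the scoring threshold are constructed assumptions, not values taken from the real samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Statically declarable triggers from the post: run on every reboot, react to unlock
# (USER_PRESENT) and to package add/remove. Screen on/off receivers are runtime-only.
TRIGGER_ACTIONS = {"android.intent.action." + a for a in
                   ("BOOT_COMPLETED", "USER_PRESENT", "PACKAGE_ADDED", "PACKAGE_REMOVED")}
# Permissions such a downloader needs: network, boot start, vibration for the nag loop.
SUSPECT_PERMISSIONS = {"android.permission." + p for p in
                       ("INTERNET", "RECEIVE_BOOT_COMPLETED", "VIBRATE")}

def manifest_indicators(manifest_xml):
    """Return (matched permissions, matched trigger actions) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for comp in list(root.iter("receiver")) + list(root.iter("service"))
               for a in comp.iter("action")}
    return perms & SUSPECT_PERMISSIONS, actions & TRIGGER_ACTIONS

def triage_score(manifest_xml):
    """One point per indicator; the full pattern scores 7 and merits a manual look."""
    perms, actions = manifest_indicators(manifest_xml)
    return len(perms) + len(actions)

# Constructed sample manifests (assumptions, not taken from the real samples).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <receiver android:name=".Starter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
```

The hidden launcher icon and the toast loop are runtime behaviour and do not show up in the manifest, so a high score is a reason to look at the code, not a verdict on its own.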

Many devices will have the security measure enabled: “do not install APKs from untrusted sources” (outside Google Play). So the attacker’s freshly downloaded program cannot be installed, and one of these screens will appear again and again.

APKs from outside Google Play are not allowed, and the telephone is not configured to use VerifyApps by default

And, with these screens being shown again and again, the user experience with the telephone becomes quite annoying. Using a trick with a toast component (the short notification text that appears when you connect to a new Wi-Fi network or receive any other important system message), it will keep popping up a message together with a very annoying sound, and even vibrating. If you cancel or go back, it starts again (sound and message), trying to convince you it is a Google Service update or something like that. This happens every few seconds. If the user already allows installing APKs from outside Google Play, or finally enables it because they cannot stand the sound anymore, this screen will appear.

Just before installing the downloaded APK 

The installation toast message and alert will keep on appearing and beeping again and again, even if the device is silenced. The text shown will be in the browser language (it was taken from the attacker’s server). It becomes very difficult to use the telephone normally anymore, unless you uninstall the original app (if you can, in the short time available between the annoying screen requests and sounds). It will keep annoying the user until the downloaded app is installed or the original app from Google Play is uninstalled.

If the user finally installs it, the alarm will stop, and there will be “two” Google Service programs… who will dare to uninstall any of them?

One of the Service Google Play is fake

Funnily enough, the application installed (the fake Google Service program) is just the same code as the original one again, which is weird. Presumably the attacker is testing, but this could change at any minute. This attacker is from Russia and used a similar technique back in March, but Google removed those apps.

Some apps of the same kind were removed back in March

A few weeks ago, the attacker managed to upload some other apps again. Some of them are still online. These are the ones we found thanks to Tacyt, as we have done before with JSDialers, JSSMSers, Clickers, Shuabang, etc.

  • Guide minecraft game, com.appalexk.mcs, 965559baa77650d9c6249626d33ad14c5210c272
  • Guide Minecraft Free, com.appalexk.aam, bde1502855e2d9912937906c1d85bec24b3b6246
  • Guide for Clash of Clans, com.appalexk.cofc, 30c4db4033478007a1bdc86a40e37b5cd4053633
  • Recipes Pizza, com.appalexk.pizza, a84197a150285f04aee1096e96374255ccf5c2aa
  • Гайд для Earn to Die, com.appalexk.dde

The APK downloaded from the server is (right now): a2123233d8d972b68c721c01c6ad1785d8189fb9

Sergio de los Santos

Juan Manuel Tirado

ElevenPaths with triple representation at the eCrime 2015 conference

Florence Broderick    26 May, 2015
This year, the Anti-Phishing Working Group organises the eCrime 2015 conference in Barcelona from May 26 to 29. This symposium on eCrime investigation is attended by professionals who have conducted interesting investigations in this area in 2015. ElevenPaths takes part with three different proposals.

Join the phishing dots to detect suspicious mobile apps

Carlos Díaz presents this study, which shows how, with the help of Tacyt and Sinfonier, it is easy to find apps on Google Play that make reference to other apps in alternative locations, representing potential “downloaders” or “adware”. The goal is to visually present the relationships between these “embedded” programs, the Google Play apps that reference them and their developers. By analysing the shape of these graphs, an analyst can identify patterns of embedded apps that could potentially be malicious.

Oh! the BIOS

David Barroso, CTO of ElevenPaths, will be talking about the BIOS, that component we have all heard of but whose operation we know nothing about. In theory, it is the ideal place for running malicious code, since it is the first thing that runs when we turn on a computer, and the perfect place for storing malicious code because (almost) nobody is going to look for something unusual there… Although there have been public investigations of BIOS infections for nearly 10 years, the topic became really popular with the #BadBIOS controversy and later with Snowden’s documents, giving rise to much concern on this issue. Research groups in several countries have for many years been investigating how to take control of the BIOS (or UEFI in the latest computers), and Snowden has shown that some countries are actively using this research in CNE operations.

Chasing Shuabang in App Stores

We will also present in detail the investigation we carried out in the lab in late 2014, which discovered a completely new malware model hosted on Google Play: Shuabang. ElevenPaths detected dozens of malicious apps hosted on Google Play that were intended for Shuabang, or BlackASO (Black Hat App Store Optimization). The malicious apps linked false accounts with the victim’s actual device, thus achieving very credible accounts. With these accounts, the attacker would send tasks to the victims so they would download new apps. The user’s account remained safe, but not their personal data on the phone. The attacker needed a database with more than 12,000 Gmail accounts to complete the attack, which represented a real novelty in the world of malware for Android.