Week in security with Tony Anscombe

On the implications of facial recognition for privacy and security – Data privacy tips for businesses – Red flags for cyberbullying. All this in Week in security.

How could having your face scanned whenever you sign up for a new phone increase your security further down the road? If you own a small business, read our tips for what data privacy tools you can implement at a low cost. Also this week, we highlighted some of the most common warning signs that your child may be a victim of cyberbullying. All this – and more – on WeLiveSecurity.com.

How to spot if your child is a victim of cyberbullying

What are some of the most common warning signs that your child is experiencing online harassment?

Cyberbullying is by no means a new phenomenon; in fact, the term was added to the Oxford Dictionary back in 2011. However, as technology permeates almost every facet of our lives, the threat of online harassment is becoming more and more prevalent. It is increasingly common for schoolchildren to own smartphones, which often go hand-in-hand with social media accounts. This hyper-connectivity combined with the anonymity that the internet affords means that kids are increasingly at risk of cyber-abuse.

Online harassment is continually reported to be on the rise, and one in three parents worldwide report knowing a child in their community who has been cyberbullied. This form of bullying can be even more damaging than in-person bullying and can affect victims long into their adulthood. That said, it is not always easy to distinguish between common childhood or teenage issues and potential signals that your child is being cyberbullied. To help, we have taken a look at several common warning signs that might indicate that your child is being targeted by a cyberbully.

Unexplained physical changes

The first thing to look out for is noticeable physical changes. While this isn’t a sure-fire sign of cyberbullying, if your child has suddenly lost weight or appetite, has trouble sleeping during the night, or looks stressed out in the morning, it is worth having a conversation about whether everything is okay.

School avoidance

Similarly, if your child is regularly pretending to be ill to avoid going to school, this could also be an indicator of a problem. Almost every child uses excuses to get out of school from time to time, but if it is becoming a habit, or if time off becomes long, there might be a more serious issue at hand, such as the fear of a conflict with a bully.

Mood swings

Keep an eye out for noticeable nervousness, sudden mood swings and snappy answers to your questions. These may be characteristics commonly associated with moody teenagers, and do not necessarily signal that your child is being harassed, but if mood changes are regularly accompanied by petulant responses and jumpy reactions, it might be time to check if everything is okay. Responses such as “good” or “fine” should not be taken as satisfactory by parents – they do not always mean that everything is good and fine.

Loss of interest

Next up is an abrupt loss of interest in a hobby or passion. Does your child love playing football or the guitar, but has suddenly lost all interest? This could also be a sign that somebody is giving them a hard time. Similarly, if your child begins distancing themselves from family and friends, this may be an indication that they are having a hard time.

Quitting social media

Lastly, watch out for your child suddenly quitting social media. In an age where young people invest a lot of time into building their digital presence, notably on social media, abruptly deleting an account should set off an alarm.

To wrap up, it can be very daunting for children to speak out about their experiences or admit they are being bullied, which is why it is important that parents are able to spot if their child is a victim of online abuse or harassment. Pay close attention to how your child is doing and, if needed, be ready to offer a helping hand.

To learn more about the dangers faced by children online, as well as about how technology can help, head over to https://saferkidsonline.eset.com.

6 Dec 2019 – 11:30AM

80% of all Android apps encrypt traffic by default

Google keeps pushing in its mission for broader encryption adoption

Android commands the lion’s share of the mobile operating system market. And with so many users under its wings, it should come as no surprise that Google has been doubling down on security.

In a blog post this week, the tech behemoth announced that 80% of Android applications in its Google Play store encrypt network traffic by default, using the Transport Layer Security (TLS) protocol. Google emphasized that the percentage is higher at 90% when considering apps that target Android 9 and later versions of the system.

To encourage this trend, both new apps and app updates must target Android 9 at the very least. If developers keep on meeting the standards required to be published on the Google Play store, the percentage is expected to keep on rising.

The company started enforcing these measures gradually in 2016 with Android 7 by introducing Network Security Configuration. In its latest release of Android Studio, it doubles down on security by alerting developers to potentially insecure configurations in their app. For example, it issues a warning if the app allows unencrypted traffic.

“This encourages the adoption of HTTPS across the Android ecosystem and ensures that developers are aware of their security configuration,” states the official blog.

But it’s not only in Android apps where Google has been pushing for traffic encryption. It has been driving websites to adopt the standard widely, as well as implementing it across its own sites and services.

As of May of this year, encryption was at 94% across its products and services, according to its Transparency Report. The only service that has been achieving “subpar” results with 92% encryption of traffic is its news service.

In October 2019, Google announced that its browser, Chrome, would gradually move to preventing insecure HTTP content from loading on HTTPS pages.

5 Dec 2019 – 03:41PM

Face scanning – privacy concern or identity protection?

What issues would face scanning attached to a mobile device resolve and, if used correctly, would it make the incursion into my privacy acceptable?

On December 1st, China’s regulation requiring people to have their face scanned when subscribing for a new mobile phone took effect. If you were not aware of this regulation, your initial reaction, like mine, could be that this is an infringement of privacy rights. After all, why does any government need to capture my face in relation to my desire to have a mobile phone?

According to a BBC News article, the Chinese government has stated that it wants to “protect the legitimate rights and interests of citizens in cyberspace”. When you combine the tracking of a person’s location achieved through a mobile device and now the facial scanning and recognition, then privacy advocates may have a point.

But let’s step back for a moment. The world is making an assumption that the data gained from the facial scan will be used in an inappropriate way, and maybe they are right. However, we should remember that it’s not technology that causes privacy issues – it’s the way technology gets used that can cause reason for concern.

What issues would face scanning/recognition attached to a mobile device resolve in my world as a consumer and would it make the incursion into my privacy acceptable if used correctly?

Phones as authenticators

Smartphones have morphed into an identity authenticator. Think for a moment about all the applications and services where you receive a code through SMS or via an app to validate that you are the person you claim to be. Step into a bank and ask for an increased ATM limit and they will send a code to your mobile at the counter to validate you are the real person you are claiming. This then raises the question that potentially you need strong authentication when subscribing to a mobile phone service in order to ensure that the authenticator belongs to the real person.

At the initial subscription of the service the issue may not be that apparent, but what about maintenance or changes to the subscription? Or, more importantly, what happens when someone attempts to take control of your phone service through a SIM swap and can then control your identity, at least in part?

The FBI have recently issued two separate alerts regarding SIM swapping, one related to cryptocurrency theft and the other an industry alert. In basic terms, a cybercriminal will walk into a phone shop with a fake ID (or simply call the carrier) and get the customer service representative to activate a new SIM card for the mobile number they need to control. They may even do it without an ID and use social engineering by knowing the home address and some other basic information about the subscriber that is freely accessible on social media or other public websites.

Once the new SIM is issued and activated, the criminal is able to receive authentication texts or to load apps and start impersonating the victim. Virtually all services – email, banking, social media and many others – use the phone as a password reset authentication device, making the options for the criminal endless.

Meanwhile, the victim is wondering why their phone stopped working, and those crucial hours that they waste hoping it will come to life again give the criminal the time they need to monetize their crime.

I recently tested the ability to get a replacement SIM and walked into a local branch store of my carrier’s phone network and asked for a new SIM due to a lost phone. I produced my ID, which stayed in my wallet and was in part covered up, and all the assistant really saw was my name, date of birth and my license number – this could easily have been a fake due to the lack of inspection or removal from the wallet. I got my new SIM within a few minutes, shockingly simple! Had my intention been malicious, I would have been in control of the very device used to validate the identity of the subscriber.

Now, let’s circle back to the Chinese face scanning regulation. If the technology is used to protect against SIM swap and identity theft by ensuring that the smartphone or, as discussed above, the identity authenticator, is only ever in the ownership of the true subscriber, then it would seem to be a very positive use of technology to protect the consumer. Would I subscribe and allow this level of protection? Yes.

5 Dec 2019 – 11:30AM

Notorious spy tool taken down in global operation

IM-RAT, which could be had for as little as US$25, was bought by nearly 15,000 people

Law enforcement authorities in a number of countries have broken up a cybercriminal operation that peddled a notorious Remote Access Trojan (RAT) capable of giving anyone with ill intentions total control over compromised machines, according to announcements by Europol, the United Kingdom’s National Crime Agency (NCA) and the Australian Federal Police (AFP).

If installed undetected, the insidious tool – dubbed ‘Imminent Monitor RAT’ (IM-RAT) – made it possible for the crook to “disable anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”, obviously all without the victim’s knowledge or consent.

The malware was sold for as little as US$25 via the now-removed website imminentmethods.net. As has been true in similar cases, IM-RAT was marketed as a legitimate remote desktop utility.

In all, the full-featured spy tool was bought by no fewer than 14,500 people in 124 countries, whereas victims are in the tens of thousands. Importantly, according to the NCA, with the IM-RAT infrastructure now taken down, the malware can no longer be used by the buyers.

The takedown notice on the now-seized IM-RAT website

“The IM RAT was used by individuals and organized crime groups in the UK to commit a range of offenses beyond just the Computer Misuse Act, including fraud, theft and voyeurism. Cybercriminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data,” said the NCA.

The clampdown was carried out in two stages. In June of this year, Australian and Belgian police raided the home of the tool’s developer and one of his employees. The second stage, which transpired last week, resulted in the arrests of 13 of the tool’s most prolific users in nine countries. A total of 85 search warrants were executed and more than 430 devices were seized.

The authorities were quick to highlight three of the most fundamental cyber-hygiene tips that go a long way towards keeping these kinds of threats at bay; so let’s reiterate them here – ensure that your operating system and software are always up-to-date, use reputable security software, and refrain from clicking on links or attachments in suspicious emails.

IM-RAT’s case brings echoes of similar global crackdowns, including that on another spy tool, called LuminosityLink, whose creator was later sentenced to 30 months in jail.

3 Dec 2019 – 05:40PM

5 personal (and cheap) data privacy tools that scale for business

Smart selections when starting small can ease the pain as you scale up your company’s privacy infrastructure

If, unlike enterprise customers, you don’t have six figures to spend, what are some things you can do to protect your data that can scale as your business grows? Even if you don’t plan on scaling to an IPO, but are looking for good, solid privacy tech on the cheap, here are five ideas to help.

Multifactor authentication (aka MFA)

You don’t have to go crazy here to get decent protection: a sub-US$50 hardware authentication device (typically USB/NFC) from a reputable manufacturer can really help you lock things down – and software choices abound as well. If your company goes public and you need something bigger and more complex, you can still use this technology at scale, and it’s very hard to hack.

Password management

Here the important thing is to PICK SOMETHING that has a good reputation for security. They’re normally cheap or free and you can integrate the well-known ones with larger systems, should the need arise down the road.

Email encryption

You don’t have to be a rocket scientist anymore; you can download free or cheap software like GPG that can be used to sign email communication, making it practically impossible for an adversary to spoof your email … or you can fully encrypt it, so an adversary cannot intercept its meaning … or both. If your email recipient receives an email supposedly from you and it doesn’t have a cryptographic signature, they should know something may be amiss.

Secure Wi-Fi router

You don’t have to spend much more than the cost of a cheap home router to get something that has really robust tools, good vendor support into the future, a good reputation for security and a wide user base. If you pick enterprise names and look for their less expensive router models, typically marketed for small business, they have security features you can scale with, and they only cost US$50-100 more than the lower-end one you were planning on getting anyway.

VPN

Encrypting your traffic by default is a good way to steer clear of prying eyes when your data is in transit. With modern virtual private network (VPN) software, it’s not terribly difficult to set up; some can even be set up to connect automatically when you power up. Again, look for a supplier that has a low-end option to what is normally considered an enterprise offering. Yeah, it may not have all the bells and whistles like integration with authentication through Active Directory, but later if you need it you have a chance of integrating something you’re already familiar with and using it simply by upgrading your license.

If you have some of these pieces implemented and have time to get familiar with them, you’ll already have a leg up if you have to scale. If you use them for personal use and later get a job with increased security requirements, they’ll be happy to know you’re already up to speed on these technologies. Even if they have different systems, there will likely be many similarities with what you already know. In the meantime, you’ll have more peace of mind without breaking the budget.

2 Dec 2019 – 11:30AM

Week in security with Tony Anscombe

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control

ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control. ESET security researcher Cameron Camp looks back at the key theme of the CyberwarCon conference in Washington, D.C. Top five scams to be on the lookout for this Black Friday and the entire holiday shopping season. All this – and more – on WeLiveSecurity.com.

Smartwatch exposes locations and other data on thousands of children

A device that is supposed to help parents keep track of their children and give them peace of mind can be turned into a surveillance device

Researchers at the AV-Test Institute have uncovered gaping privacy and security holes in the SMA-WATCH-M2 smartwatch that is designed to keep children safe and their parents feeling secure about their offspring.

The security lapses were so severe that the researchers were able to piece together a snapshot of the life and daily habits of a randomly selected 10-year-old child named Anna from Germany. Among other data, the Chinese-made device exposed the girl’s age, place of residence, where she spends most of her day, and the routes she takes. The researchers could even access the sound messages that were transmitted to her device. And that’s still not all – they were even able to monitor Anna’s real-time GPS position.

Obviously, the security shortcomings did not affect just that single device. The team said it could gain access to the location, phone number, photos and conversations of well over 5,000 children, and was quick to note the number of affected users might, in fact, be far higher.

How was this possible, I hear you ask? In addition to communication with the manufacturer’s server being unencrypted, the online interface of the manufacturer’s server was completely unsecured, leaving it entirely open to external unauthorized access. Although an authorization token was generated to prevent unauthorized access, the server does not check it, which essentially means that anyone with enough “hacking” skills should have no problem accessing user IDs. This allows potential attackers to have the same access that a parent would have.
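The flaw described above (a token is issued but the server never verifies it) shown beside a handler that does verify it, as an added example that is not the vendor's code or part of the original article. The handler names, the HMAC token format, the key and the location records are all assumptions constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
# Constructed records standing in for the data a parent's app would request.
LOCATIONS = {"child-1001": (52.52, 13.40), "child-1002": (48.14, 11.58)}


def issue_token(user_id):
    """Token handed to the parent's app at login, bound to one user ID."""
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def get_location_unchecked(user_id, token):
    """Behaviour as reported: the token is accepted but never looked at,
    so any caller who supplies a user ID gets that user's data."""
    return 200, LOCATIONS.get(user_id)


def get_location_checked(user_id, token):
    """Hardened form: recompute the token for the requested user ID and
    compare in constant time before returning anything."""
    expected = issue_token(user_id)
    if not isinstance(token, str) or not hmac.compare_digest(
        expected.encode(), token.encode()
    ):
        return 401, None  # missing, forged, or issued for another user
    if user_id not in LOCATIONS:
        return 404, None
    return 200, LOCATIONS[user_id]


if __name__ == "__main__":
    parent_token = issue_token("child-1001")
    # The legitimate parent can read their own child's record.
    print(get_location_checked("child-1001", parent_token))
    # The same token is rejected for a different user ID ...
    print(get_location_checked("child-1002", parent_token))
    # ... whereas the unchecked handler answers regardless of the token.
    print(get_location_unchecked("child-1002", parent_token))
```

Because the token is derived from the user ID, a valid token for one account does not unlock another, which is the property the unchecked server lacked.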

To sum it up, a device that is supposed to help parents keep track of their children and give them peace of mind can be turned into a surveillance device for bad actors. This lapse in security was found to affect users in Germany, Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands, and China. There is a possibility that the number of affected people may be well over the previously estimated 5,000.

As much as this case might look like a one-off security lapse, the reality is far from it. We covered a similar recorded event earlier this year. Hence we think it is always important to consider the pros and cons of using such a device.

29 Nov 2019 – 03:47PM

5 scams to watch out for this shopping season

Black Friday and Cyber Monday are just around the corner and scammers are gearing up to flood you with bogus offers

According to Adobe, consumers in the US are predicted to spend a staggering US$143.7 billion this shopping holiday season. Unsurprisingly, smartphones are expected to account for a significant part of the purchases made.

Shopping platforms will be dropping prices and offering deals aiming to unseat the competition. Far too often, what looks too good to be true will, in fact, be a scam designed to separate you from your hard-earned cash. For scammers ’tis the season to be jolly, since unaware shoppers are ripe to be ripped off. Honestly, if that shiny, new iPhone at half its regular price seems too cheap, it probably is. Here are some of the most common types of online shopping scams you should watch out for.

Scam ads

These are an evergreen classic not reserved just for the holidays. You can encounter them all year round, but during shopping holidays they come out in force. Fraudulent ads are usually spread through social media and, unfortunately, involve hacked accounts. Usually, clicking on such an ad will redirect you to a fraud site, which may be advertising fake goods. In the worst-case scenario, you might just download a malware payload to your device. Refrain from clicking on anything that seems even remotely suspicious and always check for signs of a scam, such as ridiculous prices, grammar mistakes or weird surveys.

Figure 1. Brazilian website promising to include you in a raffle if you fill out a survey

Fake websites

Fake websites come in many shapes and sizes, and during this part of the year con artists will try to leverage seasonal shopping. For example, it might appear that a reputable e-shop launched a separate domain to house its Black Friday or Cyber Monday offerings, but in fact, it’s just a scam. Or, you might just get hit with a homograph attack. It might sound like somebody is going to hit you in the face with a dictionary, but a homograph attack is what happens when adversaries register domains that are similar to the originals but use visually ambiguous characters. And, of course, these fake sites can often have their own, valid certificates that might further misdirect their victims.

Figure 2. An example of a fake website
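A defender-side check for the homograph lookalikes described above, as an added example that is not part of the original article: it decodes punycode labels, flags labels that mix scripts, and compares a confusable-folded form against a list of protected domains. The protected domain `example.com`, the sample hostnames and the small confusables table are constructed for illustration.

```python
import unicodedata

# Constructed subset of visually ambiguous characters and their ASCII
# look-alikes. A production check would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",                                # Greek
    "0": "o", "1": "l",                                          # digits
}

PROTECTED = {"example.com"}  # hypothetical brand domains being defended


def decode_host(host):
    """Lower-case a hostname and turn punycode (xn--) labels into Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave an undecodable label as it is
        labels.append(label)
    return ".".join(labels)


def scripts(label):
    """Scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold confusable characters to one representative for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def check_domain(host, protected=PROTECTED):
    """Return the reasons a hostname looks like a homograph, or []."""
    name = decode_host(host)
    if name in protected:
        return []
    reasons = []
    for label in name.split("."):
        if len(scripts(label)) > 1:
            reasons.append("mixed-script label: " + ascii(label))
    for brand in sorted(protected):
        if skeleton(name) == skeleton(brand):
            reasons.append("looks like " + brand)
    return reasons


# Constructed sample hostnames: the real one, two lookalikes, one unrelated.
SAMPLE_HOSTS = [
    "example.com",
    "\u0435xample.com",  # first letter is Cyrillic
    "xn--" + "\u0435xample".encode("punycode").decode("ascii") + ".com",
    "examp1e.com",       # digit 1 in place of the letter l
    "shop.test",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.encode("ascii", "backslashreplace").decode(), check_domain(h))
```

A hostname written entirely in one non-Latin script is not mixed-script, so the folded comparison against the protected list is what catches it.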

Bogus gift cards and coupons

Apart from jaw-dropping discounts, coupons are a popular way to reel customers in. That makes it a popular method for bad actors to bamboozle you. If you get enticed by the fake coupon and click on it, an installer can be downloaded to your device, which might install a banking trojan. A similar case was uncovered recently involving fraudulent McDonald’s coupons. Coupons and gift cards are usually distributed through the official channels of the company such as an app, so it’s best to stick to those. Any unsolicited coupons should set your spidey sense tingling.

Figure 3. A fake gift card example

Illicit discount or coupon apps

Alternatively, instead of receiving coupons by email, you may stumble upon Black Friday- or Cyber Monday-themed apps that are likely to appear on unofficial app repositories. These will have the same aim as all the aforementioned scams: prey on your trust and entice you with the promise of a great deal. Your best course of action is to stick to Google Play or the App Store. Most retailers tend to have official apps, but imposters have been known to sneak past the sentries into the walled gardens of platforms’ storefronts. So always pay attention to the app’s description, negative reviews and the permissions it requests.

Phishing attacks

Phishing attacks are one of the most widespread scams out there. For example, a criminal might send you an email posing as Amazon and telling you that there was an issue with your order. To proceed, they will ask you to provide your personal information, which may include your credit card number and home address, something you shouldn’t do under any circumstances. If you ever receive such a message, use the official channels of the company to check whether it really sent the message. So, keep your eyes peeled for thematic promotional emails that may ask you to fill out your personal information to claim your ‘prize’.

Figure 4. Have you ever seen a Louis Vuitton bag at such a steep discount?

According to ESET telemetry, of all the Black Friday-related emails you will get in one day, an average of 11% will be spam emails, which can very often be more than merely annoying. And these are just the statistics that were recorded a week before the Black Friday craze begins. So, be sure to read anything that piques your interest extra thoroughly and don’t let your guard down while you’re on the hunt for that perfect deal. Happy hunting!

28 Nov 2019 – 11:30AM

Cryptocurrency exchange loses US$50 million in apparent hack

UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks

Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach.

According to a statement by Lee Seok-woo, the CEO of the exchange’s operator Dunamu, around 342,000 ETH were moved from the platform’s ‘hot wallet’ to an unrecognized wallet today shortly after 1 p.m. local time. Client funds were not affected, said the South Korea-based cryptocurrency exchange.

The incident was also noted on Twitter by Whale Alert, a service that tracks major cryptocurrency transactions.

🚨 🚨 🚨 🚨 342,000 #ETH (49,848,273 USD) transferred from #Upbit to unknown wallet

Tx: https://t.co/HairAS3gee

— Whale Alert (@whale_alert) November 27, 2019

UPbit said that, in the wake of the incident, it moved all virtual coins to cold wallets. Cold-storing is a method used for the long-term storage of cryptocurrencies offline in order to reduce the likelihood of funds being stolen. By contrast, hot wallets are connected to the internet and used to carry out transactions.

The exchange has also halted all deposits and withdrawals and said that, in order to protect its clients’ virtual funds, the transactions will remain suspended for two weeks. The exchange said that it will cover the loss from its own funds. Additional details are scarce; notably, there’s no word on how the theft is thought to have taken place.

Launched two years ago, UPbit went on to become one of South Korea’s largest cryptocurrency exchanges. Just months ago, its users were targeted in a phishing campaign with a fake giveaway used as the pretense. Weeks earlier, another major South Korean cryptocurrency exchange, Bithumb, lost up to US$20 million worth of digital money in a suspected inside job.

Indeed, recent years have seen a string of cyberattacks against providers of infrastructure that caters to virtual currencies and their users, including high-profile thefts of people’s virtual money. Recent ESET research, too, discovered a range of mobile apps aimed at parting people from their cryptocurrency assets.

27 Nov 2019 – 05:06PM