Week in security with Tony Anscombe

With partner abuse increasingly going digital, we took an in-depth look this week at what needs to be done to stop the scourge of stalkerware

This week, ESET security researcher Lysa Myers took an in-depth look at what needs to be improved to stop stalkerware, as the problem of technology-facilitated domestic abuse grows. NASA disclosed a security breach that saw hackers steal sensitive data related to the agency’s Mars missions. Two cities in Florida that were recently struck by ransomware have eventually decided to pay the demanded ransom in hopes of retrieving access to their computer systems. All this – and more – on WeLiveSecurity.

Microsoft enhances OneDrive to secure your critical files

The new feature is intended to protect the kind of data that you hold particularly dear

Microsoft will soon add a new feature to its OneDrive cloud storage that is designed to ramp up security for your most sensitive files.

Dubbed OneDrive Personal Vault, this ‘partition’ of your OneDrive account will only be accessible using “a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS”, said Microsoft. Another option is to use the Microsoft Authenticator app.

[Two-step verification (2SV), also known as two-factor authentication (2FA), has been available on Microsoft accounts for several years now. Wherever you use the extra factor, however, you’re better off relying on other and generally safer 2FA methods than text messages.]

Importantly, the vault will automatically relock on your PC or mobile device after a period of inactivity. Similarly, files opened from the secure folder will close and lock after the timeout period. The locking interval will vary by device and can be set by you.

Source: Microsoft

The vault will be reserved for data that you hold particularly dear – copies of passports, ID cards, or other highly sensitive data. In addition, as Microsoft suggests, you can choose to use the OneDrive for mobile app to scan documents and shoot pictures or videos directly into Personal Vault. That way, you can avoid storing the files in less secure areas, such as your phone’s camera roll.

Of course, you can use the vault for any kind of files and even store all your OneDrive files in it, but then you’ll need to reauthenticate every time you wish to access one of the files.

If you use Windows 10 Pro, Personal Vault will synchronize your files to a BitLocker-encrypted portion of your local storage. “And like all files in OneDrive, the contents of your Personal Vault are encrypted at-rest in the Microsoft cloud and in-transit to your device,” said Microsoft.

The company says that files in your Personal Vault should be safe even if your computer or mobile device falls into the wrong hands or somebody breaks into your account.

Any files stored in the folder will be accessible on OneDrive.com, Windows 10 PCs, and iOS- and Android-powered mobile devices. The new feature is first set to roll out for Australia, New Zealand, and Canada, with the rest of the world to follow suit by the end of this year.

Beside the security improvements, Microsoft also announced two storage plan updates, including an increase in the amount of storage in its basic US$1.99/month subscription plan from 50GB to 100GB.

27 Jun 2019 – 05:22PM

Two US cities opt to pay $1m to ransomware operators

A few days apart, two cities in Florida cave in to extortionists’ demands in hopes of restoring access to municipal computer systems

To pay or not to pay ransomware attackers? Is it okay to pay? And if I do pay up, will the problem go away?

These have been some truly pressing questions not only for ransomware victims and, as the recommended reading section at the end of this article shows, we too have spilled quite some digital ink on answering them. (The short answer to the questions is ‘no’ but, for better insight as well as for reasons why they may not be the right questions to ask in the first place, you may want to navigate to the articles.)

But why bring this up now, anyway?

In recent weeks, two cities in Florida have found themselves in a similar quandary after their computer systems were struck by ransomware. As it turns out, they both decided to cough up some hefty money to the cyber-extortionists.

The first to fall victim, on May 29th, was the small city of Riviera Beach, where a police department employee opened a malicious email attachment, unwittingly unleashing mayhem on the city’s computer systems and effectively forcing its staff to turn to pen and paper.

Fast forward three weeks and, heeding advice from external consultants, the municipality’s officials authorized its insurance carrier to pay 65 bitcoins (close to US$600,000 at the time) to the cybercriminals in hopes of retrieving access to its computer systems, reads the New York Times report.

Barely a few days flew by before another municipality in the Sunshine State gave in to extortionists’ demands. Lake City – which has been reeling from a ransomware attack going back to June 10th – authorized the payment of 42 bitcoins (some US$460,000) on Monday, with the actual ‘transaction’ to follow on the next day, reads the report by the local WCJB-TV.

All but US$10,000 was covered from what city officials described as “a good comprehensive insurance plan in place that does cover this type of an incident”. The city is said to have made multiple attempts to get its systems unlocked and up and running again after the incident disabled all of its online systems. In fact, the city’s police department said two days after the attack that recovery was going well, but apparently the efforts came to nothing.

In either incident, there is no word on what kind of prevention or business continuity measures, if any (and notably backups), were in place or why they weren’t successful. Nor is it immediately clear if the post-payment recovery efforts have been successful.

According to a recent report by threat intelligence provider Recorded Future, state and local governments in the US reported 169 ransomware incidents between 2013 and April 2019.

Recommended reading

Ransomware: To pay or not to pay?
Ransomware: To pay or not to pay? (another article of the same name)
Ransomware: Should you pay the cybercriminals?
FBI: No, you shouldn’t pay ransomware extortionists
The cyber insurance question
The economics of ransomware recovery
Ransomware: Expert advice on how to keep safe and secure

26 Jun 2019 – 11:05PM

Stopping stalkerware: What needs to change?

What technology makers and others can – and should – do to counter the kind of surveillance that starts at home

Regardless of whose statistics you read, a disturbingly high percentage of women and men will experience intimate partner violence or harassment in their lifetime. Worryingly, technology is being used more and more frequently as a tool to coerce and intimidate victims, with social media, smart phones and smart home devices being among the most popular tools for these purposes. This will continue to be the case until we change how technology is developed and implemented.

One of the first articles I wrote upon joining ESET in 2013 was about how domestic violence survivors could help protect themselves. While I had helped friends defend themselves against ongoing surveillance by domestic partners before writing that article, I hadn’t realized until researching it how incredibly challenging it can be to deal with a more technically enabled abuser.

That article is also one of a very small handful of articles I’ve ever been asked to update with more current information, because the issue it describes continues to be such a huge problem for so many people. This is clearly not a problem that’s getting better without a much stronger effort on the part of a lot of different people, including anti-malware vendors.

Challenges

There are many challenging aspects to combating harassment, due in large part to the failure of legislation in keeping up with technology, as well as the failure of technology manufacturers in designing products to prevent misuse. This makes it hard for defenders to address these problems, which has allowed them to pile up.

Laws combating stalking and domestic violence have been woefully inadequate and slow in being adopted at all, much less enforced. As such, it should be no surprise that laws surrounding “digital versions” of these crimes are almost non-existent, and law enforcement all too often has little capability to pursue crimes committed over the Internet.

Manufacturers of legitimate devices and services that have not been designed to prevent misuse, which are then used to harass or stalk people, shrug their way past complaints of their products being used for harm. Companies that create products that are designed to monitor people in a way that’s legally acceptable (such as employee or child trackers) shake off questions about their products, when they are designed in such a way that they can also be used for questionable legal purposes (such as surreptitiously surveilling a spouse).

The existence of these legal grey areas has the knock-on effect of hamstringing organizations that seek to defend victims. It’s a whole lot harder to fight against something that’s probably legal, even if it’s being used in ways that are at least deeply unethical if not illegal.

Tools as weapons

If you’ve been through a security line in an airport in the last decade or so, you’re probably aware of the occasionally perplexing list of items that are prohibited in carry-on luggage. Objects that are designed as weapons, such as guns and knifes, are obviously prohibited. But sporting equipment, hand tools, crafting implements like knitting needles, and even large quantities of liquids are also prohibited on most flights.

Air travel is now one of those situations where public sentiment is generally in favor of very stringent methods of excluding access to potentially dangerous items, even when they’re considered innocent in 99% of our daily activities. Most people don’t use screwdrivers for harmful or illegal purposes, but the risk of misuse is considered too great when a bunch of people are locked into a metal tube at 35,000 feet, so we have collectively agreed not to allow access to these items while we’re in flight. But in almost every other situation, screwdrivers are totally unregulated, and you’d be hard pressed to find anyone who would argue that it should be otherwise.

Airports have set up special infrastructure that allows them to apply a higher level of scrutiny, where they can exclude items that are usually considered innocent. Outside the airport, you have to use different techniques to protect yourself against harm from traditional weapons as well as tools that can also be used as weapons.

For most people, during most of their lifetime, an appropriate level of caution dictates being vigilant against traditional weapons rather than being worried about the presence of hand tools or sporting goods. People who’re in the midst of a harassment or domestic violence situation, however, are entirely reasonable to consider the possibility of ordinary household items being used as weapons.

Paranoia as a powerful defense

Anti-malware vendors are in an interesting place, with their products being used by people in ordinary threat scenarios as well as by those who are in very extraordinary threat scenarios. Most people would find it somewhere between bothersome and extremely problematic to be warned about every bit of code on their devices that could be used for harmful purposes. There would be a lot of alerts if you were to be warned about the presence of every figurative screwdriver, frying pan, or baseball bat in your midst.

But it’s entirely reasonable for you to want those warnings sometimes, especially if the context of your situation warrants an extra degree of caution. Each company that makes a security product has to decide on what an appropriate level of caution is, for their customer base.

That decision is generally arrived at based on the specific capabilities or aims of their products, as well as using feedback from their customers. Each company strikes a balance so that people get the best level of protection, without being so inundated with warnings that they get alert-fatigue. And over time, that balance inevitably shifts as product capabilities and the threatscape changes.

One tactic that a lot of security companies have taken is to allow some customizability within their products. The default level of protection is what should be appropriate for the largest number of customers; you can tweak individual

Hackers breach NASA, steal Mars mission data

The infiltration was only spotted and stopped after the hackers roamed the network undetected for almost a year

The United States’ National Aeronautics and Space Administration, better known as NASA, suffered a security incident recently that saw hackers make off with sensitive data relating to the agency’s Mars missions, including details about the Curiosity rover.

The breach, which affected NASA’s Jet Propulsion Laboratory (JPL), went undetected for 10 months, reads a report by the NASA Office of the Inspector General (OIG).

“In April 2018 JPL discovered an account belonging to an external user had been compromised and used to steal approximately 500 megabytes of data from one of its major mission systems,” reads the report, attributing the intrusion to an Advanced Persistent Threat (APT) group.

But just as notable is how the breach occurred. It turns out that the hackers exploited a Raspberry Pi, which was attached to the JPL network without authorization, as a launch pad for getting inside and moving laterally across the network.

There’s no word on who was behind the intrusion or, indeed, who connected the diminutive, single-board computer, which can retail for as little as US$25, to the network [As it happens, today saw the unveiling of the device’s fourth incarnation].

What is abundantly clear, however, is that OIG wasn’t impressed with the space agency’s cybersecurity posture.

Dropping the ball

“Over the past 10 years, JPL has experienced several notable cybersecurity incidents that have compromised major segments of its IT network,” reads the scathing report.

And it doesn’t stop at that, going on to list a bit of a litany of shortcomings in NASA’s network security controls that put its systems and data at risk. “Multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cybercriminals,” according to the report.

This was also laid bare in the Raspberry Pi incident, which was partly enabled by “reduced visibility into devices connected to its [NASA’s] networks”. This effectively means that new devices added to the network weren’t always subject to a vetting process by a security official and the agency didn’t know the gadget was present on the network.

In addition, the audit noted a lack of network segmentation, which the hackers ultimately exploited to move laterally between various systems connected to a network gateway. The gateway gives external users and its partners, including foreign space agencies, contractors, and educational institutions, remote access to a shared environment.

Moreover, the audit found that security log tickets, which include applying a software patch or updating a system’s configuration, sometimes sat unresolved for more than six months. That’s despite the fact that system administrators had a maximum of 30 days to take corrective action.

Such laggard progress helped oil the wheels of the Raspberry Pi intrusion, as “one of the four compromised systems had not been patched for the vulnerability in a timely manner”.

Also affected were systems involved in NASA’s Deep Space Network (DSN). This ultimately prompted security teams from the Johnson Space Center, which manages the International Space Station, to disconnect from the gateway due to fears that “cyberattackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems”.

The report also noted that JPL had not implemented a threat hunting program to “aggressively pursue abnormal activity on its systems for signs of compromise”, relying instead on “an ad hoc process to search for intruders”.

The report outlined 10 recommendations, with NASA agreeing too all but one – to put in place a formal threat hunting process.

24 Jun 2019 – 10:28PM