WatchGuard Security Center

Exciting Blog Changes Just Around the Corner

Corey Nachreiner — Wed, 13 Jul 2016 15:38:55 +0000

I am excited to announce the upcoming launch of our redesigned and refreshed blog.

Over the past six years, WatchGuard Security Center has provided IT professionals with breaking news and analysis about the most important information security (InfoSec) issues. Our mission has always been to distill the often complex topics of computer and network security into something any technical professional can understand and act on. Our newly redesigned blog, Secplicity, takes this mission to the next level.

Our team has worked hard to create a faster, easier to browse, and more useful blog for everyone interested in information security—based in part on your feedback. On top of the design changes, you’ll also enjoy more regular content, both written and video, from a more diverse group of authors and researchers. We also plan to cater our content to your questions and feedback.

The new site goes live in the next 48 hours. When it does, we’ll automatically redirect WatchGuardSecurityCenter.com visitors to the new Secplicity.org site. Your email, WordPress, and RSS subscriptions should continue to work, but in the event that you stop receiving updates please visit the blog and re-subscribe.

We’re looking forward to many more years of InfoSec community service, and hope you continue to visit us for the latest security news and analysis, simplified.

— Corey Nachreiner, CISSP (@SecAdept)

July 2016 Patch Day – Daily Security Byte EP. 289

Corey Nachreiner — Wed, 13 Jul 2016 15:26:29 +0000

It’s that time again. Patch Day! On the second Tuesday of the month, both Microsoft and Adobe release their security updates. This month, you should probably focus on Adobe’s updates first. If you use Adobe and Microsoft products, watch the video below to learn more, and check out the reference section to find links to the patches.

(Episode Runtime: 3:16

Direct YouTube Link: https://www.youtube.com/watch?v=rsj41RqhyLs

EPISODE REFERENCES:

Microsoft July Path Day summary – Microsoft
Adobe’s security page with July’s bulletins – Adobe
Good summary of Microsoft Patch Day – Ghacks

— Corey Nachreiner, CISSP (@SecAdept)

Password Sharing Illegal? – Daily Security Byte EP. 288

Corey Nachreiner — Tue, 12 Jul 2016 15:51:23 +0000

In general, security experts like me are against sharing passwords, even among family and friends. Sure, we can all think of cases where sharing passwords with family might be useful, but why not just setup privileged accounts for those family members?

However, today’s episode isn’t about whether or not password sharing is a risk, it’s about whether or not it’s even legal at all. A US appeals court made a ruling on a case recently, basing their decision on the Computer Fraud and Abuse Act (CFAA). The EFF thinks it’s a dangerous ruling, that would have a far-reaching affect on the legality of password sharing. Watch Monday’s video to learn what I think.

(Episode Runtime: 4:46

Direct YouTube Link: https://www.youtube.com/watch?v=K1vpqFdTe7A

EPISODE REFERENCES:

EFF against going to jail for sharing passwords – EFF
Is sharing Netflix passwords a federal crime – Independent
US court shares password sharing anxiety – BBC
Wikipedia article on the case against David Nosal – Wikipedia

— Corey Nachreiner, CISSP (@SecAdept)

Backdoor in Pokemon Go – Daily Security Byte EP. 287

Corey Nachreiner — Mon, 11 Jul 2016 17:23:06 +0000

To keep Friday’s story fun, I covered an incident that involves both gaming and infosec. Attackers have already created a malicious version of the popular Pokemon Go app. If you’re an Android user trying to download Pokemon Go from non-official sources, this story is no joke. Watch below to learn more.

(Episode Runtime: 3:16

Direct YouTube Link: https://www.youtube.com/watch?v=Kt54wJ3gpsY

EPISODE REFERENCES:

Research blog post describing the backdoored Pokemon Go app – Proofpoint
Remote access tool found in Pokemon Go – Android Central

— Corey Nachreiner, CISSP (@SecAdept)

Fitbits Hack ATMs? – Daily Security Byte EP. 286

Corey Nachreiner — Fri, 08 Jul 2016 15:03:43 +0000

University researchers have shown how you can use the various tracking sensors in wearable devices to recover keypad passwords of their owners. Article headlines suggest attackers might user this to steal your bank PIN. Is this threat real, or science fiction? The answer is a mix of both. Watch below to learn more.

(Episode Runtime: 5:12

Direct YouTube Link: https://www.youtube.com/watch?v=N4yiI52Pxy4

EPISODE REFERENCES:

Your smart watch is recording your PIN – Wired
Wearables give away your password – Science Daily
ACM link to research paper [pay gate] – ACM.org

— Corey Nachreiner, CISSP (@SecAdept)

Watch Out for HummingBad Android Malware

Marc Laliberte — Thu, 07 Jul 2016 15:54:21 +0000

Security researchers at Check Point released their findings about HummingBad this week (pdf), after a five-month long analysis of the Android malware campaign. Since first discovered in February 2016, the malware has infected an estimated 10 million Android devices, earning its developer $300,000 a month in revenue from fraudulent ad clicks and app installs. While devices located in China and India make up a comparatively large percentage of infections, western nations like the United States and Mexico still have estimated victim counts of over 250,000 each.

The HummingBad campaign uses drive-by download attacks hosted on adult content sites to initially infect new victims. During infection, the malware attempts to obtain root access on the victim device by exploiting known Android vulnerabilities. If rooting fails, the malware instead creates a fake system update notification to trick users into granting it system-level permissions. During this rooting process, the malware also downloads several malicious components and apps which contain the actual malevolent functionality.

As mentioned earlier, HummingBad’s main intent is to earn revenue through illegitimate ads and fraudulent app installs. Device events such as booting, locking or unlocking your screen, and changing your network connectivity trigger the malware’s main process, causing it to display illegitimate ads that include a fake “close” button. Whether you click the ad or the “close” button, HummingBad’s developers earn revenue from the click. Throughout this process, the malware blocks you from returning to your home screen, making it very hard to avoid these evil ads.

While you’re inadvertently clicking these evil ads, another HummingBad process forcefully downloads and installs more unwanted applications on your device, helping earn the authors even more illicit revenue from something called “installation referrals”. Google Play includes mechanisms that share “INSTALL_REFERRER” information with app developers. This mechanism allows legitimate app developers to pay commissions whenever a customer buys or installs their app based on someone’s referral. The HummingBad malware includes a sophisticated process injection technique that can subvert the Google Play referral process. It can imitate clicks on the install/buy/accept buttons in the Google Play store, allowing the malware to simulate app installation referrals. The malicious process also can inject fake International Mobile Station Equipment Identity (IMEI) numbers during app installation, allowing the same app to be installed multiple times on the same device (which generates even more revenue for these criminals).

If forcing your device into an ad zombie wasn’t bad enough, HummingBad’s root capabilities potentially expose it up to even more foul play. With full system privilege, Attackers could easily leverage the army of HummingBad-infected devices to launch DDoS attacks or simply use its included functionality to load even worse malware onto infected devices.

Interestingly, Check Point’s report connects HummingBad to the Chinese advertisement and analysis company Yingmob—the same firm linked to the Yispecter iOS malware discovered towards the end of 2015. Yingmob applications, both legitimate and malicious, have an estimated installation base of 85 million devices according to the researcher’s findings. I find this very frightening since it puts Yingmob one malicious update away from creating a massive number of infected devices.

There are several steps you should take to protect your Android devices from becoming infected.

First, avoid rooting your device. While rooting can enable beneficial functionality, which is normally locked down by your carrier, it leaves you wide open to malware installed via drive-by download attacks.
Second, always keep your device updated with the latest available patches. By running the latest OS update, you limit the vulnerabilities attackers might exploit to install malware like HummingBad. That said, Google allows carriers to package their own versions of Android, and some carriers don’t use the latest Google Android versions. This means your device’s security may be more dependent on your carrier than the devices itself.
Third, never install applications from unknown sources. By default, Android prevents users from installing applications that aren’t available in the Google Play Store (sideloading). Disabling this prevention leaves you at risk of installing malicious applications like HummingBad.

HummingBad is just the latest in an increasing series of attacks against mobile devices. With an estimated 2 billion smartphones in use worldwide, the incentive for attack is already there. Users need to make sure they are prepared for the incoming onslaught. –Marc Laliberte

July Android Security Update – Daily Security Byte EP. 285

Corey Nachreiner — Thu, 07 Jul 2016 15:53:56 +0000

If you use Android devices, it’s time to update. Google released an Android update that fixes hundreds of vulnerabilities, including the Qualcomm chipset flaw that has been in the news lately. Watch today’s video to learn more, and update your Android device when you can. Also, check out Marc Laliberte’s post to learn about HummingBad, a prolific malware variant that’s affecting Android users.

(Episode Runtime: 1:55

Direct YouTube Link: https://www.youtube.com/watch?v=z4B7E8qfbFM

EPISODE REFERENCES:

Big Google Android patch fixes 100 vulnerabilities – PCWorld
Google’s July Android security update – Android.com
Android Qualcomm flaw affects millions of devices – Threat Post
Watch out for HummingBad android malware – WGSC

— Corey Nachreiner, CISSP (@SecAdept)

Eleanor Mac Backdoor – Daily Security Byte EP. 284

Corey Nachreiner — Wed, 06 Jul 2016 15:46:57 +0000

Many Mac users think they’re immune to malware, but unfortunately that’s untrue. Though Windows malware variants still greatly outweigh Apple ones, Mac malware is starting to appear more regularly. Today’s Byte video covers a new Mac trojan discovered by Bitdefender, and what you can do to avoid it.

(Episode Runtime: 3:04

Direct YouTube Link: https://www.youtube.com/watch?v=6K4lU6bcQ_w

EPISODE REFERENCES:

Research blog post about Eleanor Mac OS X trojan – Bitdefender
Technical paper on the Eleanor OS X Backdoor – Bitdefender

— Corey Nachreiner, CISSP (@SecAdept)

ThinkPwn: UEFI Vulnerability – Daily Security Byte EP. 283

Corey Nachreiner — Tue, 05 Jul 2016 20:44:15 +0000

The Unified Extensible Firmware Interface (UEFI) is the new type of firmware that replaces Basic Input/Output System (BIOS) firmware on PCs. Among other new features, UEFI supports security mechanisms like Secure Boot for Windows. Unfortunately, a researcher found a flaw in Lenovo’s UEFI that could allow attackers to bypass this mechanism. Watch the video to learn more.

(Episode Runtime: 2:21

Direct YouTube Link: https://www.youtube.com/watch?v=jlXtXG8YdKM

EPISODE REFERENCES:

News article on Lenovo firmware exploit – Network World
Cr4sh’s blog post on Lenovo UEFI flaw – Cr4.sh
ThinkPwn readme – Github
ThinkPwn Pr00f-of-Concept exploit – Github
Lenovo’s security advisory on firmware vulnerability – Lenovo

— Corey Nachreiner, CISSP (@SecAdept)

Critical Symantec AV Flaws – Daily Security Byte EP. 282

Corey Nachreiner — Fri, 01 Jul 2016 19:39:59 +0000

Tavis Ormanday, a well-known security engineer for Google, disclosed a number of critical vulnerabilities in some of Symantec’s endpoint security products. If you use Symantec or Norton’s antivirus (AV), watch the video below to learn how bad these flaws are, and where to find the updates. You can also stick around to hear what I think about vulnerabilities in security products in general.

(Episode Runtime: 7:13

Direct YouTube Link: https://www.youtube.com/watch?v=gWr_U2iH7-E

EPISODE REFERENCES:

Ormandy’s Project Zero Symantec disclosure – Google Project Zero
Symantec’s advisory on the seven AV vulnerabilities – Symantec
Project Zero discloses serious Symantec security flaws – Tech Target
Google researcher slams Symantec’s security – Uber Gizmo
Symantec woes exposes security gaps in AV – Wired

— Corey Nachreiner, CISSP (@SecAdept)