Tag: security

Ropemaker: a new email security weakness

Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing.

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

As described in more detail in a recently published security advisory, Mimecast has added a defense against this exploit for our customers and also provides security recommendations that non-customers can consider to safeguard their email from it.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing. As described in more depth in the ROPEMAKER Security Advisory, this remote control could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.
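As an added defensive illustration (not Mimecast’s code and not part of the advisory), the following Python filter shows the kind of check a mail gateway or client can apply: it finds and neutralises the remote CSS references (stylesheet links, @import statements and remote url() values) that let a message’s rendering depend on a server fetch, so the displayed content is fixed by the delivered bytes. The sample messages and domains are constructed for the example.

```python
"""Strip remote CSS references from an HTML e-mail body.

Added example (not Mimecast's or the advisory's code). The filter removes
the three common ways an HTML message can fetch styling from a server at
render time, so what the client displays can no longer change after
delivery. Regex-based: adequate for a gateway check, not a full HTML parser.
"""
import re

LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.I)
STYLESHEET_REL_RE = re.compile(r"""rel\s*=\s*["']?[^"'>]*\bstylesheet\b""", re.I)
REMOTE_HREF_RE = re.compile(r"""href\s*=\s*["']?\s*(?:https?:)?//""", re.I)
STYLE_BLOCK_RE = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.I | re.S)
STYLE_ATTR_RE = re.compile(r"""(\sstyle\s*=\s*)(["'])(.*?)\2""", re.I | re.S)
IMPORT_RE = re.compile(r"@import\b[^;}]*;?", re.I)
REMOTE_URL_RE = re.compile(r"""url\s*\(\s*["']?\s*(?:https?:)?//[^)]*\)""", re.I)


def scrub_css(css, findings, where):
    """Drop @import statements and replace remote url() values with none."""
    def drop(m):
        findings.append((where, m.group(0)))
        return ""

    def neutralise(m):
        findings.append((where, m.group(0)))
        return "none"

    css = IMPORT_RE.sub(drop, css)
    return REMOTE_URL_RE.sub(neutralise, css)


def strip_remote_css(html):
    """Return (sanitised_html, findings); findings lists each removed reference."""
    findings = []

    def drop_link(m):
        tag = m.group(0)
        if STYLESHEET_REL_RE.search(tag) and REMOTE_HREF_RE.search(tag):
            findings.append(("link", tag))
            return ""
        return tag  # other <link> tags (e.g. icons) are left alone

    html = LINK_TAG_RE.sub(drop_link, html)
    html = STYLE_BLOCK_RE.sub(
        lambda m: m.group(1) + scrub_css(m.group(2), findings, "style") + m.group(3), html)
    html = STYLE_ATTR_RE.sub(
        lambda m: m.group(1) + m.group(2)
        + scrub_css(m.group(3), findings, "style-attr") + m.group(2), html)
    return html, findings


def has_remote_css(html):
    """True if the message would pull any styling from the network when rendered."""
    return bool(strip_remote_css(html)[1])


# Constructed sample: a message whose rendering depends on three remote fetches.
SAMPLE_EMAIL = """\
<html><head>
<link rel="stylesheet" href="https://untrusted.example/style.css">
<style>
  @import url("https://untrusted.example/late.css");
  .safe { color: #333; }
</style>
</head><body>
<p class="safe">Please review the <a href="https://bank.example/login">portal</a>.</p>
<p style="background: url('//untrusted.example/bg.png')">Regards</p>
</body></html>
"""

# Constructed benign message: inline styling only, nothing fetched at render time.
BENIGN_EMAIL = '<html><body><p style="color: red">Hello</p></body></html>'

if __name__ == "__main__":
    clean, found = strip_remote_css(SAMPLE_EMAIL)
    for where, ref in found:
        print(f"removed from {where}: {ref.strip()}")
    print(clean)
```

Local CSS rules and data: or cid: references are left untouched, so legitimate formatting survives while anything that would be fetched at render time is gone.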

Changing this [image not reproduced] into this, post-delivery (without having direct access to the user’s desktop) [image not reproduced].

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? Certainly, attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry, let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!

by Matthew Gardiner for Mimecast


Cybercriminals could have access to hundreds of millions of Android smartphones’ data. This conclusion was reached after Check Point uncovered four vulnerabilities.

The security firm released a report that showed Android devices running Qualcomm chipsets are at risk from a threat dubbed QuadRooter.

The affected devices include smartphones from BlackBerry, Blackphone, Google Nexus, HTC, LG, Motorola, OnePlus, Samsung and Sony Xperia.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” says Adam Donenfeld, a member of the Check Point mobile research team.

The attacker would then potentially be able to control devices and could access capabilities such as GPS tracking, and recording video and audio.

The weaknesses were found in software drivers that come with Qualcomm chipsets.

“The drivers, controlling communication between chipset components, become incorporated into Android builds manufacturers develop for their devices,” the company said in the report.

“Pre-installed on devices at the point of manufacturing, these vulnerable drivers can only be fixed by installing a patch from the distributor or carrier. Distributors and carriers can only issue patches after receiving fixed driver packs from Qualcomm.”

After discovering the faults, Check Point let the chip manufacturer know in April.

Qualcomm confirmed to the firm it would release patches to the device manufacturers. It is then up to the manufacturers to send updates to smartphones already sold, and for end-users to install them.

“This situation highlights the inherent risks in the Android security model. Critical security updates must pass through the entire supply chain before they can be made available to end-users,” says Donenfeld.

Check Point has developed a QuadRooter scanner app that is available free on Google Play. Running it will tell users if these vulnerabilities exist on their device.

Smartphone models which could be at risk include:

  • BlackBerry Priv
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

While the vulnerabilities unearthed by Check Point are serious, Google has said it has an app pre-installed onto most affected devices that will automatically block a malicious app from being downloaded.
A Google spokesperson told Android Central: “Exploitation of these issues depends on users also downloading and installing a malicious application. Our Verify Apps and SafetyNet protections help identify, block and remove applications that exploit vulnerabilities like these.”

However, Android phones that do not come with Google Play Services installed will still be at risk.

The spokesperson also said Google has released a security patch that protects against three of the vulnerabilities and is working on a patch for the fourth.

Smartphone manufacturer BlackBerry has released a statement saying it is aware of QuadRooter and a fix for BlackBerry’s Android devices has been tested and pushed to customers.

Risky behaviour
Much has been done by partners to mitigate the vulnerabilities and protect the device owners.

Those most at risk will be users who side-load Android apps, by downloading APK files, or those who have disabled Google’s Verify Apps feature.

Side-loading apps is often used to acquire apps that are not available in certain regions, like the mobile game Pokémon Go and music app Spotify.

Check Point recommends downloading and installing the latest Android updates as soon as they become available, carefully examining app permissions before giving access, and avoiding app downloads from third-party sources.

By Lauren Kate Rawlins for www.itweb.co.za

Over half (59%) of women in South Africa value the photos and videos they store on their phones more than anything else on the device – compared to 43% of men, according to a survey by Kaspersky Lab and B2B International. However, despite over a quarter of women worrying about the online safety of these images, many still fail to implement even basic security measures.

The study globally also found that while women are more likely than men to share with others photos of themselves (48%) and of people they know (40%) – compared to 43% and 33% of men respectively – one of their greatest security concerns, named by 29%, is the safety of their pictures and videos should a cyber-criminal gain access to their device.

Locally, one in four women worries that these images and other information could be shared inappropriately or without their consent, causing embarrassment and hurt if sent to the wrong person (45%) or even damage relationships (41%).

Despite this, many fail to appreciate how vulnerable they are to possible cyber-attacks – just 25% believe they could be a target, compared to 26% of men. As a result they don’t implement safety measures to safeguard their treasured photographs or other sensitive information stored on their device. Unlike men, up to 16% of women locally admit they don’t protect their device with a password and 15% of women do not use any form of security solution at all.

This lack of understanding about risk is confirmed by the fact that in a recent global security quiz, 27% of women admitted that they do not back up their devices, thereby risking the loss of all their precious photos, videos and files if their device is stolen or damaged. Men are more prepared by comparison, with 80% of men agreeing that they back up their devices.

“It is not surprising that women use and value the information stored on connected devices differently from men. Devices play an important role in storing and sharing our happy memories and maintaining our relationships through email and text. Women worry more about the emotional impact on others should their devices be stolen or hacked. Celebrities aren’t the only ones to worry about what might happen if their private images were to be publically exposed. The only way to prevent this from happening is to take basic security precautions to keep what’s precious safe. We encourage women to start effectively protecting their devices to keep their precious information and photos safe,” says David Emm, principal security researcher at Kaspersky Lab.

In order to prevent cybercriminals from accessing images, videos and other precious data, files stored on digital devices should be protected by passwords and encryption. Files should also be regularly backed up so that if the device is stolen or damaged, they are not lost forever. If this data is shared or copied, it should be encrypted, so that even if it falls into the wrong hands, it will remain protected. Kaspersky Total Security – multi-device protects data on multiple mobile devices, allowing women – and men – to enjoy their mobile devices whilst remaining secure against cyberthreats.

In a piece of advice that seemingly contradicts everything else we’ve ever heard, GCHQ has recommended you should change your password less often.

According to the spy agency’s cybersecurity arm, forcing people to change their passwords regularly is ineffectual, because they are likely to choose a new password that is very similar to the old one.

They are also more likely to write the new password down, for fear of forgetting it. This increases the risk of the password falling into the wrong hands.

“Attackers can exploit this weakness,” says the Communications-Electronics Security Group (CESG). “The new password may have been used elsewhere, and attackers can exploit this too.”

Instead of forcing a changed password at regular intervals, it recommends organisations provide users with information on when their account was last activated.

GCHQ says sticking to the same password for a long time – unless it’s something like ABC123 – is a good idea.

The news comes as a new study into online privacy reveals that one in three Brits secretly know their partner’s passwords.

The survey by money-saving website VoucherCodesPro has revealed the UK’s attitude to trusting loved ones with our passwords.

It discovered that almost three quarters of us have looked through social media messages on someone else’s account without their permission.

The team responsible for the study polled 2,211 UK adults between 18 and 45 who have been in their current relationship for at least two years.

Initially, respondents were asked if their partner let them access their social media channels when they wanted to; 51% of respondents stated they did. Respondents were then asked if their partner had told them their password for social media channels; 21% stated they had.

Following straight on from this, all respondents were then asked if they knew their partner’s password without the partner being aware of it, with 34% stating they did.

Researchers asked these participants how they found out their partner’s password: 59% stated they ‘guessed’ it, 37% said they ‘keyboard watched’ and the remaining 4% asked their partner’s friends.

As to what those sneaky snoopers got up to once they’d accessed their partner’s accounts – the researchers provided a list:

  • Looked through social media messages – 74%
  • Looked through the photo gallery – 59%
  • Looked through emails – 54%
  • Looked through browser history – 46%
  • Looked through bank statements – 39%

George Charles, spokesperson for www.VoucherCodesPro.co.uk, made the following comments regarding the study:

“Being open with your partner is incredibly important and snooping at their social media channels or any private documentation just isn’t the way to achieve a healthy relationship,” said George Charles, a spokesperson for VoucherCodesPro.

“Knowing your partner’s password without their knowledge will only lead to trouble. It suggests you are looking for something and if you look hard enough, you will always find something to convince you that your fear is real.”

By Jeff Parsons for www.mirror.co.uk

Online shopping is a convenient way to find, compare, and purchase items in South Africa.

However, as security breaches increase and attacks grow more sophisticated, buyers need to take greater care with their personal and banking information.

Besides standard security precautions such as keeping your operating system, anti-virus, and browser up-to-date, you should also keep the following security tips in mind.

Watch out for scam specials
If you get a promotional e-mail from a retailer, even one you are familiar with, never click on a link – ever.

That’s the advice from Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

Levin said two problems could occur:

  • The destination the link points to could contain malware used to steal your passwords.
  • You could be directed to a clone site that looks like the retailer’s, which is used to harvest your identity and credit card details.

Levin said shoppers must go directly to a shop’s URL and avoid following links from promotional messages.


Read reviews
Before using a store for the first time, Levin said buyers must read independent reviews to ensure the site is reputable.


Check the security certificate
Shoppers should always check an online store’s security certificate.

This can be done by clicking the lock icon next to the site’s URL in the address bar.

You can also take this a step further and test a site’s Transport Layer Security (TLS) using a tool such as the Qualys SSL Labs server tester.

Using public Wi-Fi or computers
While TLS helps protect against the dangers of insecure networks such as public Wi-Fi, it is best to avoid shopping over public connections.

Similarly, users don’t know what software might be watching their activity on a public computer, so it is best not to use one when shopping online.

Re-using passwords
Another security mistake is using the same password on two or more Web sites.

Using a unique password for each site guards against an attacker needing only a single password to get into multiple websites where you have registered accounts.

Saving billing information
If someone gets their hands on your password for an online shopping site and you have saved your credit card information, they might be able to buy items with your money.

Sites which save card and CVV numbers are prime examples.

Digital voucher codes or gift cards are a popular purchase among attackers in this instance.

Source: www.mybroadband.co.za

Can you shop online safely?

In our modern society, shopping and the Internet go together like bacon and eggs. After all, why leave home when you could be eating said food items and shopping simultaneously? To this end, shopping online is one of the most convenient things that modern technology has brought to us.

What makes online shopping so attractive is that it is convenient and it is instant. But is it secure? Yes and no. Remember, online security is only as good as the amount of effort expended and the systems put in place by the merchant to ensure you enjoy a secure experience.

“In recent years, shopping online has become much more convenient via mobile payment solutions,” states Gregory Anderson, country manager at Trend Micro South Africa. “However it’s important to note that when you are dashing through multiple sites on the Web from the comfort of your armchair, your accounts and financial transactions could be compromised by countless prying eyes. Due to the nature of e-commerce and the thousands of options for online shops, it can sometimes be hard to tell if you’re dealing with a legitimate merchant or a bogus one.”

According to Anderson, shopping online bears the same perils as shopping in store. You as an individual can’t rely on the merchant to shoulder all the risk; you need to become just as savvy as you would be if you were shopping in modern-day Hillbrow. What’s more, while we are all keen to secure our credit card information, online shopping doesn’t just pose a threat to your credit details but to your general privacy too.

Now that data breaches and incidents of hacking and identity theft are becoming more common, online shoppers should protect themselves against likely attacks that could threaten their privacy. There are a number of different methods that can be used to invade a user’s privacy and, sooner or later, an unaware user is bound to run into threats such as phishing, online scams, spam, Internet fraud and malicious URLs.
Here are a few general tips on how to secure and maintain your privacy and security when shopping online:

• Double-check URLs – if you hadn’t already bookmarked your favorite shopping site’s payment page and still rely on typing in names, always double check the URL. Cybercriminals can easily replace payment pages and apps with fake ones. One way to tell if a site is secure is by checking the security lock indicator (HTTPS instead of HTTP). HTTPS is more secure.

• Use an official online shopping app – if you’re an avid mobile shopper, make sure to use the official online shopping app and avoid third-party apps for secure transactions.

• Always use strong and secure passwords – attackers can easily hack online accounts, including banking and social media accounts. Since these accounts contain sensitive and personal details, it’s important that you use unique hard-to-crack passwords across all devices and change them regularly.

• Use a secure network – if you’re using a mobile device to pay, make sure that you are using the official payment app, and that you’re accessing a secure and private network.

• Think before you click – being scammed online could translate to an eventual invasion of your privacy. Before you click on unverified posts, messages or ads, think twice and stay away from suspicious-looking offers. They’re most likely used as bait to lead you to phishing sites. Check with official sites rather than relying on social media posts.

“Shopping online can be safe. But just be alert and be aware. Web threats are no longer limited to malware and scams. Attackers know that the more you perform any online activities, the more you increase the risk of revealing information about yourself – especially when you’re looking to make a purchase. Searching for items alone could lead you from one Web site to another, which increases the chance of stumbling upon a malicious one.

“So set yourself a small regime of ensuring the above each time you enter a new site. If you can do that, you will almost be assured of shopping securely and with the peace of mind you crave,” Anderson concludes.

Very small businesses (VSBs) with fewer than 25 employees have the same rate of mobile device adoption as large enterprises. However, most VSBs lack the security awareness, technical expertise, and budget needed to properly protect company-issued or employee-owned (BYOD) mobile devices.

A Kaspersky Lab survey asked 3 900 IT professionals worldwide about IT challenges they encountered over the previous 12 months, and 34% of VSBs said they had managed the integration of mobile devices into their business.
What’s noteworthy is this rate is nearly identical to the rate of mobile integration reported by enterprises, which was 35%.

This means the smallest companies in the world are adopting mobile technology at essentially the same rate as huge companies with more than 5 000 employees. In fact, VSBs actually reported a higher rate of mobile adoption than small businesses with 26 to 99 employees, as well as large businesses with 1 500 to 5 000 employees.

VSBs reported 6% more mobile integration than small businesses (defined as 26 to 99 employees), and 2% more than large businesses (defined as 1 500 to 5 000 employees). These statistics certainly cast doubt on any perceptions that VSBs are confined to antiquated technology or slow to invest in IT.

Mobile technology may not be restricted to businesses based on their size, but there are other key factors to consider. Expertise and resources are the most obvious limitations of VSBs, which frequently don’t have dedicated IT staff to manage technology implementations.

These limitations may lead to a knowledge gap even amongst security-minded business owners. For example, 31% of VSBs listed “Securing Mobile/Portable Computing Devices” as one of their top-three IT security priorities for the next 12 months (a rate comparable to the 34% adoption rate from the previous 12 months).

But when asked about BYOD (bring your own device) policies, where employees use their own mobile devices for business purposes, the survey uncovered a perception-gap based on company size.

When surveying attitudes towards technology trends, 28% of VSBs agreed that BYOD introduces an increased IT security risk to their business. But large businesses and enterprises had a response rate that was nearly twice the VSB response, with 52% and 48% respectively agreeing about the risks presented by BYOD. Is it possible that VSBs are overlooking employee-owned mobile devices as a security risk?

This seems like a particularly troubling possibility, given that VSBs and their limited budgets are most likely to view employee-owned devices as a cost-saving measure and gladly welcome these devices onto their networks.

Common threats from employee-owned mobile devices include malware or rogue applications connecting to the company’s network via the employee’s device, or company data disappearing along with a lost or stolen employee device.

Realising that most VSBs lack the budget and technical sophistication for advanced mobile security solutions, small businesses can still use mobile technology – including employee-owned devices – without a huge investment of time or money. A mixture of common-sense and the right technology can go a long way to securing mobile devices, and help the owners of a start-up get back to running their business:

* Employee education – the first lines of protecting your business data are employees with security mind-sets. Make sure new employees know that if their smartphones or tablets contain workplace information, that device shouldn’t be subjected to unnecessarily risky usage habits (e.g., browsing questionable websites), and if the device is lost or stolen, it should be reported immediately to the employer, not days later.

* Basic anti-theft – an inexpensive piece of software that can remotely-wipe the data from missing or stolen devices is essential. Some devices offer similar functions built-in, and there are many third-party applications that can accomplish this task. But make sure an employee understands that if their device is wiped, that typically means any personal information on the device is deleted as well.

* Avoid complexity – a newly-created start up business with five employees can’t spend hours purchasing, deploying, and managing a business-grade security product that wasn’t built for their purposes. Avoid purchasing a larger product than the business needs, and stick to core mobile security features.

Small businesses looking to learn more about Kaspersky Lab’s mobile security technology can go to www.kapersky.com and read its Dummies Guide for mobile security and BYOD.

My Office News Ⓒ 2017 - Designed by A Collective

