Netizen Cybersecurity Bulletin: 7 November 2018
In this issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- How Secure Is Your Mobile Device?
- Apache Struts Vulnerability
- Self-Encrypting SSD Flaws
- Phish Tale of the Week
- How can Netizen help?
How Secure is your Mobile Device?
Smartphones are ubiquitous, in everyone’s hands wherever we go. Whether in the Boardroom, the coffee shop or at entertainment events, we rely on our phones to process and store reams of personal digital data. We check our bank balances, send personal or corporate emails, carry entire photo albums around, and diaries of our lives. CNBC has estimated that there will be more than 6 billion smartphone users in the world by 2020.
It’s easy to forget that your mobile phone is essentially a pocket-sized computer and that, just as with any device that can connect to the Internet, mobile phones are at risk of a cyber attack.
Fortunately, the risk of mobile malware is still relatively uncommon. However, the risk to those devices keeps growing. And as the advisories are always looking to cash-in on sources of data (i.e., money) reside, they are looking towards mobile devices. Securing your mobile phone should be a top priority, both for personal and business use.
- Mobile spyware: Spyware on a mobile device is not unlike that on a desktop. It can infiltrate seemingly benign programs and secretly monitor your activity, record your location, and steal sensitive passwords. Frequently, users grant an app permission to access this information when the app is installed. The classic example: does that Flashlight app need access to contact list?
- Mobile banking Trojans: Mobile banking malware masquerade as a legitimate banking app to lure users into installing it, only to steal their credentials.
- SMS malware: This form of malware will send costly text messages, often without the user noticing until they receive a huge bill at the end of the month.
How Your Mobile Phone Can Get Infected
The easiest way to infect your device is by downloading a malicious app. Hackers also exploit known vulnerabilities in an operating system, which is why you must keep your device up-to-date with the latest software patches.
Another way you might expose yourself to an attack is by connecting to a public WiFi hotspot. As public WiFi is usually unencrypted, attackers can intercept the data stream between the user and the access point.
Which is vulnerable, Android vs. iOS?
Short answer: Both!
Google’s Android holds dominance in the smartphone market but has a reported 19 million malware programs developed especially for that platform. A big reason for this is that multiple hardware vendors have varying methods of delivering Android updates, leaving the rest vulnerable.
On the other hand, Nevertheless, iOS is not entirely failsafe. The XCodeGhost attack that occurred in China in 2015 compromised more than 39 apps, including older versions of the popular WeChat app.
Earlier this week a friend showed me their Apple iPhone and demonstrated how by going to vote411.com they were being redirected a site that presented a false-positive virus alert.
While both Android and iOS platforms provide a “wall-garden” approach – requiring users to access apps from app stores controlled by Google and Apple, respectively – many users choose to jailbreak or root/enable unknown sources their devices, allowing the user to download apps from any website. While this makes apps available to the user that is not in the App store, the risks of installing infected software outweighs any benefits of that greater selection.
Tips for Securing Your Mobile Phone
Of course, the most effective way to protect your phone from malware is to take preventative steps to reduce the likelihood of contracting an infection in the first place.
- Be wary of public WiFi hotspots. Use a VPN whenever you are uncertain how secure the hotspot may be.
- Do not jailbreak or root your device Don’t defeat the built-in security provided by the smartphone vendors.
- Update your operating system Check for updates and ensure you have installed them
- Review your access permissions Often when consumers download new apps they don’t take the time to read the Terms & Conditions or consider what data they are allowing the app to access.
Keep cybersecurity in mind whenever you reach for your smartphone; your entire digital life will appreciate it!
Apache Struts Vulnerability
The Apache Software Foundation has released an advisory that the latest version of the Commons FileUpload Library is vulnerable to a two-year-old remote code execution flaw and that users must update their projects manually.
The bug found in the Common FileUpload Library is a known vulnerability (CVE-2016-1000031) that allows for remote code execution when using the open source framework, which is facilitated towards developing web applications in the Java programming language.
The vulnerability works by allowing an attacker to exploit a Java Object that can copy or write files on a server using the library. This can allow an attacker to take control of the affected system that is using the built-in file upload system of Struts 2.
It is highly recommended that any versions of Apache Struts at 2.3.36 or prior be updated immediately to the released version of the Commons FileUpload Library 1.3.3.
This vulnerability is similar to another critical remote execution vulnerability within the Apache Struts framework that led to the massive 2017 Equifax breach that led to the compromise of over 140 million Americans’ data.
Self-Encrypting SSD Flaws
Multiple critical vulnerabilities have been discovered in some popular self-encrypting Solid State Drives (SSD) that may allow an attacker to decrypt disk encryption, accessing protected data without even knowing the password for the disk. Successfully exploited models include:
Crucial: MX100, MX200, MX300
Samsung: 840 EVO, 850 EVO, T3 Portable, T5 Portable
The vulnerability is due to improper implementations of Advanced Technology Attachment (ATA) security and Trusting Computer Group (TCG) Opal, which are two specifications for the implementation of encryption with SSDs that utilize hardware-based encryption. Given that there is no cryptographic link between the SSD password and the data encryption key (DEK) an attacker could exploit and unlock these drives with any password by modifying the password validation touring in Random Access Memory (RAM) through a JTAG debugging interface.
BitLocker may not be the answer to encrypting your drive as well. Windows’ native BitLocker encryption method uses hardware-based encryption instead of software-based algorithms. Not all is lost, as you can force BitLocker to use software-based encryption in the following manner:
- Open the Local Group Policy Editor by entering “gpedit.msc” in the Run dialog.
- Head on to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.”
- Double-click the “Configure use of hardware-based encryption for fixed data drives” option in the right panel.
- Select the “Disabled” option there and click “OK” to save the new setting.
- Once suspend the BitLocker protection and re-enable it to make the changes in effect.
Other open-source resources exist too, such as VeraCrypt, which can encrypt your hard-drive just fine. VeraCrypt uses TrueCrypt software and is able to handle the encryption process on its own without relying on the SSD.
Since the discovery of the vulnerabilities, Crucial has released firmware patches for the affected drives, while Samsung has done the same for their T3 and T5 portable drives. For the EVO drives, it is recommended to install encryption software that is compatible with your system.
Phish Tale of the Week
Netizen captures many phishes each month, which we feature here. This week we have received an unsolicited email alerting us of a fax that has never occurred nor was asked for. The unprofessional look, such as with the formatting and long “From” and “To” fields are a giveaway as well.
A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
- Do not give out personal or company information.
- Review both signature and salutation.
- Do not click on attachments.
- Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
- Be wary of poor spelling, grammar, and formatting. As can be seen with the with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.