Wednesday, 16 October 2013
With the increased public availability of leaked/cracked DIY malware/botnet generating tools, cybercriminals continue practically generating new botnets on the fly, in order to monetize the process by offering access to these very same botnets at a later stage in the botnet generation process. In addition to monetizing the actual process of setting up and hosting the botnet’s C&C (command and control) servers, novice cybercriminals continue selling direct access to their newly generated botnets, empowering other novice cybercriminals with the foundations for further disseminating and later on monetizing other pieces of malicious software, part of their own arsenal of fraudulent/malicious tools.
Let’s discuss one such sample service run by novice cybercriminals, once again targeting cybercriminals, that’s selling direct access to mini botnets generated using what appears to be a cracked version of a popular DIY malware/botnet generating kit, and emphasize on the service’s potential in the broader context of today’s highly professionalized cybercrime ecosystem.
Sample screenshots of the actual (international) underground market proposition:
Sample screenshots of the botnets he’s already sold access to:
Such (international) underground market services demonstrate the ease of generating and operating beneath the radar in 2013, where the size of the botnet is proportional with the (indirectly) applied OPSEC (Operational Security), thanks to the fact that such mini botnets are usually perceived as smaller threats compared to sophisticated botnets causing widespread damage on a daily basis. However, it’s these mini botnets that comprise a huge percentage of the botnets operated by adversaries launching targeted attacks online, and it’s only a matter of time before the botnet masters behind them realize the market potential of geolocated hosts in a specific region/country of interest to their prospective customers.
We expect that the novice cybercriminals behind these services will continue capitalizing on the market potential for serving other novice cybercriminals, with their services starting to apply basic QA (Quality Assurance) processes, next to the logical evolution into one-time-stop-E-shops, like the ones we’ve already discussed and profiled in our previous research highlighting some of the current and emerging cybercrime trends in 2013.
Most of us are aware of the really big risks out there on the internet – sites offering “free” software, hacks for games, or pirated films.
But it’s perfectly possible to allow cybercriminals a foothold on your PC without visiting the darker districts of the web.
Tiny things such as using an admin account on your PC when you don’t need to can give cybercriminals their “way in”. Thankfully, a few simple changes can make you safer – wherever you browse, and whatever you do.Below are ESET’s tips for how to close off those last few “holes” you might have left in your trusty PC.
Promoting yourself to “admin”Most computer operating systems allow for several users on the same machine at once – but many of us opt to use just one with administrator privileges, ie . If you choose not to, you’re less vulnerable – malware may not be able to get a foothold, and most of us don’t need admin privileges ALL the time. ESET Senior Research Fellow David Harley says, “Log on to your computer with an account that doesn’t have “Administrator” privileges, to reduce the likelihood and severity of damage from self-installing malware. Multi-user operating systems (and nowadays, few operating systems assume that a machine will be used by a single user at a single level of privilege) allow you to create an account for everyday use that allows you less privileges than are available to an administrator.”
“Pimping” your browserIt’s tempting to think of your browser as a “window” on the web that you can personalize – but it’s a mistake. That window is the one cybercriminals will come in through. Don’t store passwords in your browser – or any info, if you can, and don’t download dubious plug-ins. “Plug-in” might SOUND different from downloading an executable file, but this year ESET detected several “plug-ins” with a hidden dark side. Keep your browser clean – and you won’t hand information to cybercriminals.
Ignoring boring little boxes
Any nagging warning that pops up when your PC turns on is probably important – even if it makes you hate Adobe and Java, update whenever you can. Do it manually if you’ve noticed that the nags have slowed down. The source code for Acrobat – Adobe’s document software – was recently stolen, and may well be in the hands of criminals. This could lead to fast-moving attacks against which there is little defense except to update fast, and ensure you have good AV software running. Likewise, ensure Windows Update is on, looking for updates, and installing them every time it turns on and off. These updates are rarely to add new functions – they’re to prevent cybercrimals “zombifying” your PC. Patch, patch and patch again – and just remember to untick that box that makes Ask.com your search engine when Java updates. Google is much better.
Having too many friendsWe’re told that this is the “social age” on the web – but cybercriminals are friendly guys too. Don’t befriend people you don’t know on Facebook – and if your Privacy settings are set to Friends of Friends, you’re effectively doing that already. Don’t post your phone number or email on Facebook – Facebook’s new Graph Search makes that information accessible to people you may not know.. Most importantly, though, don’t rush to click links – malware is increasingly delivered via social sites, and that shortened URL offering a hilarious video might well offer a not-so-hilarious Trojan. A detailed guide to “social” posts that you should distrust is here.
Trusting that “unbreakable” password
You might be the one guy who can remember a 52-character string of random numbers, letters and special characters – but that doesn’t mean you’re totally safe. The cybercrime landscape has changed a lot in the past few years – and with high-profile attacks on internet giants such as Adobe, LinkedIn and EverNote handing huge lists of encrypted passwords to cybercriminals, the worst risk we all take is using “real” email addresses and passwords across multiple sites. Any password can and will be decrypted. Use two-factor systems where you can – offered as an option by many sites, including Evernote. These won’t keep you 100% safe – but put another hurdle in the way of criminals. Cybercriminals sink the big ships first, sites such as Adobe – then go after the passengers. Once such lists are in the hands of criminals, they have the time and the technology to crack them – no matter what password you’ve chosen. When signing up to services such as these, use a “disposable” email address, and use a different password for each one – use a “password safe” such as LastPass if your memory isn’t up to it. For an ESET guide to making passwords as strong as possible, click here – it won’t keep your password safe forever, but it will slow the criminals down.
For many PC users USB keys must seem like a relic of a bygone age – but for security-conscious workers, keys can be a very safe place for data.
Porsche Design, of course, rarely put their name to anything that isn’t state-of-the-art – so a secure area within the new Lacie Porsche USB 3.0 key is protected by AES 256-bit encryption and password protection.It also offers 32GB of capacity and speeds of up to 95MB/s over USB 3.0.
While passwords, AV software and updated OS offer a good level of protection, a removable, encrypted drive is a good “extra layer” of defense. The Lacie/Porsche drive offers an encrypted area to store sensitive files.
It’s among the smallest on the market, according to Pocket-Lint, and clearly pitched at business customers.
“While on a business trip, users can conveniently access, securely store and easily share large documents or media files in seconds,” the companies said in a statement.
In a guide to keeping data safe, ESET Malware Researcher Cameron Camp writes, “ Your computer may interact with sensitive data but it does not need to store all of it right there in one place. Consider using encrypted removable media for sensitive data and carrying that separate from the computer. This way, if “bad things” happen, you’ll have much lower likelihood that the bad actors got off with critical information.”
The Lacie Porsche model – naturally – comes in steel with a scratchproof connector, and its creators claim, “melds design, performance and technology to give users a stylish accessory for any keychain, purse or briefcase.”More pertinently, its makers say, “LaCie’s Private/Public software protects confidential data stored on the LaCie Porsche Design USB key. Even in case of loss, theft or unauthorized access, files are secured with AES 256-bit encryption and password protection. And for added accessibility and off-site backup, theLaCie Porsche Design USB key comes with one-to-one capacity of Wuala Secure Cloud Storage for one year.”
“Porsche Design’s electronics series is an elite group of products that represent timeless design and influential technology,” says Dr. Juergen Gessler, CEO of the Porsche Design Group. “The LaCie Porsche Design USB key embodies that by combining high-speed performance with a compelling and usable design.”
A trio of men plugged keyloggers disguised as ordinary connectors into cash registers in a Nordstrom department store in Florida, and returned to collect days later, according to security blogger Brian Krebs.
According to Krebs, the gang used connectors designed to resemble common PS2 cables, “The fraud devices in this case resemble small keyloggers that are sold by dozens of stores for approximately $30 to $40 apiece. These hardware keyloggers are essentially Ps2 connectors that are about an inch in length.”Krebs points out that such devices – a PS2 connector with built in storage and transmission capabilities are freely on sale.
Placing such a device would have allowed criminals access to data for anyone applying for a Nordstrom credit card, plus any numbers typed in via the keyboard (for instance when a magnetic stripe reader failed), according to Ars Technica.
Krebs writes that the Aventura, Florida police report said that Nordstrom’s security footage showed the three men acting as a team, with two distracting staff, while another installed the keyloggers.
“The subjects then return at a later date to recover the devices and create fake credit cards for fraud,” the Aventura PD stated in a memo describing how the thieves would complete their scam. “The connector was made to match the connections on the back of the register to include color match. Therefore, no one would have detected it unless there was a problem with the register.”Nordstrom said that it was investigating, according to Krebs.
Russian cybercriminals already sell fake point-of-sale terminals, with gangs of criminals at the ready when a credit card number is entered – able, one security expert says, to “drain bank accounts” in three hours.
The $2,000 reader is offered as a “package” with a money laundering service built in.Shown off in a video leaked to tech site The Register, the card reader – looking very similar to models used in restaurants worldwide – is shown to “read” numbers including the PIN, which are then displayed on a computer screen.
In the video, the information is transferred via cable – but if the terminal is fitted with a SIM card, it can “text” the information direct from your table to teams of criminals. The device is offered as a package – alongside a “service” where teams of criminals use cloned cards to buy fake goods, demand refunds, then take the cash.
The video is used as a sales tool for the $2,000 device, which is sold on underground forums in Russia, according to The Register’s report.
Thieves can then strip a customer’s bank account in under three hours, according to Russian security investigators Group-IB.
In this blog post, we will describe a piece of software – detected by ESET products as Win32/Kankan – that recently attracted our attention because:
It registers an Office plugin with no Office functionalities, which serves solely as a way to obtain persistence on the system,
It silently installs mobile applications to Android phones connected to the computer via USB debugging,
It has been signed by a well-known Chinese company called Xunlei Networking Technologies, which is particularly noted for developing the most widely-used torrent client in the world.
We are going to first introduce the context around this program, and explain in particular why its discovery shocked many Chinese users, then we will provide an in-depth analysis of its functionalities and finally we will discuss the evidence that Xunlei Networking Technologies is implicated.
The story related in this article started last June when several complaints appeared on various Chinese forums about a suspicious program signed by the Chinese company Xunlei Networking Technologies. The news then spread rapidly and ended up in the headlines of many Chinese websites.
To understand such media interest, we first have to set the context, which is very likely unknown to most of our non-Chinese readers. Xunlei Networking Technologies’s main activity is the development of Xunlei, a piece of software whose purpose is to accelerate the download of various types of files (videos, pdfs, executables,…) – pretty much like Orbit Downloader –, and which is extremely popular in China.
To explain this popularity, it is worth mentioning how the tool works. Roughly summarized, Xunlei maintains a list of locations for each known file and whenever a user starts a download using its browser or torrent client, it chooses the best possible locations to maximize the download speed. To implement this process, Xunlei Networking Technologies has developed a complex software ecosystem, including a search engine for the shared files, a multi-protocol torrent client, and even a custom peer-to-peer protocol. For interested readers, an extensive study of the Xunlei network has been written by Dhungel et al. in 2012 and can be found here.
As previously mentioned, the program is extremely popular among Chinese people. A study published in 2009 by TorrentFreak even positioned Xunlei as the most used torrent client in the world, with more than 100 million peer IDs, while uTorrent peaks at 92 million peer IDs. On the other hand, the tool is almost unused outside China, which is unsurprising since there is no English translation of the official website, while the textual content of the tool itself has been translated only by amateurs. We can thus speculate that this China-only deployment is a deliberate strategy on the part of the company.
AnalysisThis background story explains the consternation among Chinese users when some of them found a suspect piece of software on their computer signed by Xunlei Networking Technologies. The certificate in question is shown below.
When we describe the program, you’ll see why it was considered suspicious.
The program comes as a Windows installer, usually named INPEnhSetup.exe, and based on the Nullsoft Scriptable Install System. Simply put, this means that the installer is an archive associated with an installation script. In this case the installer begins by contacting the hard-coded domain kkyouxi.stat.kankan.com to report the initiation of the installation. Then, it drops three different files onto the system: INPEn.dll, INPEnhUD.exe and INPEnhSvc.exe. Afterwards, the library INPEn.dll is loaded into memory and its DllRegisterServer function is called. Finally, the installer re-contacts the domain kkyouxi.stat.kankan.com to report the completion of its execution.
INPEn.dll starts by installing a copy of itself, named INPEnh.dll this time, as a plugin for Word, Excel and PowerPoint named InputEnhance. In order to do this, it creates Windows registry keys that will make Office applications use the INPEnh.dll library as a plugin (more details can be found here). Some of these registry keys can be seen in the graphic below.
We can observe that the LoadBehavior key is set to 3, which means the plugin will be loaded at each application startup. Interestingly, this is the only way this piece of software gains persistence on the system: every time Word, Excel or PowerPoint is launched, the library is loaded in memory as a plugin. Nevertheless, its presence is invisible to the user. More than that, it silently executes the following steps:
- Fetch the file conf.kklm.n0808.com/tools.ini, of which an extract can be seen below.
- Check whether one of the previously mentioned binary analysis tools
is running: if so the Office plugin promptly stops executing. The
current decoded list is shown below.
- It is worth mentioning that this list only contains analysis tools – and no security products – like the Windows task manager, OllyDebugger, and even a Wi-Fi network management tool. Hence the program is intended to avoid security analyst machines.
- Check if an Internet connection is active by contacting some common Chinese domain names, such as baidu.com and qq.com. When there is no Internet connection, it goes into a code loop that regularly checks whether a connection has been established.
- If all the previous checks are passed, the plugin sends various information to the StatServer, notably the Windows version and the application name (WINWORD.exe for example), and then executes INPEnhUD.exe.
So execution is continued by INPEnhUD.exe, which can be tersely described as an updater. In particular, it fetches the hard coded URL update.kklm.n0808.com/officeaddinupdate.xml, of which the current state can be seen below.
This XML file thus contains a list of file URLs with MD5 hashes. The updater then downloads each file, verifies the hash and, if it corresponds, executes it.
The attentive reader should have noticed that the URL in the previous image points to a program named Uninstall.exe, which is something we will explain later. Finally, the updater executes the third dropped file, INPEnhSvc.exe.
INPEnhSvc.exe, which will be called ‘the service’ in the following text, is the core of this three-program architecture. After performing the same test for analysis tools as we saw in the Office plugin, the service fetches an XML configuration file that can contain seven commands, each of them with a number of parameters. These commands can be divided into two groups:
local commands: scanreg, scandesktop, scanfavorites
outsourced commands: installpcapp, installphoneapp, setdesktopshortcut, addfavorites, setiestartpage
As the name implies, the local commands are implemented in the service itself: scanreg looks for a specific registry key and reports its presence or absence to the StatServer, whereas scandesktop and scanfavorites search for shortcut files (.lnk extension) and network link files (.url) respectively in the Desktop and Favorites folders.
On the other hand, when an outsourced command is received the program communicates with the Office plugin, which is the one responsible for executing it. This communication passes through a configuration file named tasklist.ini that contains three different sections: Doing, Done and DoneByDate. Also, both binaries contain a list of unique identifiers (GUIDs), each of them being associated with a task. More precisely, the communication process is as follows:
When it receives an outsourced command, the service simply writes the associated GUID in the section Doing with its parameters (URLs, …).
During its task management loop the Office plugin reads the GUID, then checks that this GUID is not present in sections Done and DoneByDate of the file tasklist.ini. If the GUID is only in section Doing, it executes the associated program logic.
Once finished, the Office plugin writes the GUID in the section Done. Moreover, the GUIDs for the commands installpcapp and installphoneapp are also written in the section DoneByDate. This is probably done in order to re-execute regularly these commands.
The whole architecture is summarized below, with blue rectangles representing processes, and yellow ones representing files.
The names of the outsourced commands are self-explanatory and no more details are necessary, except of course for the surprising installphoneapp command.
As the name implies, the command installphoneapp makes the Office plugin download an Android application (an APK file), which is then installed on any Android devices connected to the computer. In order to do so, the service first downloads the Android Debug Bridge (ADB) binary – which is part of the Android SDK – plus the libraries this program needs. Next, the Office plugin downloads the APK files whose URLs were provided in the XML commands file. Finally, it lists the Android devices connected to the computer with the ADB command devices, and then installs on each of them the APKs with the command install.
Nevertheless, this installation will only work if the Android device has USB debugging enabled, which can be done in the phone settings menu. Officially this feature is intended for development purposes only, but it is also commonly needed by certain types of applications (like screenshots app), and by most techniques to root Android phones or install custom ROMs. It is worth noticing that with this installation method the user will not see the usual Android permission screen on his phone. In other words, the applications will be silently installed on any connected Android phone with USB debugging enabled.
During our investigation, the Android applications were no longer being downloaded, for reasons that will become clear at the end of this post, but we were able to find four of them on some Chinese security forums. The main screen of these applications can be seen below.
The last one, still available on Google Play at the time of writing, allows the user to make phone calls at so-called advantageous rates. Nevertheless, it exhibits some suspicious features, like regular contacts with URLs known to distribute adware for Android phones. This application is detected by ESET as a variant of Android/SMSreg.BT, which is a Potentially Unsafe Application.
Overall, the motivation behind the installation of these particular mobile applications remains unknown.
Epilogue: Xunlei Networking Technologies’ confession
The final question we have to address is the role of Xunlei Networking Technologies. Not only were the binaries signed with their certificate, but the domain kankan.com, whose subdomain is used as StatServer, corresponds to the company’s video-on-demand service. So there is little doubt about the company’s implication in the production of this piece of software.
In last August, in reaction to the users’ complaints, the company officially admitted during a press conference that some of their employees have used the company resources to create and distribute this program. The company’s explanation is that it was made by one of their subdivisions, without the company’s agreement. They claimed to have fired the people responsible, and apologized publicly.
This is in accordance with the fact that an uninstaller – signed by the very same company – has been provided since the beginning of August. In particular, any infected computer will download it, thanks to the updater. According to our analysis, the uninstallation works correctly, and removes all the program’s artifacts. Moreover, all the domain names still up are just doing the minimal work necessary in order to allow the uninstaller to execute. The end of Kankan’s distribution can also be verified with the daily number of detections by ESET during August and September, which is shown below.ESET VirusRadar system.
Without surprise, China has been the only country significantly touched by this piece of software.
The use of a fake Office plugin to gain persistence, the ability to silently install Android applications, and the backdoor functionalities, confirm the validity of the concerns of Chinese users and explains why ESET detects this program as malicious, under the name Win32/Kankan.
There are still some open questions, like the original infection vector and the exact reason the Android applications were installed. Finally, the degree to which Xunlei Networking Technologies were implicated is hard to tell from the outside. On a side note it is surprising to remark that, as far as we know, not one non-Chinese website has ever mentioned this story.
Thanks to Jean-Ian Boutin, Sieng Chye Oh and Alexis Dorais-Joncas for their help while analyzing this malware.
Android ApplicationsA439B1EA45769EC2FA0EFC4098EC263662EF40AE (market)
C6013DE01EC260DC5584FAA2A35EF0580B3BDC89 (phone calls)
Some models of the popular routers made by D-Link contain a “backdoor” which could allow a remote attacker access to settings and private data, a researcher has warned.At time of writing, D-Link has not responded to the post by researcher Craig Heffner, and has not issued a patch for the backdoor.
Craig Heffner, a security researcher, and former employee of the National Security Administration, claims that the backdoor appears to have been placed deliberately – and could allow attackers access to unencrypted data.
Heffner says on his blog, “You can access the web interface without any authentication and view/change the device settings.”All an attacker needs to do is change their user agent string to “xmlset_roodkcableoj28840ybtide”, and no password is required, Heffner says. The reason Heffner suspects it was left deliberately is that the string appears to be signed by “Joel”.
The code which could allow access was found on a Russian cybercrime forum, according to Heffner, which suggests it has been known about for some time, according to a report by PC World.
Commenters on Heffner’s site claimed to have tested the vulnerability successfully, which affects models including,IR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units, as well as some routers from Planex and Virgin Media, according to The Register.
Heffner used the search engine Shodan to find affected models – a search engine which allows users to “find” connected appliances such as routers and fridges.
“My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically,” Heffner wrote.“Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something.”
”The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, ‘Don’t worry, for I have a cunning plan’!”
Earlier this year, Heffner found a vulnerability which could allow attackers to control security cameras – including those made by D-Link – which was shown off at the Black Hat conference in Las Vegas.
Heffner found “zero-day vulnerabilities” which would allow attackers to control cameras made by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Those are used in homes as well as businesses, Heffner saidHeffner described the scope of the vulnerabilities as allowing “Hollywood-style” attacks – referring to the manipulation of video feeds commonly seen in heist movies.
“Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities,” Heffner said.
Governments around the world are recruiting “cyber warriors” to fight against the growing threat of both cybercrime and state-sponsored attacks – but there aren’t enough experts to go round.A report by the Reuters news agency said that forces such as the Pentagon’s Cyber Command and Britain’s new Joint Cyber Reserve have created a demand which cannot be met.
“As with anything, it really comes down to human capital and there simply isn’t enough of it,” says Chris Finan, White House director for cyber security from 2011-12, said in a Reuters report.
“They will choose where they work based on salary, lifestyle and the lack of an interfering bureaucracy and that makes it particularly hard to get them into government.”Government jobs are simply not attractive enough to lure trained professionals, a report by TechEye suggested.
The UK’s Joint Cyber Reserve was set up to protect critical computer networks from attack – “if necessary, to strike in cyberspace,” Britain’s Defense Secretary Philip Hammond said, and will recruit from both military and private sectors.The US Defense Department Cyber Command moved this year from “cyber defensive measures” into a “fully-operational Internet-era fighting force” with close to 5,000 troops and civilians at its disposal. The Cyber Command is recruiting 4,000 staff
Other countries such as Brazil and Indonesia have also announced new “cyber” divisions. Although many of these forces are military, many countries have announced that the divisions will work alongside private-sector companies.
A former White House official said earlier this year that governments needed to act, to prevent damage to the global economy.
“We have made cybersecurity one topic when it is many. Countries can’t see eye-to-eye on what is most important and what needs to be done first,” said Melissa Hathaway. Hathaway was Director of the Joint Interagency Cyber Task Force under George W Bush, and also worked for the Barack Obama administration.
“We need to start to talk about this as gross domestic product loss, and the instability of the financial institutions we are all dependent on as a global economy,” Hathaway said in an interview in Tel Aviv.
The problem, according to Reuters, is that the private sector often offers better salaries and working conditions. Government officials have said that budgets are to increase – but others complained that they are not increasing fast enough.America’s President Barack Obama recently proposed to increase Defense Department spending on cyber security to $4.7 billion – a rise of $800 million.
Most smartphones today contain an accelerometer – without them, the latest fitness apps don’t work – but a Stanford researcher has shown that the sensor can be used to “fingerprint” a device, or even track it. The information could easily be misused by rogue advertisers, he warned.
Each sensor is unique, and can be used to “fingerprint” a device, for targeted advertising or even tracking. The speakers and microphones in smartphones can be used in the same way.Every accelerometer is different, Hristo Bojinov says, and merely using the device – he demonstrated this by turning over a Galaxy Nexus – gives out a unique set of numbers which can remotely identify the phone, according to an SFGate report.
Bojinov said he was concerned that the information may already be being used by unscrupulous advertisers.
“Code running on the website in the device’s mobile browser measured the tiniest defects in the device’s accelerometer—the sensor that detects movement – producing a unique set of numbers that advertisers could exploit to identify and track most smartphones,” Phys Org reported.
Malicious apps designed to deliver unwanted advertising are already common on Android – when cybercriminals “fool” users into downloading useless apps, the apps are often built to serve up adverts, as was the case with a fake BBM app earlier this year. If sensors in smartphones hand out identifying data, the devices could be an even more attractive target for advertising malware.
The speakers and microphones in smartphones can also “betray” devices, Bojinov says- giving out identifying information, which could be misused by advertisers or cybercriminals. Bojinov demonstrated how speakers and microphones could be used to “identify” phones by the unique way they play and record certain tones. Information Week said that Bojinov hoped that smartphone manufacturers might find a way of safeguarding such data.
“People need to consider the whole system when they think about privacy,” said Bojinov, saying that he would not be surprised if some advertisers had already discovered and used such techniques.
Most of us are pretty web-savvy: when an email arrives saying we need to enter our bank details, we think, “Oh, please!” – and don’t click.But cybercriminals don’t rest – and new techniques can sometimes fool even veteran PC users.
From legitimate companies delivering software with a “side-order” of malware, to PC attacks that persuade you to infect your own phone, here are some of the latest traps laid by cybercriminals.
As ever, you don’t have to become a victim. Ensure all your software is up to date – from Windows to Flash to Java to your browser – think carefully before installing anything, whether it’s an app or a browser plug-in, and use good AV software for maximum security.
The poisoned plug-in
Browser plug-ins are something many of us install without even thinking – but this year has seen a surge in plug-ins with hidden, malicious functions. Orbit Downloader, one of the most popular video downloaders for YouTube, was found to have a hidden “dark side” – working to attack other websites with DDoS attacks, using unwitting users’ PCs.
“Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks,” says ESET Distinguished Researcher Aryeh Goretsky.
After ESET’s report, Orbit was withdrawn from several sites. To stay safe, use plug-ins only when absolutely necessary, only install plug-ins from reputable stores – and check the reviews first.
The PC attack that poisons your phone
Persuading Android users to download malware is not hard – but cybercriminals have also created PC malware that “poisons” phones connected to it. Win 32/KanKan “silently installs mobile applications to Android phones connected to the computer via USB debugging” according to ESET researcher Joan Calvet.
More sinisterly, the Hesperbot Trojan attempts to bypass banking security, according to ESET researcher Robert Lipovsky – by persuading them to install fake bank apps. “The aim of the attackers is to obtain login credentials giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone.”Your bank will never ask you to “update” an app in this way – any necessary updates will be done via an official store such as Google Play – so if you see your bank’s website offering a link, beware. If new apps do appear on your phone without warning, delete immediately, consider a factory reset on your phone- and check your PC.
The Bitcoin burglar
Bitcoin made the news this year – with ATMs allowing users to withdraw their cryptocurrency as real currency, and bars that would accept payments in Bitcoin. But sites such as the online drug mart Silk Road also highlighted the “dark side” of such cryptocurrencies – and cybercriminals tried to cash in. Gaming company ESEA discovered an employee had secretly installed Bitcoin-mining software in the company’s game client. “It becomes obvious that digital currency is currently a trending topic, among malware writers as well as amongst gamers,” says ESET Malware Researcher Robert Lipovsky. “Recently we’ve happened upon a new Trojan that attempts to steal virtual cash in the form of the alternate digital currency, Litecoin.”
Bitcoin has a great guide to security here – http://bitcoin.org/en/secure-your-wallet but in general, it’s best to have two wallets for cryptocurrencies, one for spending, and one offline wallet for larger sums.
The good website gone bad
Even “good” websites can turn bad – witness the long-running “Home Campaign”, which has infected thousands of websites, and in turn delivered malware to their visitors. “How did the cybercriminals manage to exert control over so many IPs and domains?” asks ESET Sebastien Duquette, “By compromising the CPanel and Plesk panels used by many web hosting companies to manage their networks and sometimes control hundreds or thousands of websites.” The malware inserts the Blackhole “exploit kit” into sites, so users with vulnerable versions of programmes such as Java will be infected. To stay safe, ensure all your PC’s software – particularly your operating system, browser and software such as Java and Flash – are up-to-date.
The banking malware that steals money right under your nose
Shylock – detected by ESET as Win32/Caphaw, is one of the few pieces of financial malware that can steal money while a user watches. “It is one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen, because he sees fake data on the banking web page based on the webinjects’ rules,” writes ESET Security Intelligence Team Lead Aleksandr Matrosov. The malware was recently detected attacking North American users, targeting login credentials for 24 banks. Shylock has advanced “stealth” capabilities, but appears to spread via a Java vulnerability – ensure software such as Java is up to date on your PC, and always exercise caution around online banking. If anything appears slightly wrong, call your bank immediately.
Bringing the international gang lords of cybercrime to justice is a “challenge”, the interim head of Britain’s new National Cyber Crime Unit has admitted – and says he will discuss the issue with government if necessary.
“The challenge is the international dimension,” Andy Archibald said in an interview with The Register. “The vast majority of those we’re really interested in are overseas and often they’re in hard to reach jurisdictions. So international collaboration, international relationships with trusted partners are key to our success.”Archibald, who previously worked for Britain’s Serious Organized Crime Agency (labelled “Britain’s FBI in some British media), says that in some areas, British law may need to be tightened up.
“There are improvements that could be done,” Archibald said. “But what I would say first of all is that we need to be confident that we’re making the best use of current legislation. If we are and we still consider that there are gaps, we will discuss that with government.”
Archibald said that the unit had a list of “targets”.
In a recent BBC News report, Archibald said that cybercrime poses unique challenges. Referring to the recent action against the “drug market” Silk Road, he said that the “dark web” will continue to evolve.
“Tor evolves, and will resecure itself,” Mr Archibald said in an interview with the BBC.”The success we’ve had may not necessarily mean that by the same routes and same approaches we can get into other criminal forums.”“We have to continually probe and identify those forums and then seek to infiltrate them and use other tools. It’s not simply a case of because we were able to infiltrate Tor on this occasion that we’ll be able to do it next time around as well.”
The NCCU has continued to arrest cybercriminals at a rapid rate – targeting drug dealers who used Silk Road, and others.
A 19-year old man was arrested this week for suspicion of developing and distributing malware and selling services to enable cyber criminals to test their malware.
Steve Pye, Senior Manager of Operations at the NCCU said:”We will lead the national response to cyber crime, focusing activities in particular on those individuals and groups who develop, distribute and deploy the malware that attacks computers and causes harm to business networks and individual users across the UK. The arrest of this individual shows that officers will work relentlessly, 24/7, to ensure that serious and organised criminals are held accountable for their actions”.
[Please note: a version of this article first appeared in the September 2013 issue of Virus Bulletin and is reproduced here by kind permission of Virus Bulletin, a great source of objective information about information security.]
[Also note: several links in this article point to U.S. government websites that were closed at the time this was published, I just hope for all our sakes that they open again, soon.]
Is cybersecurity by fiat DOA?Government-sponsored efforts to improve cybersecurity are currently underway in several parts of the world, including the USA, the UK, and the EU, but will they accomplish their goals? The answer has serious implications for many groups of people, from security practitioners to taxpayers, CIOs and CISOs, intelligence agencies and the military. Depending on your perspective, not all of the implications are positive.
I recently participated in the latest American endeavor to secure all things cyber and critical by attending the Third Cybersecurity Framework Workshop, organized by the National Institute of Standards and Technology (NIST). As you may know, something called Executive Order 13636 directed NIST to “work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure”.
I respect NIST as one of the rare government agencies which, like the Federal Trade Commission, just seems to get on with doing useful things, including the distribution of useful information (notably the Special Publication 800 series). A lesser agency might have balked when asked to create a cybersecurity framework “in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement”. But so far, NIST seems to be rising to that challenge.
At the workshop I attended, over 300 participants were spun out into eight working groups, led by a team of facilitators who did a great job of taking input from all sides. The starting point was a draft outline of the framework, based on the two previous workshops. As we evaluated the work so far, there was a lot of learned and considered discussion, but one point of friction did emerge: fear that this voluntary framework, once completed and approved, will become a stick to beat companies into compliance. Might a law be passed to punish companies that do not comply with the framework? The folks from NIST insisted they had no interest in seeing this happen, but some attendees eyed the Department of Homeland Security attendees with suspicion.
And that brings us to malware. It might seem like a stretch, but please bear with me and turn to the Code of Federal Regulations 45 CFR 164.308(a)(5)(ii)(B). This is the Health Insurance Portability and Accountability Act (HIPAA) security rule that states that a Covered Entity must implement “Procedures for guarding against, detecting and reporting malicious software”. For years now, compliance with this rule has been the law in the USA, enforced with financial penalties running into millions of dollars. Now turn to page 16 of the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security. Larry Ponemon’s team conducted 324 interviews and compiled stats on 80 healthcare organizations.
When the results of the study were published last year, the headline was that 94% of healthcare organizations had experienced at least one data breach in the past two years, and 45% reported more than five incidents in that period. Figure 13 in the report (“Measures to ensure devices are secure enough to connect to the network”) shows that a staggering 46% of healthcare organizations don’t engage in any of seven listed measures to protect critical systems. Only 23% insist on having anti-malware on mobile devices that connect to the network, and only 21% scan devices for malware prior to connection. Sadly, there are many more data points beyond the Ponemon study.
For me, this all adds up to a strong case for saying that you can’t legislate security. A voluntary framework might help, but as several of my fellow attendees at the NIST workshop pointed out: information security requires serious will power and commitment. Absent that, and regulation is apt to do more harm than good.
For more on the NIST cybersecurity framework for critical infrastructure, see these We Live Security articles. You can also check NIST.gov when it re-opens and the August update of the draft should be here (.pdf).
Apple has announced an event for October 22, with the usual teasing headline, “We still have a lot to cover.” Leaked pictures hint that at least one of those things will be an iPad protected by the Fingerprint ID system used in iPhone 5S.The invitations, sent out to journalists on Tuesday, merely confirm an event at San Francisco’s Yerba Buena conference center at 10am on Tuesday next week – but it’s considered a near-certainty that Apple will update its ageing iPad range, according to The Register.
A picture which surfaced on Chinese news site CTechCN showed a device with a Home button which mirrored the distinctive shape of iPhone 5S’s fingerprint-reading button, according to a CNET report.
The image is a typically blurred and indistinct smartphone shot purportedly leaked from a Chinese supplier, but the move would make sense, according to CNET. “Perhaps Apple will keep Touch ID away from the mini, but bring it to the larger iPad, as a way to reward shoppers who splash out on the bigger, pricier tablet,” the site wrote.
Despite repeated attempts to “hack” the security sensor, Apple’s move appears to have inspired other handset manufacturers. HTC’s One Max – a bigger, 5.9-inch screen version of its flagship Android handset – also offers fingerprint authentication, and was unveiled at a press conference in China this week according to the BBC.
“The fingerprint scanner allows users to lock or unlock the screen and quickly launch up to three favourite applications by assigning an individual finger to each,” the Taiwanese company said in a statement.
Last week, a report from USA Today said that a standardized fingerprint security system for Android devices, certified by the FIDO (Fast Identity Online) Alliance, would be available shortly after the new year.
Stephen Cobb, Security Researcher with ESET, says that we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.”
“I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S and subsequent devices could advance biometrics, or put a whole lot of people off biometrics.”Various other start-ups are working on systems which ID users via brain waves, heart beats and even the way they walk.
The cybercriminals behind last week’s profiled fake T-Mobile themed email campaign have resumed operations, and have just spamvertised another round of tens of thousands of malicious emails impersonating the company, in order to trick its customers into executing the malicious attachment, which in this case is once again supposedly a legitimate MMS notification message.
Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e – detected by 26 out of 48 antivirus scanners as Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic
Once executed, the sample creates the following Mutexes on the affected hosts:
It then (once again) phones back to networksecurityx.hopto.org. The most recent MD5 (MD5: 014543ee64491bac496fabda3f1c8932) that has phoned back to the same C&C server (networksecurityx.hopto.org) is also known to have phoned back to dahaka.no-ip.biz (22.214.171.124).
Detection rate for the spamvertised attachment: MD5: 8a9abe065d473da9527fdf08fb55cb9e – detected by 26 out of 48 antivirus scanners as Trojan.DownLoader9.22851; UDS:DangerousObject.Multi.Generic
Once executed, the sample creates the following Mutexes on the affected hosts:
It then (once again) phones back to networksecurityx.hopto.org. The most recent MD5 (MD5: 014543ee64491bac496fabda3f1c8932) that has phoned back to the same C&C server (networksecurityx.hopto.org) is also known to have phoned back to dahaka.no-ip.biz (126.96.36.199).
Hi all, Cyberinfocts IT Security October Forum -- Saturday 19 th October 2013 @ 1st Floor Owo Dunni Omotayo Road Close to Oshophey Plaza Allen Avenue Ikeja agos . Time: 9:00 am Registration Fee: 500.For further details contact 07037288651
The issue was uncovered by James Forshaw, head of of vulnerability research at Context Information Security, and the money was awarded under the firm's Mitigation Bypass Bounty scheme.
Forshaw previously uncovered design bugs in Internet Explorer 11 (IE11), so this new reward takes his earnings from Microsoft’s bounty programme to a total of $109,400. The majority of the award will go to Context, although Forshaw is likely to receive a sizeable bonus for carrying out the research.
Writing in a blog post Katie Moussouris, senior security strategist at Microsoft Security Response Center, said the firm would not be detailing the issue he had uncovered until it was addressed.
However, she said the scale of the issue uncovered meant that it would be able to vastly improve security across its products, and this was why the firm had awarded the highest possible sum to Forshaw.
“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defences against entire classes of attack," Moussouris said.
“This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
Moussouris added that a researcher at Microsoft, Thomas Garnier, had also “found a variant of this class of attack technique” but the firm acknowledged that Forshaw’s submission was of a more detailed and thorough nature and so deserved the reward.
Commenting on the bounty, Forshaw said Microsoft’s approach to rewarding security research helped justify the type of work he was doing.
“I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires. Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence,” he said.
“It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.”
The huge sum Microsoft is paying out is in stark contrast to recent outrage aimed at Yahoo after it was found to have only paid $12.50 in gift vouchers to researchers for uncovering flaws.
It has since changed its policies to put a more official and generous reward scheme in place. Facebook also faced criticism for its handling of a security flaw find by an Indian researcher, although $12,500 was eventually paid out.
Vice president of global security solutions at Unisys, Neil Fisher, told V3 the tool works by hiding critical information and data centre processes from hackers to offer protection all the way through the network.
"Mobile security needs to begin in the data centre where an organisation's ‘crown jewels' - its most mission-critical data - are kept. Unisys Stealth darkens endpoints in the data centre and uses identity-based security, so the crown jewels are virtually invisible to those not authorised to see them," he explained.
Fisher added the Stealth service also features mobile software that can be used to authenticate and organise device users' privileges. This means managers can control what information each user is accessing and spot unauthorised activity.
"Once the crown jewels are secure, the same protection can extend to mobile applications with Unisys Stealth for Mobile. The technology uses the strengths of Unisys Stealth data protection and extends it to applications on mobile devices, helping to hide Stealth-enabled communities and virtual processing environments from unauthorised users," he said.
The service also has application wrapping software designed to let administrators set specific security policies on a per-app basis. Fisher said the combined package will offer businesses protection against a variety of cyber threats.
"Stealth for Mobile helps secure the most critical assets in the data centre from threats introduced by mobile devices. It makes use of application wrapping software that encrypts data-in-motion from the mobile app across the internet - keeping it secure from hackers and eavesdroppers," he said.
"Unlike mobile VPN technologies which encrypt data only to the enterprise boundary, Stealth for Mobile extends that encryption right up to the servers in the data centre."
He claimed Stealth is the first service to offer enterprise businesses such holistic defences against hackers: "Unisys Stealth uses unique security techniques to allow clients to increase data security while simplifying security management, and use public networks such as the internet without exposing their data communications to cyber threats."
Threats to business networks are being exposed all the time. Only last week Adobe admitted it was the victim of a huge theft of data on 2.9 million of its customers, while source code for its products was also stolen.
The vulnerabilities in IE, .Net framework and Windows Kernel-Mode Drivers, were listed as the most serious, categorised as critical. The IE vulnerabilities were disclosed by Microsoft last month after it released a broken patch for them, which was subsequently pulled.
The news was troubling as it meant hackers had been alerted to vulnerabilities before Microsoft had a chance to fully fix them, leaving businesses with a temporary "Fix It" workaround. Trustwave director of security research Ziv Mador said the lack of a true fix was dangerous as the vulnerabilities could be exploited by hackers to mount a remote code execution attack.
"This is the biggie that everyone has been worried about, that was first announced last month and for which Microsoft issued a Fix It," he said.
"The good thing is that if you already applied the Fix It, you do not need to undo the changes before applying this update. The issue with all 10 of these vulnerabilities has to do with how IE handles objects in memory; if items in memory get corrupted in a certain way an attacker could cause that corruption to execute arbitrary code."
The bulletin issued a similar advisory for the .Net framework and Windows Kernel-Mode Drivers vulnerabilities. Ross Barrett, Rapid 7 senior manager of security engineering, warned that if left unpatched the vulnerabilities could theoretically be exploited by hackers for a variety of purposes.
"MS13-081 (vulnerabilities in Windows Kernel-Mode Drivers) addresses an exploit path (CVE-2013-3128), which would give an attacker kernel-level access on a system that attempts to render a page containing a malicious OpenType font," he said.
"Technically one of the CVEs in MS13-082 (vulnerabilities in .Net framework) addresses a variant of the same issue, which Microsoft found by auditing the reuse of that code. In this case the variant would only give user-level access to that attacker. At this time this issue is not known to be under active exploitation."
Barrett added that the vulnerability in the Windows Common Control Library was particularly interesting, as it could theoretically be targeted by a self-spreading worm attack.
"MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net webpages. This is a genuine article; a real, honest to goodness, potentially ‘wormable' condition," he said.
"If the bad guys figure out a way to automate the exploitation of this, it could spread rapidly and the defence in depth measures of your organisation will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation."
Important patches for vulnerabilities in Microsoft Word, Excel and Windows Common Control Library were also released. Microsoft downplayed the significance of the Word and Excel patches, confirming that an attack would only have real significance if it managed to infect a machine with high-level administrative rights.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," read the bulletin.
Persuading businesses to install patches more regularly has been an ongoing problem facing the security community.
Most recently the dilemma was showcased by the fact numerous firms are still running the outdated Windows XP operating system. The news is troubling as in less than six months Microsoft will officially cease support for the OS, meaning new security vulnerabilities will no longer be patched.
Speaking on Tuesday evening, the director general of the security services Andrew Parker (pictured) dismissed concerns that the UK has been engaging in blanket spying as “utter nonsense”, and said publishing information on spying techniques had provided terrorists with a "gift".
His comments come in the wake of the PRISM and Tempora spying revelations that broke earlier this year. These revealed that both US and UK spying organisations, such as the Government Communications Headquarters (GCHQ), have been monitoring huge amounts of global internet traffic.
He said that the use of such techniques was vital to keep track of the latest terrorists as they use internet communications to plot terror attacks all the time.
“Technologies advance all the time. But MI5 will still need the ability to read or listen to terrorists' communications if we are to have any prospect of knowing their intentions and stopping them,” he said at the event hosted by the Royal United Services Institute (RUSI).
“The converse to this would be to accept that terrorists should have means of communication that they can be confident are beyond the sight of MI5 or GCHQ acting with proper legal warrant. Does anyone actually believe that? “
He went on to justify any snooping by claiming it was only ever done for the public good and focused on those suspected of terrorism, rather than blanket monitoring citizens at large.
“Let me be clear – we only apply intrusive tools and capabilities against terrorists and others threatening national security. The law requires that we only collect and access information that we really need to perform our functions,” he said.
“In some quarters there seems to be a vague notion that we monitor everyone and all their communications, browsing at will through people's private lives for anything that looks interesting. That is, of course, utter nonsense.”
He also hit out at the leaks of confidential documents that laid bare the extent of the spying programme. He said publishing the information had put national security at risk.
“It causes enormous damage to make public the reach and limits of GCHQ techniques. Such information hands the advantage to the terrorists. It is the gift they need to evade us and strike at will,” he said. “Unfashionable as it might seem, that is why we must keep secrets secret, and why not doing so causes such harm.”
Revelations around the spying programmes hit the headlines in June, after Edward Snowden leaked documents that revealed the existence and scope of the spying programmes.
This led to huge uproar among the tech and wider political landscape, and led to more revelations that the US had been spying on EU discussions and that many encryption technologies had been purposefully engineered to allow snoops easy access.
Google Security Team member, Michal Zalewski, announced the extended Patch Rewards scheme in a blog post, arguing current bug bounty programs are not doing enough to improve open source projects' general cyber security.
"We all benefit from the amazing volunteer work done by the open source community. That's why we keep asking ourselves how to take the model pioneered with our Vulnerability Reward Program - and employ it to improve the security of key third-party software critical to the health of the entire Internet," he wrote.
"So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat, or even just to enable ASLR - we want to help!"
Zalewski confirmed the Patch Rewards scheme will initially apply to a select number of projects. Current projects included in the program are OpenSSH, BIND, ISC DHCP, libjpeg, libpng, giflib, Chromium, Blink, OpenSSL, zlib and a select number of security critical parts of the Linux kernel.
The Google security professional added the company plans to extend the program to include upgrades to Apache httpd, lighttpd, nginx, Sendmail, Postfix, Exim, GCC, binutils, llvm, and OpenVPN in the near future.
Professionals looking to take advantage of the payment scheme will have to submit their application to the email@example.com email address. In order to be eligible for payment developers will first have to show their work has already been submitted and used by the relevant open source project. Rewards on offer range from $500 to $3,133. The exact payout is determined by a panel of Google judges.
Security reward programs are an increasingly common tool used by technology companies. Prior to the Google Patch Rewards scheme's announcement Microsoft paid a UK researcher $100,000 for uncovering a new type of mitigation bypass technique that could be used to attack a number of its products.
Responding to audience questions on the topic at the Westminster eForum event on Thursday, Stephen McGibbon said that the debate had been "thrown to extremes" and that while using data to foil terrorists was necessary, it was not being handled correctly.
"A lot of people - and I'm agreeing with these people - agree that this wholescale slurping of data is ridiculous but they also agree that there needs to be some mechanism to be able to get information in order to catch terrorists."
"What's missing from the debate at the moment is the thing that allows us to meet in the middle. My personal opinion is there's a lack of maturity in the debate at the moment about the powers the estate has had in the past, why the estate has those powers and how they should exercise them."
Microsoft has found itself at the centre of the PRISM scandal - accused early on of providing "back-door" access for governments to access customer data, a claim the firm has repeatedly denied. Microsoft joined various technology companies over the course of the summer, petitioning and then suing the US government in a bid to bring greater transparency to the process of handing over requested customer data.
Last month, Microsoft revealed the extent to which it hands over user data to governments around the world, with only a small portion of user data going beyond basic account data such as email and IP addresses. In only a minority of cases, Microsoft handed over data such as chat logs and email exchanges.
However, due to US government legislation, the firm was unable to provide numbers on requests instigated by national security orders, thereby rendering US request numbers less informative.
On Tuesday, MI5 director general Andrew Parker labelled fears over blanket surveillance as "utter nonsense", saying internet monitoring is vital for thwarting terrorist threats.
The data watchdog also suggested that businesses should not go too far in the other direction by intruding on their employees' privacy, though, and that a balance must be struck.
Speaking at a Westminster eForum event on remote working, Simon Rice, the ICO's group manager for technology said data controllers should consider how much information is required on any device at one time and that simple security features should not be ignored.
"If a device does not have what the data controller considers to be a critical measure or if the employee doesn't want to enable it, don't be shy about choosing not to enrol that device," he advised. "Most modern devices allow for password protection and the encryption of data, and it's just a matter of making sure it's switched on at little or no additional cost.
"It's important that a data controller is not reducing a level of security that they've already put in place. If they've already defined the standards, allowing new devices to connect shouldn't reduce that standard."
However, Rice was quick to discredit excessive mobile device management, urging data controllers to take a slightly lighter touch to regulation: "We musn't forget the employees themselves. By definition, some or most of the use of personal devices will be personal. A bring your own device policy should not permit surveillance or excessive monitoring coming through the back door."
The ICO has handed out fines totalling more than £4m to public bodies alone since it was given the power to penalise data mishandling in 2011, with the total brought even higher when private firms are considered.
Rice concluded that while many business processes can take place on personal devices, he said that it would not be considered acceptable for "all types of processing for any type of data" to take place on personal devices. He said that data controllers "must take stock of this, and should not underestimate the time and effort to put those measures in place."
The rise of BYOD policies in organisations is growing all the time. V3 reported this week on plans at Hounslow Council to implement BYOD for both phones and tablets as well as moving to an 'infrastructure free' IT use model within five years.
The National Crime Agency (NCA) confirmed the Inner London Crown Court sentenced 27-year-old Olukunle Babatunde, to serve five years and six months after he pleaded guilty to plotting to defraud UK banks.
Alongside Babatunde, 25-year-old Tamar Abdulhamid was also confirmed to have pled guilty to conspiracy to remove and conceal criminal property.
The two arrests follow an ongoing investigation by UK authorities into the distribution of stolen financial data by organised, international criminal groups. The groups included in the investigation are believed to run sophisticated phishing scams.
The scams operate by sending a number of phishing emails to a variety of victims. The emails are designed to dupe recipients into revealing their online banking login details. Once stolen the details are either sold on cyber black markets, or used to make fraudulent transactions.
The arrests follow a wider push by the UK government and law enforcement to combat cyber crime. Combating cyber crime has been a central part of the UK government's ongoing Cyber Strategy.
Since being announced in 2011 the strategy has seen the government and law enforcement launch numerous initiatives and strategies to help deal with cyber crime. These have included the creation of the NCA's National Cyber Crime Unit (NCCU), which only launched earlier this week, and the creation of the Cyber Security Information Sharing Partnership (CISP).
Head of the NCCU, Andy Archibald, said the arrests were only possible thanks to information sharing schemes like CISP.
"This is an excellent result built on the joint working of precursor agencies and has involved the examination of a large number of data, resulting in 765 victim accounts being identified," he said.
"The National Crime Agency will continue to share information and intelligence with regards to serious and organised cyber crime, ensuring those who pose a threat to the public are identified and held accountable for their actions".
The arrests mark another early success for the NCA which was launched this week. It also helped arrest four men who are believed to have been involved in the running of the infamous Silk Road forum, which the FBI took ofline earlier this month.
Earlier this month senior architect at security firm FireEye, Jason Steer cited law enforcement's robust anti-cyber crime campaign as a potential reason only 0.016 percent of the world's known cyber attacks stem from the UK.
Symantec researchers Avdhoot Patil and Daniel Regalado Arias reported uncovering the scam in a public blog post, warning the criminals are using the site to mount a two-pronged attack against their victims.
"The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook," read the post.
"A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site redirected to a legitimate Facebook page."
The researchers highlighted the use of the malware as particularly troubling as it has the potential to grant the criminals several espionage and data theft powers.
"Symantec analyzed the malware and found its behavior to be as follows: The malware consists of two executable files that both perform the same action. The files are added to the registry run key, which execute after every reboot. The malware sets up a keylogger in order to track anything that the victim types," read the post.
"Then, it will check if there is internet connectivity by pinging www.google.com. If there is connectivity, the malware will send all information gathered to the attacker's email address. Symantec observed that the email address has not been valid for three months and hence the malware is not able to send updates to the attacker at the moment."
Phishing attacks have been a growing problem facing UK Industry. Prior to the new attack's discovery Kaspersky Lab reported the number of phishing messages hitting UK web users has tripled over the last year, with crooks targeting an average of 3,000 Brits every day.
The sophistication of the attacks is also believed to be growing with criminals constantly creating new inventive ways to spread malware. Earlier in the year Sophos researchers reported uncovering a new phishing message loaded with a malicious Google Doc targeting Gmail users.