Mind the Gap – Mind your Android

Android holds approximately 80% of the global mobile market today. Due to the popularity of the Android operating system for mobile phones, it serves as a more attractive target for hackers and cyber criminals than iOS mobile phones.

Security researchers have discovered ways to take control over roughly 70% of Android devices via a Web page or apps – mostly devices that have outdated versions. Although Google releases patches approximately every four months, most of the devices will likely remain vulnerable to attack because they will not be updated.

Security consultant Graham Cluley accentuated this point when he said, “The fundamental problem is that they [Google] don’t control the hardware and software. Even though all these devices are Android-operated, they run different tweaked versions with different UIs and add-ons.”

Whereas iOS is installed only on Apple devices, which makes obtaining updates relatively easy, security updates for Android devices are forced to pass through the mobile network operators and carriers – a hindrance that often takes a great deal of time.

The following chart describes the patching process for an Android device, from the first discovery of a vulnerability through to the repair that ultimately reaches the end-user device. The repair process up to point C is typical of every software product; the fix released at point C usually marks the end of the vulnerability window that opens at point A.

Points D – G represent the repair process specific to Google: whenever a patch to Android becomes necessary, Google provides an update via its open source forum, the manufacturers produce the update, vendors release it, and only then does the user install the updated, customized version of the operating system.

Chart showing the creation of a patch for an Android device

It should be noted that the patch release date is not the date on which these updates actually become available to users. Once Google releases an update, the manufacturer must adapt it to its own hardware. It is even possible that the update never reaches the user at all, for example if the vendor decides that distributing it is too expensive.

As a result of this window of vulnerability and the gap between Google’s release date and the manufacturer’s, hackers can use reverse engineering techniques on the originally published patch, or on the patch of any other manufacturer who issued it at an earlier date, to identify and exploit the vulnerability on devices that are still unpatched.

Clearly, the fact that Google provides a secure platform for Android is insufficient – it is also important to ensure that their patches reach their targets, Android users, within the shortest possible time, to minimize the attack window.

Phishers Hide their Hooks in Short URLs

We have recently encountered a more elaborate phishing scheme, one which includes cleverly hidden links.

Some days ago we received an email titled “American Express has an important update for you”. Funny, I don’t recall having an AMEX account… and the address from which the message was sent was all too suspicious and not connected to AMEX: [communication.4abr7w64haprabracrafray552dreste[at]azurewebsites.net].


Still, I kept reading the message which was all about the new anti-SPAM law:

Effective July 20, 2014, United State’s new anti-spam law comes into effect and American Express wants to ensure that your representative will be able to continue sending you emails and other electronic messages without any interruptions. In addition to messages from your representative, we may also send you other electronic messages, including but not limited to newsletters and surveys as well as information, offers, and promotions regarding our products and services or those of others that we believe you might be interested in (“Electronic Messages”).

The next paragraph contained a request to click an “I Agree” link to express consent to receiving Electronic Messages from AMEX.

The hyperlink points to a bit.ly address. Here’s the catch.

We all know that by hovering over a suspicious link we can usually see where it really points, and this is often different from the link text itself (the link could say “americanexpress.com” but hovering over it will reveal the real address, “russianspammers.ru”).

In this case, however, hovering shows only the shortened bit.ly address, so we cannot simply identify the destination of the link. What can we do?

Simple. Just paste the link address in getlinkinfo.com (or similar service), and voila, you can see the original link (and in this case, with a warning attached).


So other than the cynical use of anti-SPAM email to actually promote SPAM, the sender cleverly hides the real address inside a URL shortening service, making it more difficult to detect for the unsuspecting eye.
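The two checks this post describes, the sender’s domain and the mismatch between a link’s visible text and its real target (with shortened URLs flagged because the destination cannot be seen by hovering), as an added Python example; this is not code from the original post, and the sample mail, shortener list and placeholder hosts are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of URL-shortening services (constructed, deliberately short list for this example).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
# Matches a domain name such as "americanexpress.com" inside an anchor's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (crude heuristic; no public-suffix list is used)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def sender_is_suspicious(from_address, brand_domain):
    """True when the From: address does not belong to the brand the mail claims to be from."""
    return registrable_domain(from_address.rsplit("@", 1)[-1]) != brand_domain

def check_links(html_body, brand_domain):
    """Return (href, reason) findings for links that hide or misrepresent their destination."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        if host in SHORTENER_HOSTS:
            findings.append((href, "URL shortener hides the final destination"))
        elif shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        elif not shown and registrable_domain(host) != brand_domain:
            findings.append((href, f"link leads away from {brand_domain} to {host}"))
    return findings

# Constructed sample mail modelled on the AMEX-themed message discussed above; the bit.ly
# path and the attacker host are placeholders, not real links.
SAMPLE_EMAIL = """<html><body>
<p><a href="http://bit.ly/xxxxxxx">I Agree</a></p>
<p><a href="http://attacker.invalid/login">americanexpress.com</a></p>
<p><a href="https://www.americanexpress.com/">www.americanexpress.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "americanexpress.com"):
        print(f"{href}: {reason}")
```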

“Patching” the Gender Gap – the SenseCy Ladies Talk Cyber

It is no secret that the Infosec industry is predominantly male, with almost 90% of employees being men (according to a recent survey). But even as we write this post, things are slowly changing and there is more talk about the “gender gap” than there is about the “skills gap” (a quick question for an industry filled with bright minds – if there is a skills gap and not enough male employees to fill it, doesn’t it make sense to recruit and train more women?). At least in our small company, things are very different. In fact, at SenseCy, women comprise over 50% of the workforce and we are recruiting more every month.

We gathered our female cyber analysts for a joint interview to discuss their views on the industry and the challenges they face, and to decide once and for all why women should find Infosec interesting.

Meet Tanya, our cybercrime analyst; Tatiana, our OSINT analyst; Hila, our hacktivism analyst; Sheila, our customer relations manager; and Gal, our technological projects manager.

What Do You Like About Your Job?

Most of us agree that we like working in this dynamic field, where we find ourselves learning something new every day. It is exciting to work in such a fast-paced environment. We love accumulating more knowledge and feel that each feed, project, post, etc. contributes to our understanding of the field.

We also love that everything we do here is also relevant and applicable to our personal daily lives.

“Even” the technical stuff is becoming more interesting to those of us who do not have a technological background as it is put into context and the more we learn, the more interesting it gets. We also feel that we are part of the “good guys” (/girls), fighting for a good cause.

Sheila: “I am the first Turkish cyber analyst at SenseCy; I tell everybody this and I am very proud to hold this title. Over time, as I delve deeper into topics and follow the news on these issues, then the technological knowledge helps me and becomes more interesting. When I do not understand something, I find it boring, but when I understand it is more interesting, because it makes sense to me.”

Do You Think You Are Viewed Differently As a Woman Working in This Industry?

Tanya: “We moved offices the other day and while I was using an electric screwdriver to disassemble my desk, three guys came up to me offering to do the exact same job I was already doing…”

While we agree that it is true that most computer classes are taken by boys, and even though most of us come from Intelligence and have less of a technological background, we still take courses and learn all the time, so it is not something that is “impossible” for women to learn. On the contrary, there is so much information, so many forums, blogs and tutorials, where one can learn and ask questions. Information is readily available for those having the motivation to learn.

Sadly, there is a preconception today amongst youth – both boys and girls – that STEM (Science, Technology, Engineering, and Mathematics) professions are “just too hard.” This should change. We should bring computer science to “the people”, so that more people will strive to acquire knowledge in the field, and women can really contribute toward achieving this goal (for example in projects like “Girls Who Code“.)

As evidenced in our team composition, “Cyber” is a very broad term and there are many different opportunities in the field for people with different expertise and backgrounds.

Tanya: “I think that part of the social differences are biologically inherent, but at the same time, from a younger age girls are less drawn or encouraged to study computers.”

Gal: “I do not think computers require masculine thinking; women used to be the predominant workforce in the field before things changed.”

There is no doubt that men and women are viewed differently. There are subtle assumptions that we all make, even if we are not fully aware of them. So it is important to be more aware of our behavior and underlying assumptions. Therefore, such posts and conversations can raise awareness and contribute to advancing women in the field.

It is sometimes a matter of perception – when we think about an Infosec professional, the image that comes to mind is that of the uber-geek typing complex code lines on the computer. But this could change to accommodate other images that include women. This could change the mind-set of girls and women pursuing a career path in Information Security and also the perception of employers of possible candidates for the job.

From this:

To this?

Balancing Home and Office

Today’s global markets and the mobile BYOD technological environment have both advantages and disadvantages. For mothers (and fathers) it allows more flexibility as they can work from home. That said, for some of us it helps to disconnect once we are home, like for Hila. Gal says she needs the balance between home and work, and going back to work after childbirth kept her sane: “SenseCy (then Terrogence) is a great workplace for new mothers. They offered me a lot of flexibility and really did their best to accommodate my needs. I worked from home for two months and now I work a half day and clock more hours in the evening. They also hired me when I was seven months pregnant. I think it pays companies to invest in mothers, as they will be very committed to their job.”

Nine-to-five working hours are outdated and managers should look at achievements at work rather than just the hours employees put in. Unless there is something urgent, our managers do not mind when and where we do our job, as long as we do it well and meet deadlines.

The two mothers in the group agree that work is their resting time (we can drink coffee, use the restroom and talk to adults.)

Do We Actually Need More Women in Cyber? And if so, How Can We Encourage Them to Join Us?

Tatiana says that the requirements for the job are sometimes very high and it is not suitable for everyone. You have to invest a lot of time studying and always stay updated on what is going on.

Hila says we need more people in general in IS, while Tanya thinks it is best to have a 50%-50% work environment.

Yotam (SenseCy’s Sales and Marketing manager, who helped record the interview, but could not resist jumping in) says: “Women must be part of the solution, because cyber security is a global issue that affects all of us. We are all targets for hackers, so if 50% of the population is excluded from the discussion, it will be very difficult to make a difference. Also, I think women are more patient and responsible, so they are up for the job.”

Cyber security is a problem in all sections of the population and in different industries, so we must all be aware of the dangers.

Gal (responding to Tatiana’s comment): “I think most women underestimate themselves and do not apply for jobs with high requirements, while men try anyway. Also, we ask for lower salaries.”

Tanya: “It is not just us; sometimes employers have a lower motivation to hire women of child-bearing age, because they know they will have to deal with maternity leave and children, etc.”

Gal: “It is also our mind-set that must change; women today often start families in their thirties, so we have a decade to invest in our career and to gain an advantage in our field of occupation. Sandberg said ‘Don’t leave before you leave.’ I see a lot of young women already planning their career path according to their pre-existing children. I think that is a mistake. Make use of this time to acquire an interesting well-paid profession.”

Tanya: “I think that sometimes women should carefully plan the balance between career and family life, as in our competitive society slowing down in the career race can put future promotions at risk. This is especially true for women who want to have more than one child and allocate time to stay home with them.”

Tanya continues: “I feel that today women are encouraged to invest more in their careers and if I talk about children, they look at me awkwardly. A lot of women postpone having families because of their careers. For me, ‘feminism’ is more about being able to make your own choice, and not about doing everything that a man does.”

Hila: “There are financial considerations – sometimes it has nothing to do with feminism. Today, in most families both parents have to work to survive financially.”

To Summarize

Sheila: “I came here because of my Turkish skills, but stayed and learned other skills.”

Hila: “I came straight from the military, where I felt that men ran everything. Here at SenseCy, I do not feel that this is the case.”

Tatiana: “I think we should start educating our girls from an early age.”

Gal: “I feel that SenseCy has more diversity compared to other Israeli hi-tech companies. It is very interesting and inspiring to work in such a heterogeneous company with so many different language speakers and a balance between men and women. What I would love to see more of in the future is more women taking a role in leading this field as managers and entrepreneurs.”

Two New Banking Trojans Offered for Sale on the Russian Underground

It is the season of summer vacations in Eastern Europe now, and we definitely see a certain lull in the underground cybercrime business. Just like “regular” people in Russia, cybercriminals also spend a week or two by the sea or in their dachas (chalets), after working round the clock during the year. We are witnessing this lull not only in the decrease in trade activity, but also in the lack of support for some services offered on the forums, the long absence of several high-ranking members from the boards, etc.

Considering this situation, it was quite exceptional to see the almost simultaneous appearance of two new banking Trojans on one of the Russian underground forums. Although offered by different sellers, the names of both are derived from Greek mythology – Kronos and Kratos. Kronos is the father of Zeus, the most important Greek god, while Kratos was a far less important figure. The prices match the significance of the gods – Kronos costs $7,000 (a special release price until July 18th is $5,000, and a one-week trial is offered for $1,000, on your own domain), while Kratos is available for only $2,000.

Let us look more closely at the features of the above-mentioned Trojans, as described by the sellers.

Kronos

Kronos, first published on June 10th, is claimed not to be based on the Zeus source code or on other known banking Trojans, thus suggesting a new generation of financial malware. The extremely high price supports this suggestion.

It has a ring 3 rootkit that is compatible with both x86 and x64 systems and includes a formgrabber for the latest versions of the popular browsers (IE, FF and Chrome). Kronos’ web injections are configured in Zeus’ format, so adapting old injections to the new Trojan is supposed to be fairly simple. As for security features, the seller claims the Trojan is capable of bypassing proactive AV protection, as well as user-mode sandboxes and rootkits.

Among the disadvantages of this Trojan, the seller mentions the lack of a VNC module and incompatibility with the Opera browser. Nevertheless, a vigorous discussion about Kronos developed on the forum and gained mostly positive feedback.

On July 8th, the seller posted the results of an AV scan of his product: it was detected by 10 out of 35 vendors, as generic malware.

Kronos in action - a snapshot from a video published by the seller

Kratos

Kratos’ sales started on July 7th. It is based on Carberp’s bootkit, without relying on the Zeus source code, and uses Citadel’s PHP administration panel.

The seller describes the main concept of his product as blocking AV detection (which depends on successful installation of the ring 0 bootkit). It works on both x86 and x64 operating systems and is built on a modular system – one of the modules is an injection module for all versions of the FF, IE and Chrome browsers. As for security functions, the Trojan bypasses UAC protection and has a unique 16kb RSA signature key.

Kratos’ seller emphasizes that a change in one of the protocols (compared to Zeus) allowed compression of the traffic, thus opening up the possibility of connecting through the Tor browser.

The thread about Kratos on one of Russian underground forums

In both cases, the discussions are still ongoing. We have not yet seen feedback from satisfied purchasers, but in general both Trojans were received with positive responses.

#OpSaveGaza – Interim Summary

Written by Yotam Gutman

When the cannons roar, the muses stay silent (but the hacktivists hack).

As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists targeting Israel. In this post we review the activities that have taken place so far and try to characterize them.

Attacker Types

Attackers can be divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns run by hacktivist groups and show their support on social media sites.

Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event”, dubbed #OpSaveGaza, was created by Moxer Cyber Team, a relatively new group that probably originates from Indonesia and whose event page has 19,000 followers.

Moxer Cyber Team event page

The event included many lesser-known Islamic groups, mainly from Indonesia, which did not participate in previous campaigns against Israel. Another event page, by the Tunisian AnonGhost, announced that the attack would include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.

Cyber terror organizations in the form of the SEA (Syrian Electronic Army) and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign, but have waged several high-profile attacks, such as hacking into the IDF spokesman’s blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).

Attacker Tools

The participants in this campaign use the same kinds of tools as in previous campaigns – generic DDoS tools, SQLi tools, web shells and IP anonymization tools.

Results (Interim Summary)

To date, the #OpSaveGaza campaign has consisted mainly of defacement attacks (about 500 sites have been defaced), minor-scale DDoS attacks and some data dumps. Two interesting trends we are seeing are the recycling of older data dumps presented as new ones, and the posting of publicly available information as if it had been breached.

Summary

We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.

To the Rescue? Muslim Hacktivists Prepare Cyber Retaliation against Operation “Protective Edge”

Following the escalation between Israel and the Hamas regime in Gaza, Muslim hacktivists have announced the launch of several cyber campaigns against Israeli targets.

Unlike the real Middle East, where Muslims from different factions fight each other, when it comes to assaulting Israel they are happy to join forces. While several groups have launched campaigns to show their solidarity with the Palestinians, the most prominent are AnonGhost with #OpSaveGaza and Anonymous Arabe, which launched #Intifada_3 alongside Moroccan Tigers Team.

#OpSaveGaza is scheduled to peak on July 11, but attacks have already commenced against government, financial and telco targets, combining hackers from Malaysia in the East to Tunisia in the West.

#OpSaveGaza

#intifada_3 is led by Anonymous Arabe and Moroccan Tigers Team, and promises daily defacement and DDoS attacks against an assortment of sites.

#intifada_3

We expect the attack attempts to intensify in line with the progress of the armed conflict.

An Aid to the Aspiring Cyber Intelligence Analyst (Part 2)

We recently published the first section of the terms table and felt it was insufficient, so we are following up with a second section, delving deeper into the underground cyber world of illicit trade, hacking and malware.

Cyber intelligence phrases