Malware Using More Stealthy Techniques To Avoid Detection

Dell SecureWorks, the counter-threat service that Dell bought in 2011, is reporting on a new outbreak of the malware family STEGOLOADER, which has a different M.O. that makes it hard to detect. All that persists on the machine is a small loader that downloads the core module. This loader can be changed easily and might even have the ability to change itself to avoid detection. That is all the anti-virus software has to work with.

Once it loads this core module, that module downloads a picture. Yes, a picture. The picture could be any image hosted on any web site, including compromised legitimate sites. Hidden inside this picture, using steganography (hiding secrets in plain sight), is the first piece of malware. However, this malware is never written to disk. If you reboot the machine, it just downloads it again.

Now the malware has a beachhead and can download other modules using this same technique. If the anti-virus software looks on the disk, there are no new files to scan. If the software scans the downloaded file, all it sees is a picture.

The software is modular and downloads whatever modules it needs. This allows for easy updates each time the core module is reloaded – for example, if the anti-virus vendors come up with a way to detect it, the attackers just morph it to avoid the detection.

The data (malware) that is extracted from the picture is compressed and encrypted just to make things more fun.  While the decryption key is hardcoded, different samples have different keys.
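The picture-as-carrier step described above, as an added example that is not code from the original post, Dell SecureWorks or Trend Micro: the post does not say how STEGOLOADER hides its module in the image, so plain LSB replacement is assumed here, and the point shown is why a downloaded PNG that passes every structural check a file scanner can make still leaves a statistical trace, because compressed and encrypted payload bits look random in the LSB plane. The PNG builder, the cover image and the simulated payload are all constructed in the block.

```python
import random
import struct
import zlib

# Constructed example (not code from Dell SecureWorks, Trend Micro or the malware). The
# post does not say how STEGOLOADER embeds its module; plain LSB replacement is assumed.
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height, pixels):
    # valid 8-bit greyscale PNG, filter type 0 on every scanline
    raw = b"".join(b"\x00" + bytes(pixels[y * width:(y + 1) * width]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def png_is_well_formed(blob):
    """What a file scanner can verify: signature, chunk CRCs, IEND, no trailing bytes."""
    if blob[:8] != PNG_SIG:
        return False
    pos = 8
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(blob)
    return False

def pov_chi_square(pixels):
    """Pairs-of-values chi-square (Westfeld/Pfitzmann); LSB replacement evens out each pair."""
    hist = [pixels.count(v) for v in range(256)]
    chi2 = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected:
            chi2 += (hist[2 * k] - expected) ** 2 / expected
    return chi2

def simulate_lsb_payload(pixels, seed=1):  # stand-in for an embedded encrypted module
    rnd = random.Random(seed)
    return [(p & 0xFE) | rnd.getrandbits(1) for p in pixels]  # ciphertext bits look random

def constructed_cover(width=64, height=64):  # smooth gradient, even values only
    return [((x + y) // 2) & 0xFE for y in range(height) for x in range(width)]
```

Both the clean and the payload-carrying image are fully valid PNGs, so only the pairs-of-values statistic separates them; a real photo has a less lopsided histogram, so the gap is smaller than in this constructed cover.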

The malware is in constant contact with its control server, but those messages are also encrypted. That way the control server can change the malware's behavior as needed.

The malware can detect if it is being analyzed – for example, by being run inside a virtual machine – and if so, it just shuts down.

Since it is modular, it can do many things, but one thing that it does do is steal passwords – like email passwords and SSH passwords. Since it is running in memory, in your PC, link encryption like SSL does not make any difference. Any passwords in memory are potential targets.

Trend Micro says that the main targets it is seeing are healthcare, followed by finance, and most of the infections are in the U.S.

Obviously, in either of these environments, stolen passwords can yield a lot of sensitive information.

This category of malware is difficult to detect, which is why it is becoming popular. If people and companies want to stop this class of malware, it will require some out-of-the-box thinking, and the result may require users to make some adjustments. Just part of the evolution of malware.

Information for this post came from here and here.


Consumers DO Care About Data Breaches

The common wisdom these days is that consumers are numb to data breaches, but Stax Consulting asked a thousand people and the results show that is not the case. This is just one more reason why avoiding being breached is still in your interest. For those of you who are concerned, I will make a suggestion at the end.

Myth #1 – Consumers don’t know or care about breaches

Nearly 70% of the people asked could correctly identify companies that had been breached.  15% said that they generally stopped shopping at those stores and 23% said they stopped using the breached payment method there, which is also important.  If the person had been a victim of a breach, the numbers were higher.

Myth #2 – Breaches don’t affect consumer spending

If the 15% above who said they would stop shopping at your store isn't enough to make you think, among actual victims of the breach more than 25% said they would stop shopping there and nearly a third would close their account.

Among the consumers who continue to shop there after the breach, almost half don't use their credit cards any more (for example, I still don't use a credit card at Target). This is important because when people pay cash, they tend to spend 10-20 percent less – because the cost is more real than when you use plastic.

Myth #3 – A Breach Only Affects The Breached Retailer

Nearly half of the respondents blamed their bank as well.  43% said they closed, froze or stopped using that payment method.  This impacts revenue up and down the food chain.  In light of Visa and Mastercard telling banks that they can say why they are reissuing a card (such as “due to a security breach at Target …”), reissue letters may get more interesting in the future.

Myth #4 – Consumers Have Short Data Breach Memories

Consumers surveyed a year after the Target breach (before Christmas 2014) said that breach would affect their holiday spending.

Myth #5 – Consumers Will Come Back On Their Own After A Breach

If some segment of the population stops shopping at a business, stops charging purchases there or reduces the size of their purchases, that is not a good thing for a business. If a year later people are still adjusting their shopping patterns due to the Target breach, the researchers suggest businesses ought to have a plan in place to win back shoppers. Target, for example, had more sales events, but sales reduce profits. In their case, even with the sales, their revenue was down and, of course, so were profits.

The information in this post comes from a CNBC article published here.


For stores that I do frequent a lot, I use prepaid gift cards. I don't use the kind that you refill, but rather the ones that are thrown away when they are empty. That way, if a store or Internet site gets hacked, the card is typically worthless. In Colorado, the grocery stores sell the cards for no fee and you get fuel points in addition. They have racks with a hundred different cards. Of course, you would only buy cards for places that you are concerned about. I, for example, buy Target and Home Depot cards. You can also buy Mastercard and Visa cards, but there is a fee for them, so shop carefully. Those cards are useful if you have to shop at a web site that you think might be sketchy.

In Case You Were Wondering – It IS About The Money

The SEC is investigating reports of a slightly different form of hacking – get insider trading information and use it yourself. Insider trading, of course, has been around as long as there has been trading. But what if the insider trading were occurring from halfway around the globe and no insiders were involved?

FireEye, as part of their client work, has discovered that hackers are spear phishing C-level executives – you know, the ones who send and receive sensitive insider information on sales and M&A deals on email – and the hackers are using it for themselves.

The group, which FireEye calls FIN4, was disclosed in a report last year. Now both the SEC and the Secret Service are investigating. They have talked to at least 8 publicly traded companies, according to an article on Dark Reading.

If you think about it, it is a perfect crime.  If you hack someone’s email they likely will never know about it – unless you are stupid.  If you have the right mailboxes, you get some pretty interesting information.

Since most C-Levels don’t encrypt their email (including the ones who still – yes, really – have their admins print out their emails for them), if you get their password you are in.  Also, most C-Levels don’t require two factor authentication to access their email, making life simple for the attackers.

So now, what do you do?  You have a group, scattered around the globe, that buys and sells stocks, probably on margin, in small blocks – say less than 10,000 shares – with different brokers.  For example, 50 people x 10,000 shares x $10 up swing = $5 million profit on one trade.  If you can get away with leveraging blocks of 100,000 shares, in that same deal you make $50 million.

As I have said for a long time:  PIGS GET FAT, HOGS GET SLAUGHTERED.  If you get too piggy, you will get caught.

However, in corporate America, there is no end of targets to attack.  And the model is VERY easy to replicate.  You could probably do it yourself, in your own name, and make a very comfortable living.

Oh yeah – who would be the juiciest target – attorneys, accountants, financial advisors, etc. THE ADVISORS WOULD LIKELY NEVER KNOW.

In theory, the company isn’t harmed, so they don’t really care.

Seems like a pretty interesting gig.

OPM Capitol Hill Hearing Summary

IAPP published a summary of the hearings on Capitol Hill regarding the OPM breaches. The revelations certainly explain the mess, but they also continue to raise the question of where Congress has been over the last 6 years. It is certainly OK to beat up OPM management, but I don't see Congress taking any of the heat that it should be taking.

So, what does the article say (see article)?

  • While OPM admits that 4+ million people’s information was compromised as a result of the first breach, they are unwilling to say how many people were affected by the second breach.
  • After intense interactions, Katherine Archuleta, director of the OPM, would only admit that they have records on 32 million people. The reason that she is being so cagey – besides the fact that they are still trying to figure out what was taken – is that if the SF86s and related data from security clearance background checks were taken, the number of people affected could be 100 million. This is because applicants have to provide information on relatives, employers, references, friends, neighbors, etc. Every SF86 could affect 10-30+ other people. For most of these people, there is significantly less information than for the applicant, but still, there is information. And if the investigators' notes were hacked, then all bets are off. Comments made by people under threat of being put in jail if they did not cooperate, and who were told that what they said to investigators was confidential, are now in the wild. If certain information becomes public and the source of the information also becomes public, careers could be ruined and, I assume, lawsuits could be filed against the people who made the statements.
  • The OPM Inspector General said that they had a "suitcase" of concerns and said OPM's response to the incidents was "dangerous". I would think Congress should have been asking OPM for years to explain what they were doing to fix the problems and what assistance and funding they needed to fix them, but until now, Congress hasn't done anything.
  • The IG said, in no uncertain terms, that what they are doing now will fail – that they are rushing through projects, not doing the basics, not focusing on doing it right. Logic would say that Congress should tell OPM to slow down, to show Congress a plan, to bring the experts who are designing the fixes to Congress to explain what they are doing. But Congress is doing none of this.
  • The IG also said that they are frustrated by the amount of time it takes OPM to provide answers to their questions and when they do get the answers, eventually, the answers are total crap.
  • Magically, the OPM was able to contract with an outsource vendor in less than 48 hours to handle the breach notification service.  Not exactly the amount of time you expect it to take to do a thorough, well planned evaluation and strategy.  The answer that Congress got about how this happened was, in my opinion, smoke and mirrors.
  • Archuleta admitted that credentials from vendor KeyPoint were used in the attack and that the KeyPoint contract was still in force – even though USIS's contract was terminated after they were breached.
  • I said the other day that the OPM was using systems developed in the 1980s.  Apparently I was wrong.  Archuleta admitted that a COBOL based system developed in 1959 is still in use.  To put that in different terms, that would be sort of like building today’s skyscrapers with rollers and pulleys rather than excavators and cranes.
  • The House committee clearly wants Archuleta gone – they blatantly said so – and while that is probably what needs to happen, firing her will make zero difference until and unless Congress does its job. Just this week, Congress punted, yet again, on spending money to fix the problem. Unfortunately, this is not a surprise.

This story will continue to unfold, but unless the pressure stays on Congress, it will go back into the dark recesses of the Washington bureaucracy.

OPM Is Not Alone – 47 Agencies' Credentials May Be Compromised

While OPM still garners most of the attention and the number of potentially compromised records continues to rise – that number could now be as high as 32 million, 1 in 10 Americans – other reports show that credentials for other government users can be found on Pastebin. Part of the problem is password reuse between work accounts and other accounts – say Facebook. Part of the problem is that many agencies still don't require anything more than a password to log in remotely (see articles here and here).

Federal Computer Weekly is reporting that credentials for employees at 47 agencies, including DHS, were found at sites like Pastebin, a toxic waste dump of all kinds of stolen stuff along with legitimate content.

FCW says that as of early 2015, 12 of those agencies did not require two-factor authentication to log in remotely, meaning that if you had that userid and password, you were in. This includes privileged users – a horrible security faux pas.

While Congress is finally holding some hearings and beating up everyone in sight besides themselves, they still have not approved the deployment of DHS’s Einstein, while at the same time complaining to agency heads about not securing the networks.

Such is the challenge of government.  Getting things done requires an Act of Congress – sometimes literally, sometimes figuratively.

Partly, this is because Congress is often about sound bites and the daily news cycle, so rather than dealing with dull, boring stuff like cybersecurity, they vote on things that will get them 30 seconds of face time on CNN or Fox.  Partly, it is because many Congress people have their staff print out their emails for them.  There are 4 Congress people who have computer science degrees (4/535 = 0.7%).

Another new item – credentials from KeyPoint Government Solutions were used by hackers to obtain access to OPM systems.

KeyPoint, one of two contractors that OPM used to do background checks, was hacked last year. The other contractor, USIS, was also hacked. OPM decided to cancel (technically, not renew) USIS's $2+ billion contract, and USIS has filed for bankruptcy. OPM defended not firing KeyPoint as well. As long as cost is used as the determining factor for who wins a contract, the American people lose because security is not a consideration.

At the same time, less than half of U.S. companies do vendor security assessments, meaning that a lot of private companies may be in the same boat as OPM and not even know it.


Privacy Group Files FTC Complaint Against Uber

As if Uber didn't have enough challenges, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC against Uber. EPIC says, in its complaint, that Uber's new privacy policy allows Uber to collect precise customer location information, even if the app is running in the background or the customer has turned off their GPS location finder. EPIC also objects to the fact that, if the user allows it, Uber can access the user's address book and use the names and contact information it finds there (see article).

Uber, in responding to the complaint, says that there is no basis for the complaint – that they have always done this; they are just making sure that people know what they are doing.

It seems to me that saying that they have always done this – just without clearly telling people they were doing it – is not exactly helping their case.

Uber also said that users will be able to choose later whether they share their data, by opting out. Uber, of course, is counting on users not knowing how to do that and not doing that.

EPIC says that while users on iPhones can opt out, there is no way for Android users to opt out at all.  EPIC also says that forcing users to opt out puts an extra burden on the user.

Uber says that they want your contact information so that they can spam your friends and family. Really. They said that. They didn't use that word, but that is what they are proposing to do.

The complaint asks the FTC to direct Uber to stop collecting data not needed to provision the service that the customer asks for.

A copy of the actual complaint is available in the link above.

Who knows how long it will take the FTC to respond, but when they do, I will write about it.