Dec 31 2013

2014 Threats Predictions: Cloud Attacks Could Lead to Data Loss

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Ramnath Venugopalan.

We foresee three broad threat areas that will affect cloud computing in 2014: data breaches and data loss, denials of service, and malicious uses.

Data breaches and data loss

In 2014, we expect to see an increase in attacks aimed at shared resources in any IaaS, PaaS, or SaaS (Infrastructure, Platform, or Software as a Service) cloud environment. Attackers will make an effort to access all client data on a multitenant cloud service by exploiting a flaw in one tenant. Attempting to avoid data loss by leveraging alternate sites also opens up additional avenues for data breaches. Trying to avoid data breaches using encryption risks losing the data if the key is lost. This approach also makes the cloud less useful as a storage mechanism because searching for content based on keywords will be that much harder without searchable encryption, which is not very mature as a technology.

Customers risk a loss of control over their data as various free cloud providers effectively own the data that customers place with them. A failure at a cloud provider could result in the complete loss of all data stored there. Many consumers do not back up data at multiple providers or locally; they could lose everything if their cloud service fails.

We expect to see an increase in attempts to compromise vulnerabilities in the APIs exposed by cloud service providers. Cloud customers build upon these APIs, in effect adding attack surfaces that may lie outside cloud provider policies and defenses.

Every year, we add more and more personal data to cloud services such as Facebook, Google, Picasa, LinkedIn, and others. Compromising the authentication data of any one of those clouds could provide attackers with a wealth of information. They might be able to guess or gather other authentication data leading to work-related systems, identity theft, family budget figures, physical theft from a residence, threats to personal security, and so on. The online reputation and connections of a compromised account could also be used to launch further attacks using social engineering or malware to infiltrate workplace computers or those of the victim’s connections. These threats will increase in 2014 as the value to be gained grows every year because more data is available and more people are connected.

Denials of service

With the increase in adoption of IaaS and PaaS solutions, denial-of-service attacks will also increase, causing service outages as well as direct financial losses—due to cloud providers billing the costs of the network and computing cycles incurred during an attack to the target of the attack. Victims will lose twice. Thus DoS attacks will have an impact both on the customers of a cloud service and on the providers of applications running on a cloud service.

Malicious uses

In a related vein, we anticipate next year a rise in attackers using the computing power, flexibility, and ease of deployment of cloud computing to launch large-scale, targeted attacks on businesses and governments. We’ll see more “Dark Cloud” providers that either encourage such attacks or do little to prevent them.

Dec 30 2013

Why NSA spied on inexplicably unencrypted Windows crash reports

The National Security Agency's X-KEYSCORE program gives the spy agency access to a wide range of Internet traffic. Any information that isn't encrypted is, naturally, visible to passive Internet wiretaps of the kind the NSA and other intelligence agencies use. This in turn will typically expose such things as e-mails, online chats, and general browsing behavior.

And, according to slides published this weekend by Der Spiegel, this information also includes crash reports from Microsoft's Windows Error Reporting facility built into Windows.

These reports will tell eavesdroppers what versions of what software someone is running, what operating system they use, and whenever that software has crashed. Windows also sends messages in the clear whenever a USB or PCI device is plugged in as part of its hunt for suitable drivers.
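A defender can check for this exposure in their own web-proxy logs. The following is an added example, not code from the article: it scans constructed Squid-style access log lines and reports which internal clients submitted crash reports over plain HTTP; the submission hostnames are an assumption and should be adjusted to whatever your own logs show, and TLS tunnels (CONNECT) are not flagged because the report body is not visible to a passive observer.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed (not taken from the article) hostnames used for Windows Error
# Reporting submissions; replace with the endpoints seen in your own logs.
WER_HOSTS = ("watson.microsoft.com", "watson.telemetry.microsoft.com")

# Constructed sample Squid access log lines:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1388400001.123    45 10.0.0.7 TCP_MISS/200 512 POST http://watson.microsoft.com/StageOne/report - DIRECT/1.2.3.4 text/xml
1388400002.456   120 10.0.0.7 TCP_MISS/200 1024 GET http://www.example.org/index.html - DIRECT/5.6.7.8 text/html
1388400003.789    60 10.0.0.9 TCP_TUNNEL/200 4096 CONNECT watson.microsoft.com:443 - DIRECT/1.2.3.4 -
1388400004.000    30 10.0.0.9 TCP_MISS/200 256 POST http://watson.microsoft.com/dw/report - DIRECT/1.2.3.4 text/xml
"""

# Pull out only the fields the check needs: client address, method, URL.
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def is_wer_host(host):
    """True for an exact or subdomain match against the assumed WER hosts."""
    return any(host == h or host.endswith("." + h) for h in WER_HOSTS)


def find_cleartext_wer(log_text):
    """Return a Counter of client addresses that sent crash reports over
    unencrypted HTTP. CONNECT entries are TLS tunnels and are skipped: an
    eavesdropper learns the hostname there, but not the report contents."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") == "CONNECT":
            continue
        parts = urlsplit(m.group("url"))
        if parts.scheme == "http" and is_wer_host(parts.hostname or ""):
            hits[m.group("client")] += 1
    return hits


if __name__ == "__main__":
    for client, count in find_cleartext_wer(SAMPLE_LOG).items():
        print(f"{client}: {count} cleartext crash report(s)")
```

Clients that appear in the output are the ones whose crash reports, and therefore software inventory, are readable on the wire; they are the machines to target with a policy change to disable or restrict error reporting.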


Dec 30 2013

2014 Threats Predictions: Social Media Changes Keep Users Off Balance

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Aditya Kapoor.

In order to maximize profits, cyberattackers quickly adapt to popular forms of communication; they go where their victims go. Sometimes they even seem to get there first. Every time a new medium gains popularity, fast-moving attackers find the new medium’s flaws and take advantage of its new users. This tactic works because many new services haven’t fully worked out security measures even as their popularity skyrockets.

Email and traditional Internet messaging (Yahoo, Google Talk, MSN, and others) have seen plenty of malware attacks. When we use these “old” systems, most of us know to not open attachments or click on links from strangers. But new systems often seem fresh and different when we first use them.

A survey by McKinsey’s iConsumer report (published by Forbes) confirms the obvious: email usage has been declining for years (36% of users in 2012, down from 42% in 2008), while social media usage rose to 26% in 2012 from a meager 15% in 2008. Overall, people are still communicating primarily by email, but its use continues to drop. More and more people now connect and interact via services such as Facebook, Twitter, Snapchat, Instagram, LinkedIn, WhatsApp, and others. These services are available on any device.

As we flocked to Facebook, it was new and seemed safe. But starting in 2008 and peaking in late 2009, Koobface malware was one of the primary threats against Facebook users. Until it lost steam in 2011, Koobface employed a lot of advanced features in its botnet: using URL-shortening services to send malicious links, hijacking users’ accounts, autoresolving CAPTCHAs, and other methods. Many of these features are still present in similar but much smaller threats.

Three categories of attacks on social media are the most prevalent: data theft, money theft, and profile and network-identity theft. This triumvirate isn’t likely to diminish because its appeal is fundamental to the goals of cybercriminals.

Data theft: malware installation

Social media features change rapidly; many users have a hard time determining what is legitimate versus what is not. Attackers take advantage of the confusion of ever-changing applications and policies. Recently we have seen numerous social-engineering tactics that trick users into installing an application for a service that does not exist. These campaigns use a similar tactic: Users receive an email purportedly from a social media company with a link to a “new” app. After clicking the link, they are asked to download a plug-in, which installs malware and steals information. For example, one recent attack sent an email with a “voice message notification” apparently from WhatsApp. Listening to the message, however, added the user’s machine to a botnet. These methods are not new, but mixing the malware message with social media often confuses users who don’t know what the norm is.

Money theft: spam and scam

Scammers also use fake notification systems that masquerade as updates from social media sites. A notification email apparently from a social media site claims there are unread messages. Clicking the message redirects users to fake pharmaceutical items, for example. Some users buy these items, sending money to crooks.

Scammers are quick to use new communication mechanisms and abuse them to generate money or steal personal information. Recently criminals used Snapchat in a pay-per-install affiliate model: Users received nude pictures and in order to see more snaps, they had to download an application, which in turn paid the spammer money for the installation.

Snapchat has become very popular for the wrong reasons—such as sending explicit images—because the service promises to delete the images after a set time. Recently scammers used Snapchat to show “leaked” pictures; users had to enter their Facebook login credentials to access the information. You can guess where the login information went—to the scammer’s server.

Profile and network-identity theft: Spearphishing on social media

Social media sites like Facebook have done a lot of work to keep their users safe. It is difficult for scammers to post a malicious link to another user who is not in the friend network. But a social network is only as strong as its weakest link, which can compromise the entire friend network because we tend to trust our friends and what they post. (Security blogger Dancho Danchev writes about one example in “Continuing Facebook ‘Who’s Viewed Your Profile’ Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem.”)

LinkedIn has become fertile ground for attackers. By watching for the updated status of executives or sales people and their new connections, online spies might gain a competitive edge or knowledge of unannounced products.

What’s coming

The social media landscape is changing rapidly, with new services being introduced faster than they can be secured. Scammers and malware authors abuse these services and make the most of them while people are still learning about the new security risks. When the security bar is raised high enough, these scammers move on to newer mass communication methods. Their methodologies and motives remain largely the same.

In the coming year we are likely to see an increase in corporate espionage via social networks such as LinkedIn. It’s a good idea to verify a message even when a known person tries to contact you on social networking sites. A simple IM or email to verify identity is enough to keep scammers at bay.

Scammers will use apps like Poke and Snapchat to prompt victims to “win a free iPad,” for example, by visiting a website within 10 seconds. Some unsuspecting users will give out their information as fast as possible, succumbing to rush tactics.

A continuing worry about social media services is the false sense of privacy they encourage. We will continue to see children and adults become complacent and share private pictures and other information. Parents need to talk to their kids who use social media about safe sharing practices.

In the coming year social media attacks will continue and mature, as attackers find new ways to craft their attacks. We expect spam and phishing attacks will gain momentum. In the corporate world, stealing data related to business social networks and contacts will become a greater target than passwords or credit card information.

Dec 30 2013

2014 Threats Predictions: Everyone Wants a Piece of Big Data

This post is the first in a series of articles that will expand on the recently released McAfee Labs 2014 Threats Predictions. In this and upcoming posts, McAfee Labs researchers will offer their views of new and evolving threats we expect to see in the coming year. This article was written by Dr. Igor Muttik and Ramnath Venugopalan.

Big Data is a popular term. The concept feels important, and menacing, because we know that the amount of knowledge available on the Internet is enormous and it grows at a staggering rate. But data accessible via the Internet is only the tip of an iceberg: The Internet as we know it is only the public part of massive amounts of online data. Knowledge is power; that hasn’t changed. And extensive knowledge (which Big Data provides) leads to a lot of power.

Those of us who often shop online notice that commercial websites are getting better at focused personal advertising; sometimes they identify our interests even before we realize them ourselves. Commercial sites gather and share (often indirectly, via ad providers) information about web pages we visit. In 2014 we expect commercial companies will become more effective and more aggressive in tracking consumers by analyzing the growing stores of Big Data they hold. Driven by further adoption of “do not track” functionality in browsers, we foresee an accelerated shift from tracking based on cookies toward fingerprinting based on browsers and behavior. As a result, there will be deeper and wider online tracking and an increasing number of privacy concerns. Unprotected users will continue to lose control over who analyzes and records their online actions and when it happens. Staying anonymous when browsing will be harder next year.

Security companies are also creating Big Data stores, but the data we gather is very different from the information that commercial interests and cybercriminals seek. Security products do not need personally identifiable information to discover malware, spam, and other intrusions—only the data to uncover new attacks.

Tracking consumers using Big Data is easy. However, discovering new and unknown intrusions is much harder as we deal with professionally organized malware-writing gangs. Despite their efforts, we predict that machine learning and data analytics based on Big Data will improve the discovery of targeted attacks and persistent threats in 2014.

Many large-scale organizations are deploying Big Data analytics, at the cost of millions of dollars, to identify threats within their environments. In 2014 and beyond, however, we expect to see the first signs of evasion maneuvers targeting Big Data analytics, as malware and spam gangs, for example, attempt to poison security telemetry to make their activities less noticeable.