Friday, March 10, 2023

What is ZT - CDR?

Ever wondered why cyber security always has to follow cyber crime?

The pattern always is:

Malware is born -> Zero day attacks -> Malware is discovered -> Signatures are written -> Databases are updated -> Malware is contained.

This cycle repeats for every new piece of malware and, as we now know, we are still chasing the malware.

The basic signature-based method has its own flaws and to date has never been able to stop the malware menace.

CDR is one of the rare cyber security solutions that does not depend on signatures.

Why CDR?

Bad actors hide malware in files and attempt to infect networks; these zero-day attacks are difficult to detect. Networks that deploy CDR on their threat vectors, such as email, cloud apps or internet traffic, benefit from a Zero Trust CDR, which is 100% fool proof. It works by scanning each incoming file and copying only the content out of it; the copied content is written to a new file, and this clean file with the reconstructed content is what the end-user receives.

CDR reduces the risk of data breaches and system infections. It also ensures that files can be safely shared within a network without compromising the security of the system.

While CDR is an effective security solution, it is not a silver bullet. It should be used in conjunction with other security measures, such as email security, a web proxy or a CASB. By combining these different security measures, businesses can reduce the risk of cyber attacks and ensure the safety of their data.

In conclusion, Content Disarm and Reconstruction (CDR) is a powerful security technology that can help businesses defend against file-based attacks. By removing potentially malicious elements from files, CDR reduces the risk of data breaches and system infections. It is an effective tool in the fight against cybercrime and should be used in conjunction with other security measures to create a comprehensive security infrastructure.
Use-cases:
1. For outgoing traffic: can block steganography attacks.
2. For incoming traffic: emails such as these will tempt some of our employees to open the attachment and compromise the whole network. CDR on email will block such attacks.
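As an added example of the "copy only the content into a new file" step for the Office attachments this post has in mind (this is illustration code, not code from the page or from any CDR product), here is a minimal disarm pass over an OOXML package. Part names follow the OOXML packaging convention, the allow/deny rule is assumed, and the sample document is constructed inline.

```python
import io, re, zipfile

# Added illustration of CDR-style disarming of an Office Open XML document: every
# part is copied into a brand-new archive except the VBA project, and the
# [Content_Types].xml and .rels entries that point at it are dropped too.
# Part names follow the OOXML packaging convention; this is not any vendor's code.

VBA_PART = re.compile(r"(^|/)vba(Project\.bin|Data\.xml)$", re.I)
# Any single XML element whose attributes mention the VBA part ([^>]* cannot cross
# an element boundary, so neighbouring elements are left intact).
VBA_REF = re.compile(rb"<(Override|Relationship|Default)\b[^>]*vbaProject[^>]*/>")

def disarm_ooxml(data: bytes) -> bytes:
    src = zipfile.ZipFile(io.BytesIO(data))
    sink = io.BytesIO()
    with zipfile.ZipFile(sink, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if VBA_PART.search(info.filename):
                continue                          # macro code never reaches the new file
            body = src.read(info.filename)
            if info.filename == "[Content_Types].xml" or info.filename.endswith(".rels"):
                body = VBA_REF.sub(b"", body)     # no dangling references to the dropped part
            dst.writestr(info.filename, body)     # fresh entry: original zip metadata is discarded
    return sink.getvalue()

def read_part(data: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def part_names(data: bytes) -> list:
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())

def make_sample() -> bytes:
    """Constructed minimal macro-enabled package; a stand-in, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types>'
            b'<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'<Override PartName="/word/document.xml" ContentType="application/xml"/>'
            b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            b'</Types>')
        z.writestr("word/document.xml", b"<w:document><w:body><w:p>Invoice text</w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", b'<Relationships>'
            b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            b'</Relationships>')
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED-STAND-IN-FOR-COMPILED-VBA")
    return buf.getvalue()

if __name__ == "__main__":
    clean = disarm_ooxml(make_sample())
    print(part_names(clean), read_part(clean, "[Content_Types].xml"))
```

A production CDR engine would also rewrite the main part's macro-enabled content type and the file extension to the plain variant; that step is left out here.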


Tuesday, September 13, 2022

GO#WEBBFUSCATOR

How does it work?

The attacker sends an email with a Microsoft Office attachment. The attachment has an XML in it; once the attachment is opened, the XML connects to XMLSchemeFormat[.]com and downloads a malicious macro.

The macro runs a VB script and downloads an image of outer space: the famous image from the James Webb Telescope.

This image contains a hidden Base64-encoded file which, when decoded, turns into a 1.7MB Windows executable. Once executed it makes DNS connections and steals data using DNS exfiltration techniques.

This is a sophisticated multi-stage attack that spans email, web, native endpoint tools, steganography and DNS exfil.

As of Aug 31st 2022, signature-based technologies, none of the AV vendors included, were able to detect and stop this. The very basis of signature-based methods cannot stop something like this, and this has been a bane of the cyber security industry.

What we need is a technology that does not rely on signatures.

CDR, Content Disarm and Reconstruction, is one technology that does not rely on signatures. CDR simply extracts the content and writes it to a new file, leaving the hidden malware behind.

Only networks using CDR are protected against such sophisticated attacks.

CDR strips the files of macros, and as you can see below in the before-and-after file properties of the image, most of the properties are the same except for the file size.
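The before-and-after comparison above is what a rebuild of the image produces. As an added illustration (not code from this page or from any CDR product) of the kind of rebuild a CDR engine does on a PNG, the block below walks the chunk stream, copies only the chunks a renderer needs, recomputes every CRC and stops at IEND, so metadata chunks and anything appended after the picture never reach the output. The chunk allowlist is assumed and the sample image is constructed inline.

```python
import struct, zlib

# Added illustration (not any vendor's code): CDR-style rebuild of a PNG. Only the
# chunks needed to render the picture are copied, CRCs are recomputed, and parsing
# stops at IEND, so ancillary chunks and trailing bytes are left behind.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # assumed allowlist of chunk types

def iter_chunks(data: bytes):
    """Yield (type, body) per chunk up to IEND; reject anything structurally off."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, body
        pos = end
        if ctype == b"IEND":
            return                               # nothing past IEND is ever read
    raise ValueError("truncated PNG: no IEND")

def chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

def rebuild_png(data: bytes) -> bytes:
    out = bytearray(PNG_SIG)
    for ctype, body in iter_chunks(data):
        if ctype in KEEP:
            out += chunk(ctype, body)            # re-serialised, never copied verbatim
    return bytes(out)

# Constructed sample: a valid 1x1 grey PNG carrying a tEXt chunk and junk after IEND.
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"tEXt", b"Comment\x00constructed metadata")
          + chunk(b"IDAT", zlib.compress(b"\x00\x80"))   # filter byte + one pixel
          + chunk(b"IEND", b"")
          + b"CONSTRUCTED-TRAILING-BYTES-NO-RENDERER-READS")
```

Calling rebuild_png(SAMPLE) returns a smaller file with the same pixel data and no text chunk or trailing bytes, which matches the "same properties except file size" observation above.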


Further reading:

https://www.forcepoint.com/blog/x-labs/combatting-james-webb-telescope-image-malware-attack

https://securityaffairs.co/wordpress/135090/malware/gowebbfuscator-james-webb-space-telescope.html

https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/

Saturday, May 23, 2020

To do or not to do… the Covid app.


Corona, or Covid-19 as some like to call it, is in the news everywhere. It has practically become the central theme of the world now. With due respect to the people and families who lost their loved ones, it would be safe to say that Covid-19 has also spun off many unexpected positives: low levels of pollution, the Himalayas visible from far-off places, free movement of wild animals, etc. It has also spun off a technology challenge / opportunity.

‘How can we’, or ‘can we at all’, use technology to map the infected patients and alert the healthy ones?

There are several countries, like Australia, Singapore, China and many more, that have launched COVID apps for contact tracing. Aarogya Setu is one such app, launched by the Govt of India.

Not surprisingly, there are naysayers and sceptics who are thrashing this initiative. In this article, let us take a view of some of these concerns and look at them objectively.

How do the contact tracing apps work?
Not very different from Google Maps. The first step is to get as many people as possible to use the app. Now, when a person (with the app, of course) is moving around, say in a city, his movements are tracked in the app. If the person happens to be an asymptomatic patient and finds out 2 days later, then all the people he was in touch with over the past 2 days can be alerted. The app also helps to identify clusters or hot spots of infection, helping local authorities to initiate containment in that area.
Great logic, and it will work for sure. The Govt needs to make sure a large volume of people use the app for this to be successful.

Privacy concerns?
One of the biggest concerns is that there is no specific Data Protection Law in India under which this app could have been safeguarded or evaluated. Though there is a proposed bill, the Personal Data Protection Bill 2019, it is yet to become law. Work in progress.
The other big concern is what happens to the data being collected. I installed the app on my phone and found that the app takes information like name, gender, travel history, telephone number, basic health info and location. I will be concerned if this data is misused by tele-callers who inundate me with unsolicited sales calls. There is no financial data or major identity data, so I do not have to be bothered about losing my identity or bank balance.
On the other hand, most users would happily and voluntarily part with data on social media platforms and other apps. How else do you think Amazon and Facebook know what is (or was) on my mind, or which product or service interests me? I can say with confidence that Facebook, Amazon and Google possibly know more about us than the HR department where we work, or even our near and dear ones.

Track the tracker!
Various benchmarks are used to track the tracker; of course there is no standard way of doing it. Let us look at the way MIT Technology Review does it. It looks at 5 areas:
a) Is the app voluntary?
To begin with, the app was said to be mandatory. A driver's license is mandatory, and one can be punished for driving without one. This app was compulsory, but cops were not stopping you to check if you obeyed the Govt. The government, to their credit, is trying to allay the fears around data misuse and has made the use of Aarogya Setu completely non-compulsory. The app now holds the record for the world's fastest-growing mobile app, with over 100 million downloads.

b) Limitation on data use?
The govt has not clearly mentioned this, nor do the data protection provisions elaborate on it. We just need to trust the govt here. People who are worried this could be used for surveillance should remember that if you use anything that is “SMART”, it is watching you: smart phone, smart TV or smart home.

c) Data destruction?
Here the Govt has come clean. It has a data destruction policy, and for unaffected people most of the data is stored on the phone itself.

d) Data collection?
This is a relative comparison. Compared to China and Turkey, India is collecting only the data that is absolutely required. Compared to some EU countries, India may be overstepping, as it asks questions like: do you have diabetes or BP? Anyway, for most Indians, health info is not a very big secret.

e) Transparent coding?
The app is developed by NIC. I am not sure if they have adhered to any specific standards, but if the app is to be successful in the long run it will become standardized and interoperable. I am hoping it will work well with Apple and Google's initiatives.

Conclusion:
Comparing the potential upsides and the potential downsides, I would choose to have the app installed on my phone, with the hope that all those around me do so as well. Until the vaccine comes, until corona is overcome, let us do all that we can to stay safe.

Tuesday, October 1, 2019

Almost Hacked...

I always kept wondering why the bad guys (in cyber security) succeed most of the time, and I got my answer this morning.
It is that time of year when we all have to file our IT returns and await our refunds or confirmations from the IT department. It is almost a month since I filed my returns, and I have been waiting for that SMS. This morning at 4:47am my phone beeped and the much-awaited SMS popped up.

I was excited when I saw my name and ITFUND as the source of the message. I was a wee bit disappointed with the amount, as I was expecting a higher refund. Nevertheless, I clicked on that link from my mobile. I noticed it got redirected a couple of times and landed on this Income Tax Department page (a look-alike page).

By now I knew this was a fraud, but I went ahead and chose a bank. Obviously these fellows have set up a trap to steal banking credentials. I chose a random bank and gave some random credentials; the hackers then took me to an RBI website (look-alike) and asked for all my personal data. With this they will create a fake ID and swap my SIM to steal my OTP as well.

Tell me one thing: would you have clicked on that link and keyed in your password? Put your answers in the comment section.

I also clicked that link from my laptop, and as expected our web security solution blocked that link.

Friday, June 22, 2018

Disgruntled employees can pose serious threat

Tesla is the American multinational corporation that specializes in electric vehicles, energy storage and solar panels. A disgruntled Tesla employee broke into the company's manufacturing operating system and sent highly sensitive data to unknown third parties. This is a steadily growing trend being witnessed in various parts of the world: unhappy employees, sacked employees and in some cases even high-performing ex-employees actively try to damage their ex-employer. Such employees should be ashamed of themselves.

What can Employers do?

Well, there is help available now. Technology can help address this issue. We now have behavior analysis solutions that can figure out the current mood of your employees: are they happy? Sad? Angry? Frustrated? Do they pose a danger to the organization? The solution is called User and Entity Behavior Analytics.

Saturday, May 26, 2018

Fancy Bear returns

The hackers responsible for the Democratic National Convention (DNC) hack in 2016 are back in the news again. On May 23rd, Cisco announced a major breach of over 500,000 routers and network storage devices. The FBI acted swiftly and seized the internet domain that was used in the attack, cutting off the communication between the hackers and the infected devices. For now the hackers will not be able to exploit these half a million devices for their malicious intentions, but the malware still resides in all of them. The infected devices are spread over 50 countries, and the most likely author of this malware is Fancy Bear, the hackers behind the 2016 DNC hack.

Researchers found VPNFilter source code on these infected devices, the malware that was used by Russia to attack Ukraine, including the massive power outage. VPNFilter is hard to detect, works in stealth mode and is known to steal critical data from infrastructure systems.

As an immediate next step, it is advised to reboot the devices, change the passwords, stop using default passwords and disable remote admin on all internet-facing devices. Legacy security systems depend on static policies and rules to provide security. In the ever-changing threat landscape of current times, there is a need for RAP, Risk Adaptive Protection, which understands the behavior of people and adversaries and dynamically changes policies and rules to provide better security.