Hackers Can Now Use Your Own Headphones to Spy on You

Hackers Can Now Use Your Own Headphones to Spy on You

zzzA few months ago, a photo of Mark Zuckerberg found its way circulating around the Internet. The image (left) features the Facebook CEO positioned in front of his laptop, posing with a huge frame to celebrate Facebook-owned Instagram reaching 500 million users earlier that week. What made this photo the talk of the Internet wasn’t due to “the Gram’s” success, rather everyone was focused on the tape covering Zuckerberg’s webcam and microphone.

Though some called him overly paranoid for believing hackers were really watching his every move and listening in on his private conversations, this fear has been realized as hackers have created a malware that spies on you, not through your webcam, but via your microphone.

A malware, dubbed “SPEAKE(a)R,” converts your headphones into makeshift microphones that can spy on you and record your conversations without you even knowing it.

SPEAKE(a)R, developed by researchers in the Cyber Security Research Labs at Israel’s Ben-Gurion University, was created to show how hackers who are determined to do so could find a way to slyly hijack a computer to record audio in secret. Those who find themselves even more mistrusting of their computer’s microphone than Zuckerberg have gone to such lengths as disabling or completely removing the microphone from their computers; however, this defense does not match up to this malware. The malware alters the speakers in headphones and repurposes them to be used as microphones, “converting the vibrations in air into electromagnetic signals to clearly capture audio from across a room.”

SPEAKE(a)R can infect those headphones with a built-in microphone channel on the wire, such as Apple’s EarPods, as well as the old school versions without such advancements. The way it is able to do so it that the malware capitalizes on a feature of RealTek audio codec chips that is not commonly known. Hackers use this vulnerability to subtly change the computer’s output channel into an input channel. This allows the malware to record audio through any headphones plugged into a computer–a scary thought because these RealTek chips are extremely common. So common, in fact, that researchers have found that the attack could potentially infect almost any desktop computer, regardless of its operating system.

You can see this malware in action below:

As you can see above, the sound is initially recorded via a connected microphone; however, with the microphone turned off while still plugged in and even when it was unplugged entirely as well, the computer can still pick up the music from across the room when the SPEAKE(a)R malware converts the output channel to an input one, all because headphones are still plugged in, continually eavesdropping.

Currently, there is nothing short of entirely disabling all audio input and output from a computer as far as a defense against this vulnerability is concerned. RealTek and other audio codec chip creators can only prevent this from happening in the future by redesigning chips with a higher level of security. Until then, even going to such lengths as removing microphones will not be effective if you leave your headphones plugged into the computer.

Hailey R. Carlson | Axiom Cyber Solutions | 12/28/2016

Cyber-Aware Employees: A Company’s Greatest Asset

Cyber-Aware Employees: A Company’s Greatest Asset

Cyber security professionals often harp on the importance of businesses adopting the latest technologies–Next-Generation Firewalls, cloud-connected-everything, two-factor authentication, and much, much more– to protect their enterprises from attack; However, none of these defenses are effective in the least if their operators are not aware of the vulnerabilities and threats that face them. Who are these operators? Your employees–and they need to know how to protect themselves and your company from attack.

Employee error was sited as the number one cause of data breaches in 2015, and though a small portion of these might have been caused intentionally by malicious employees, IT pros believe that nearly 80% of breaches they deal with are caused by employee negligence and lack of cyber security knowledge.  As Sir Francis Bacon and the characters on Schoolhouse Rock have taught us all, knowledge is power. It’s the kind of power that, when spread to others, makes us all stronger as a unit–and this applies to companies as well. You can strengthen your company’s overall cyber security defenses by educating your employees with these helpful tips:

Implementation of Password Best Practices

Almost every one of us could fill a Rolodex with the number of websites we subscribe to which require some sort of password to access the specific account, so it seems obvious that password security is a key issue when it comes to protecting yourself while online; however, in a world where ‘123456’ and ‘password’ still top the list as the most popular passwords, it is worth reviewing with your employees some of the ‘password best practices.’

  • Create unique, strong passwords for each accountEmployees should create passwords that are longer than 8 characters in length, have a combination of letters, numbers, and symbols, and these passwords should not contain “guessable” words and phrases, such as employee’s username or the company name.
  • Change passwords oftenOf those surveyed, 76% of employees are prompted by IT to change passwords on work accounts every 1-3 months. This not only allows for current employees to protect their active accounts, but it gives the IT department the ability to detect dormant accounts which are often the gateways which leave a company vulnerable to attack.
  • Require multi-factor authenticationIn addition to passwords, many companies require their employees to enter in another identifier in order to indicate their true validity. These include things such as a time-sensitive code, facial recognition, fingerprints, and even retina scan.

Training of All Employees

  • Have a cyber security plan–All companies should have a strong cyber security plan in order to protect their business. Many people think that the IT department of a company is the only place where people need to be well-versed in all that is cyber security, including knowledge of the company’s cyber security plans; however, the reality is that protecting a company on the cyber front is the responsibility of all employees. Pat Toth, a Supervisory Computer Scientist at NIST, said, “You can’t just rely on one person in a 10-person company; everyone needs to have a good understanding of cybersecurity and what the risks are for the organization.”
  • Educate everyone–Toth’s sentiment not only applies to lower level employees, or even solely to mid-level employees and below–Everyone from the CEO on down to the newest employee should be knowledgeable, not only of the corporation’s cyber security plan, but also current cyber threats and how to identify them.
  • Threat awareness & testingRansomware and DDoS have plagued companies more than ever in 2016, and the primary way they got access to private information has been through phishing schemes. Phishing occurs when impostors pose as reliable entities, such as banks, universities, or other well-known companies, via electronic communication, to solicit personal information which they can then use to steal people’s identities or infect their computers with malware. Employees receive emails with a suspicious link and when they click on it, they are infected with some cyber-attack which can either leak data from their own computer, or give the hacker unauthorized access to vital information. It is important for corporations to train their employees to be able to spot such threats. Companies like J.P. Morgan have taken a different approach to training employees on this when they sent out fake phishing emails to employees shortly after training them on the cyber-scheme. They were able to trick 20% of their employees–a scary thought when factoring in the massive size of the company.
  • Secure handling of sensitive dataEmployees need to know how to handle your company’s sensitive data. Be it digital encryption or hard copy paper shredding, employees need to take every precaution when it comes to protecting your data. Though it is important for employees to do things such as back up information to an external hard drive, they should be responsible in making sure that that is not stored in an easily accessible place.

Promotion of Open Communication Among All Employees

If an employee finds a suspicious email in their inbox, they should feel comfortable verifying its validity with others. It is important for employees to be able to ask questions when they are in doubt, as this shows that they have paid attention during training sessions and don’t want to do something that would put the entire company in jeopardy. Promoting open communication about cyber security best practices among all employees will help them to learn from and teach each other, making every member of the company cyber-aware.

Educated employees are able to recognize threats and they continually take simple steps that allow them to practice strong cyber security defenses– if you fail to teach your employees how to defend against attack in the first place, it is not them who have failed the company, rather you. By making your employees cyber-aware, you can protect your business better than with any other piece of machinery. Employees don’t have to be tech savvy to be technologically responsible and aware of their impact on the company’s overall cyber security.

For more tips on how to keep your employees educated on the latest cyber security threats, read Employees: The Greatest Risk and Defense In Cyber Crime, written by Axiom Cyber Solutions President, Shannon Wilkinson.

Hailey R. Carlson | Axiom Cyber Solutions | 12/22/2016

“Name Brand” Malware: Malware Variants You Should Know

“Name Brand” Malware: Malware Variants You Should Know

Malware, short for ‘malicious software,’ is a type of software meant to harm computers and computer networks. We hear about different types of malware, such as botnet malware and ransomware, and different variants of those types of malware as well; but do we know enough about those malware currently threatening us? Here, we take an in-depth look at three of the most talked about malware of 2016.

Mirai Botnet Malware

Mirai is the Japanese word for the future, fitting, in that this is one of the most advanced types of malware yet. This malware, created in August 2016, turns any Internet of Things (IoT) device running Linux into a remotely controlled bot, or application that performs automated tasks, such as setting an alarm, that can be combined with other bots and used as part of a botnet in large-scale network attacks. Though these bots are meant to make our lives easier, they are often not properly secured and can consequently be used in malicious attacks. The most notable use of Mirai botnet malware in an attack happened in October of this year in a Distributed Denial of Service (DDoS) attack against domain name service (DNS) provider, Dyn.

Dyn, the DNS provider for major websites including Twitter, Netflix, Reddit, and Spotify, was attacked by one of the largest DDoS attacks to date, an attack that was fueled by Mirai-infected IoT devices including Internet-enabled DVRs, surveillance cameras, and other Internet-enabled devices. Because of all of the popular websites it affected, this Mirari botnet attack is considered the attack that ‘shook the Internet.’

Mirai easily infects its victims because IoT devices are some of the least protected things out there. The only way as of right now to combat this malware is to secure your IoT devices in various ways.

Locky Ransomware

Scanning the news online with just the search term ‘ransomware,’ delivers a whole host of recent ransomware variants that are threatening our files. One of the variants that is most common among these search results is ‘Locky’ ransomware. This strain of ransomware is titled as such because it renames all of your important files so that they have the extension .locky.

The most common way that Locky infects your computer is via email. What happens is that the victim receives an email containing an attached document (Troj/DocDl-BCF) that is an illegible mess of odd symbols. The document then advises you to enable macros if the ‘encoding is incorrect.’ Seeing that the message on the document file is indiscernible to the reader, he or she will likely enable these macros, resulting in infection. If the macros are enabled, the text encoding is not actually corrected, instead, code inside of the document is run which then saves a file to disk and runs it. The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks, which could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW); Locky then scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.

Once a computer has been infected with Locky Ransomware, the victim’s desktop screensaver is changed to display the ransom payment instructions. These instructions lead the victim to the dark web, where they can pay the ransom. Unfortunately there is not much that can be done other than paying this ransom, which is why it is important to take preventative measures, such as those listed at the end of this article.

Popcorn Time Ransomware

Of all of the current, popular malware out there, ransomware variant, ‘Popcorn Time,’ is among the newest and most evil of them all. This form of ransomware is named after, but not related to, the torrenting site of the same name and it is believed that this malware was created by a team of Computer Science students from Syria.

This variant takes its cue from movies like The Box and the Saw movie series in that it forces its victims to make a detrimental choice: infection of their own files, or their friends’. Once hit with the cyber-attack, the victim has seven days to determine whether her or she will pay the 1 bitcoin ransom, equivalent to about $780 currently, or pass it along to two ‘friends’ instead. If the victim decides to give up his or her comrades’ information, the malware is allegedly deleted from the initial computer entirely and it moves on to ask for payment from its new victims. Once the ransom has been paid by either the initial or secondary victim(s), they will get a decryption code; the victim has four tries to type in the code before his or her computer files are all deleted.

This ‘pass the buck’ payment method is what makes this malware variant so unique. It prompts victims with a moral question that might turn up surprising results when their backs are against the wall.

How to Avoid These Major Malware Threats

  • Avoid suspicious downloadsMalware infects computers primarily through the user clicking on a malicious link in an email or via a suspicious download. If you do not know the validity of a link, you should not click on it. This is a simple step that can go a long way when it comes to protecting your files.
  • Back up your filesIf you are unfortunate enough to be the victim of a malicious ransomware attack, you can avoid paying the criminals if all of your data is backed up to an external hard drive or some other source. The FBI advises victims of this crime to not pay the ransom, so as to discourage the hackers from doing the same thing again; they instead recommend that victims of the cyber-crime report the incident to the government agency so that they can hopefully track down these people.
  • Secure your IoT devicesWhen it comes to Mirai botnet malware in particular, it is important to secure your Internet-connected devices. Many of these devices come with a default password which you should change in order to make it harder for cyber-criminals to get to your data. Also, when at all possible, turn off remote access to your IoT devices. By leaving a device active while not in use leaves it extremely vulnerable to use in an attack similar to that against Dyn DNS.
  • Don’t enable macros in documents received via emailMicrosoft itself turned off auto-execution of macros by default many years ago as a security measure. Many malware infections rely on persuading you to turn macros back on, so don’t avoid them by not enabling macros.
  • Keep your anti-virus & anti-malware updatedWhile backing up your data and avoiding sneaky sites or links is effective, preventing these malware from getting onto your computer in the first place is a key preventative measure in fighting malware. Keeping your computer’s anti-virus and anti-malware up-to-date is something simple you can do to protect against malware, and most even allow you to set automatic updates, so you rarely need to think about it at all.

Hailey R. Carlson | Axiom Cyber Solutions | 12/14/2016

Suspicious Images on Social Media Are Spreading Malware to Your Computer

Steganography, the practice of concealing a hidden message or other data in an otherwise legitimate- or innocent-looking image, is something that has been around since ancient Grecian times as a way to sneak information passed enemies without them realizing it.  Whereas in those days, the images were hidden in paintings, texts, and sculptures, today, they are ‘hidden’ on the Internet in plain sight all across social media in the form of malicious images.

ImageGate

Users of social media sites such as Facebook and LinkedIn are being infected by hackers who are embedding malicious code into image files that then deliver malware to innocent users’ computers in a new attack vector, jokingly refered to as ‘ImageGate.’ The attackers exploit a misconfiguration in security on the websites to deliberately force their victims to download the image file which begins its infection once the downloaded malicious file has been clicked on.

The company who has been conducting much of the research surrounding these malicious files is Israeli software technology company, Check Point. The company’s research team uncovered a few methods that could be fueling this new attack vector; Oded Vanunu, head of products vulnerability research at Check Point states, “Our primary finding is embedding an .HTA format into an image file (could be a JPEG too), which is relevant to all browsers. . . It can also be executed with a .SVG file that is embedded into Java Script.” A Scalable Vector Graphics, or .SVG, file is a fairly new file type that is very attractive to cyber-criminals. SVG is XML-based, meaning a criminal can embed any type of content they want – like malicious JavaScript code, as mentioned by Vanunu.

If a user does end up clicking on these files, the malicious image will direct them to a website that appears to be YouTube, however, its URL shows that it obviously is not a legitimate YouTube link. Once the page is loaded, the victim is prompted with a vicious Chrome extension pop-up in order to play the video that’s shown on the page. If the extension is installed, the attack is then spread further via Facebook Messenger and it sometimes even installs the Nemucod downloader, which ultimately delivers the Locky variant of ransomware.

Social Networks’ Comments

Facebook and LinkedIn, the primary sites that are affected by the malware- and ransomware-ridden images, have both commented on the issue:

Facebook representatives said:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”

LinkedIn also addressed ImageGate via a company spokesperson who said:

“We investigated this report and believe this method is not especially effective. . .While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected.”

How to Avoid Infection

Though it is apparent that social media sites are adamant that these threats are not a serious issue, many users have claimed ‘ImageGate’ has affected them personally. Regardless of whom you choose to believe, it is important to take any possible precautions you can in order to avoid attack.

  1. To avoid infection, social media users should avoid opening files that are downloaded as a result of clicking on an image, or that contain unusual file extensions such as .SVG, .SJ or .HTA. Some of these files are downloaded in the background, so users do not see them initially; this is why it is important to be cautious of these file extensions when clicking on any file that is on your computer, as it may have been lying dormant in the background without your knowledge or consent. The threat that ImageGate poses can only come to fruition if the user clicks on the malicious files, so avoid clicking on those at all costs.
  2. Be wary of messages you receive that are just an ‘image’ – especially if it is in a manner in which the sender would not usually behave. Many of the malicious images people claim to have Locky ransomware embedded in them have been sent through Facebook Messenger, not just images on users’ homepages.
  3. Stay up-to-date on your security measures when it comes to social media. Change your password often and take advantage of many sites’ two-factor authentication feature in order to better protect your accounts with minimal effort required on your end.
  4. Do not click on any suspicious-looking pop-up extensions such as the Chrome extension used to spread Locky ransomware. If something doesn’t look right about the image or the pop-up, there probably is something wrong with it. Trust your gut and avoid these malicious links.

Hailey R. Carlson | Axiom Cyber Solutions | 12/8/2016

All Aboard the Ransomware Express

All Aboard the Ransomware Express

Ransomware

Ransomware, an attack that has been around in some form or another since 1989, is one of the biggest cyber-crimes of 2016. Instances of this attack have quadrupled in number during 2016 from the same time period last year, and while some are hopeful that these rates will decrease in the coming year, ransomware has expanded its grasp to reach almost every industry out there. It’s latest target? Transportation networks. More precisely, San Francisco’s Municipal Transportation Agency.

The San Francisco Fiasco

San Francisco’s Municipal Transportation Agency (SFMTA), was hit last Saturday with ransomware. The attack actually began the night prior as SFMTA reported that agents’ computer screens displayed the message “You Hacked, ALL Data Encrypted.” These broken English displays and emails, received from a Yandex address, a Russian email provider, led the company to believe this attack was carried out by foreign hackers, however, they are not certain about that at this time. Whoever these hackers might have been, they requested payment of 100 bitcoin, equal to approximately $70,000, as ransom for the safe return of these encrypted files. However, the transportation agency took the FBI’s recent advice to those hit with ransomware and did not pay the ransom. Paul Rose, a SFMTA spokesman said, “We never considered paying the ransom. We have an IT team on staff who can fully restore all systems.”

 

Rose also stated that after investigating further, it has been determined that the hackers didn’t steal any financial records or other potentially damaging information about their customers or employees. This was extremely lucky for the transit system, as ransomware is often used to steal highly sensitive data from its victims. While there were disruptions to the system operations, in an attempt to avoid mass chaos, SFMTA decided to run their buses and light rail vehicles regardless, an added gift to riders of the ‘Muni Metro’ light rail as their fares were waived during this time. These free rides are, thankfully, the only major cost to the transit agency from this attack, and as of Monday, SFMTA was still trying to determine the magnitude of this financial damage.

Though San Francisco’s Municipal Transortation Agency was rather lucky despite having been hit by ransomware, this attack should be a wake up call for all transportation networks to amplify their cybersecurity measures.

Transportation Network Vulnerability

While San Francisco was fortunate in that this attack did not result in any disruption of their services, other transportation networks have not been so lucky. In 2008, a Polish hacker succeeded in derailing four vehicles after hacking into his local town’s transit system, injuring a dozen people, though thankfully killing no one. While not many cases of cyber-attack exist within the transportation world yet, the transportation industry is highly susceptible to attack, as is clear below in PhishMe’s 2016 Phishing Susceptibility and Resiliency report.

While cybersecurity can be an intimidating hurdle for any industry, it is especially important for companies like railways, whose entire operations would be derailed without the use of technology, to be strong in this area. As is true of every sector, there is no silver bullet to enhanced cybersecurity; multiple steps need to be taken in order to be strong against attack. By taking these simple steps, among others, transportation networks can be strong against cyber-criminals.

  • Educate employees– Computers were infected in the San Francisco ransomware attack because of employees clicking on malicious emails from hackers. Had the internal IT team who was able to recover the files on their own focused more of their efforts on preventative measures, such as educating the Agency’s employees on what factors indicate a phishing email, they would not have had to worry about the recovery aspect of this cyber crime at all. It may have even been avoided.
  • Have a recovery plan– Though all companies want to prevent an attack, having a backup plan is key in those cases where the cyber-crooks get through the cracks. As with overall cybersecurity, there is not one solution which will work every time for every company, but by speculating potential threats and developing customized plans of attack for each, companies can be prepared on the back end to recover data and get back to regular business operations as quickly and smoothly as possible.
  • Install and/or update hardware & software– You can never be too protected against attack, and it is important to protect your computers and their networks in as many ways as possible. By keeping up-to-date on softwares such as anti-viruses, as well as installing firewalls with Next-generation software, you can further protect both your employee and customer information.

By combining multiple, simple steps, cybersecurity becomes less threatening and much more manageable for companies across all industries. Implementing these tips as well as others and learning from similar networks’ security errors will result in transportation networks decreasing their vulnerability against attacks, such as ransomware.

Hailey R. Carlson | Axiom Cyber Solutions | 12/02/2016

SFMTA Image