Threat Analysis: Third Party Apps

Locked-down

Bypassing security in computers can be as easy as tricking someone into downloading something that they should not. This is especially true of third party apps.

Third party applications are programs written to work within an operating system but were not created by the makers of the operating system. In short, they were not created by one of the big three: Microsoft, Apple, or Linux.

These applications can be standalone, like the Youtube app, or they can be plugins that add functionality to another program, such as AdBlock for the Chrome web-browser. This means that the majority of programs, including most anti-virus programs, firewalls and multimedia programs, are third party.

Theoretically speaking, using third party applications can lessen the number and extent of potential vulnerabilities in a system when used to isolate certain functions, such as email, from other applications in the system. The problem is that many third party apps do not isolate themselves. Instead, many want access to other parts of the system.

Many applications are transparent and innocuous in their requests for access, like a photo-alteration program wanting access to your camera and photos. These requests are necessary for the program to work. Other applications are not. On example is ransomware, a malicious program that gains administrative access to the system to “lock” your keyboard or computer and prevent you from accessing your data until you pay a ransom.

One such ransomware is an app called Porn Droid. Porn Droid masquerades as an app for viewing adult videos. The underlying malicious code is known as a LockerPin Trojan that activates the devices administrator privileges in a hidden underlying window. The malicious code uses this access to take a picture of user, lock the system and display a message directing the user to send money in the form of Bitcoin to the maker.

Similar applications can be found in application download centers such as the Google Play store, which does not investigate all apps that is makes available for download. Even companies that have strict guidelines on what can enter the marketplace on their devicesre susceptible. This has been demonstrated by the release of malware on the Chinese iOS store.

What we learn from these examples is that users must be wary of what they download onto their devices. Every application has the potential to harm the system for which it was downloaded. Good questions to ask before and after downloading an application include:

  • Do I really need this app?
  • Are there any negative stories about this app online?
  • Does this app really need these system privileges to properly run?

Trolling for the Terrorists: The Many Faces of Joshua Goldberg

In mid-September, a man who went under the Twitter handle “Australi Witness” was charged with illegally distributing information relating to the creation of explosives in a plot to bomb a 9/11 memorial ceremony in Kansas City, Missouri, in violation of Title 18, United States Code, Section 842(p). This arrest was the result of a FBI joint investigation with the Australian Federal Police.

However, all is not what it seems. Australi Witness was an atypical Australian jihadist. In fact, Australi Witness turned out to be neither Australian nor a jihadist. He was instead 20-year old Joshua Goldberg, a U.S. citizen from Florida. Goldberg was an Internet troll who delighted in creating controversy and upsetting his fellow Internet users.

Read More

Law Enforcement and Social Engineering

PoliceandSM

It is not just the criminals and terrorists who use social media to perform social engineering. Law enforcement agencies have been known to use social media for investigative purposes as well, with varying results.

Private investigators use social engineering techniques to trick people into giving up personal and financial information all of the time. In fact, Kevin Mitnick, the infamous social engineer, worked as a private investigator for several years. It appears as though the police and federal authorities are beginning to adapt these practices as well.

Social media is already a well-established tool of Real-time Crime Centers for police departments in places such as New York, Houston and Cincinnati. However, there is a difference in passively analyzing social media data to detect crimes and actively using it to investigate. One of those active means involves creating fake social media accounts and using them to gain and exploit the trust of the “bad guys.”

The U.S. Federal Bureau of Investigation has used Facebook to go undercover with false online profiles to communicate with suspects. They have also gathered private information such as the identity of a target’s friends or relatives, postings, photographs and videos through these means.

These methods have not always been viewed as proper by the courts. The U.S. Drug Enforcement Agency was recently sued in civil court by a woman whose likeness in the form of pictures was used in an undercover sting. They ended up settling for 134,000 USD.

This trend appears to indicate that investigative techniques using social media will only grow in the future. Whether or not those techniques will involve social engineering remains unanswered.

Social Engineering for the Terrorists: The Death of Junaid Hussain

On August 28th 2015, an ISIS hacker named Junaid Hussain was killed in air strike. While the death of a member of an extremist movements falls outside our usual topics of discussion, it was his job description that is of particular interest here.

Hussain’s job primarily involved online recruitment and propaganda. During his tenure, he is alleged to have been a part of the team responsible for the posting of personal information and financial details of United States military personnel online for others to exploit.

Hussain’s method included aggregating openly available information from the Internet. He then used this information to further ISIS goals such as breaking into a social media accounts, such as US Central Command’s Twitter and YouTube accounts, to send pro-ISIS messages. In effect, Hussain was a social engineer.

Hussain had a history of using social engineering skills before he joined ISIS. He plead guilty in 2012 to publishing former British Prime Minister Tony Blair’s address book. He accomplished this by gaining access to the email account of one Blair’s staff. In other words, he found a week point in their human security and exploited it to further a goal.

This example points to the dual nature of the social engineer. These skills could have proved invaluable in protecting critical information. Instead they were used to perpetuate jihadi goals. This decision ultimately cost Hussain his life.

Con-Artistry 2.0: Two Ways Social Engineers “Phish” for Personal Information

Earlier, we discussed the four steps that social engineers use to penetrate a corporation’s online security. These same steps are used to attack personal security in online settings. One method of social engineering known as “spear phishing” uses the social engineering cycle as described by Mitnick and Simon. Spear phishing involves an email that appears to be from an individual or business known to the victim, and either solicits information or asks targets to click on a link, which redirects them to another website which loads malware onto the victims computer.

However, not all uses of social engineering are as finely tuned as spear phishing attacks. Mass email phishing scams have been the scourge of inboxes for decades. The most famous of phishing attacks has been the Nigerian 419 scam, which makes false promises of future profits to convince the target to send funds to the attacker. These scams thrive on the idea that the larger the number of recipients, the more likely the scammers will receive a response.

Simple ways of avoiding both kinds of phishing attacks include:

  • Never disclosing personal information through email. Very few companies, especially financial institutions, ask for this information through an insecure email account
  • Never clicking on a link in an e-mail. Instead, enter the URL manually into the browser to avoid redirection to another website
  • Contacting the person or entity using a trusted phone number to verify emails independently when in doubt

Con-Artistry 2.0: How Social Engineers Bypass Corporate Security in Four Steps

The weakest link in any security system is the human element. Tricking humans into voluntarily divulging secrets or performing counterproductive activities is the easiest way to subvert protective measures. In the world of information security, social engineering is this feat of trickery.

Social engineering is described by Thornburgh as the “…psychological manipulation and exploitation of people into performing actions or divulging confidential information.” When applied to network technologies, we refer to it as Con-Artistry 2.0. This is because, at its heart, social engineering is a confidence trick.

As with any con, there is a procedure that is used by potential intruders. Mitnick and Simon, in their book the Art of Deception, described social engineering as a cyclical process composed of four interrelated steps:

The Social Engineering Cycle

The Social Engineering Cycle

  • Step 1: Research- Specifically this step consists of research into the target. Such research may include learning the “lingo” of the target but may also include basic Google searches for background information. Also included in this step is public information from sources such as SEC filings and press clippings as well as “dumpster diving.”
  • Step 2: Development of Rapport and Trust- The thieves make contact with the target and establish trustworthiness. Methods of creating trust include invoking an authority figure by using insider information, misinterpretation their identity and referencing people they know.
  • Step 3: Exploiting Trust- Using this newfound trust, the attacker asks the target to provide information or to perform an action.
  • Step 4: Utilizing Information- Repetition of former steps is continued until the ultimate goal is reached.

Understanding these steps can help corporations protect themselves as well as understand that not all threats to security are high tech. Sometimes picking up a phone can be as dangerous to the bottom line as a robber with gun.

Social Media Vulnerability and Large Numbers

Safety on social media is difficult to maintain for all users, especially for those users who use platforms with millions of members and relatively small staffing ratios. A 2014 TED Talk by the Vice President of Trust & Safety at Twitter emphasizes this point. The complete Del Harvey Ted Talk is included bellow and worth the watch:

 

This speech raises several good points to consider for user safety. The idea of “visualizing catastrophe” is the perfect encasement of our mission here at the Direful Media Lab. Thinking of how the benign can be turned dangerous, and how to prevent those repercussions through user education, is a major goal of ours. As we have pointed out with smartphone applications like Ruby by Glow, information is vulnerable to the provider of the service. However, it is also vulnerable to threats from other users. Read More