Mobile threats in Symantec Study: 1 million Malware Apps identified

The Symantec study on Internet threats has some interesting findings on the threats arising out of mobile devices which need some deep analysis.

The first alarming aspect thrown open by the study is that of the 6.3 million apps observed, about 1 million have been classified as “Malware Apps” (we shall call these MalApps). These are programs and files created to do harm, and include viruses, worms and Trojan horses. 2014 is considered the 10th anniversary of MalApps, since the first mobile worm is said to be SymbOS.Cabir, found in 2004. The 1 million new MalApps found in 2014 consist of 46 new families of Android malware. The study says that this 1 million MalApps does not include about 2.3 million “grayware” apps, which display undesirable behaviour such as advertising.

Symantec expects the growth in mobile malware to continue in 2015, becoming more aggressive in targeting a user’s money. It is estimated that 51 percent of U.S. adults bank online and 35 percent use mobile phones, and hence they are prime targets for MalApp writers. The study records that malware can intercept text messages with authentication codes from the bank and forward them to attackers. Fake versions of legitimate banks’ mobile applications also exist, hoping to trick users into giving up account details.

The study notes what it calls “madware”, which uses aggressive techniques to place advertising in a mobile device’s photo albums and calendar entries and to push messages to the notification bar. Madware can even go so far as to replace a ringtone with an ad.

An analysis of threats by platform indicates that out of the total of 48 threats (counted by family, ignoring variants), 45/46 were identified on the Android platform and 3 on iOS.

As regards vulnerabilities, 168 mobile vulnerabilities were disclosed in 2014 compared to 127 in the previous year. It is surprising to note that 84% of these vulnerabilities are in iOS and only 11% in Android. BlackBerry accounts for 4% and Windows for 1%.

Probably the documentation of vulnerabilities for Apple is better organized than for Android, and hence the finding about the security of iOS phones vs Android phones could be skewed. This is an interesting observation and leaves both equally vulnerable to risks.

As of today, Android appears to have a lead in market share of around 51.2% as against iOS at around 43.5%. Cumulative global shipments of Android phones were around 1644 million units from 2010 to 2014, while cumulative sales of Apple iOS devices since their launch in 2007 are around 600 million.

This indicates that relatively there were more vulnerabilities in iOS than in Android, though there are more threats on the Android platform than on iOS.

The type of threats that the MalApps pose is reflected in the following chart.

[Chart: mobile malware behaviour]

It may be expected that in the coming years these mobile threats will increase and create more risks for users, since the app ecosystem is difficult to monitor. The security industry needs to do something specific to improve the reliability of mobile platforms so that they can support the market developments in the coming days.

Naavi

Posted in Cyber Law | Leave a comment

Ransomware and Watering hole strategy

The Symantec Internet Security Threat Report of 2015 has provided some interesting insights into the current trends in threats and vulnerabilities in cyberspace.

One of the interesting findings of the study is the rise of ransomware as a major threat.

Ransomware is malicious software that locks and restricts access to infected computers. The malicious software then displays an extortion message using a social engineering theme that demands a ransom payment to remove the restriction.

In 2014, ransomware attacks more than doubled from 4.1 million in 2013 to 8.8 million (approximately 24000 per day). File-encryption attacks leading to ransom demands expanded from 8274 in 2013 to a whopping 373,342 in 2014, a nearly 20-times jump in the threat. The actual ransom demand on average was around US$ 1000 to 2000. However, since we have seen ransom demands of up to $5 million in India during the last year, it can safely be said that if the victim is a corporate entity, the damage could be significant.

Yet another point worth noting is the use of the watering hole strategy for distributing malware. This strategy plants trojans on a popular website, such as that of a newspaper, which is both respected and has high traffic. (The name is taken from the strategy used by hunting animals, which wait near water sources in a forest and catch their prey.) The downloaded trojans are used for identity theft and other malicious purposes. The advantage of such watering hole attacks is that in corporate networks which maintain restricted internet access, the popular sites may still be allowed, and hence the malware can reach the employees.
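The defensive consequence of the point above is that an allow-list of trusted sites is exactly where a watering hole lands, so the proxy logs for those sites deserve a dedicated check. The following is an added example, not code from the original post or from Symantec; it assumes a forward proxy whose log records carry timestamp, client address, destination host, path, HTTP status and response content type (a constructed layout), and the allow-list and log lines are constructed for illustration. It flags successful downloads of executable-like content served by allow-listed hosts, which a newspaper or weather site has no legitimate reason to serve.

```python
# Added example (not from the original post): scan constructed proxy logs for
# executable downloads served by sites that a restricted corporate network
# still allows, which is exactly where a watering hole attack lands.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed allow-list of popular sites that a restricted network still permits.
ALLOWED_HOSTS = {"news.example.com", "weather.example.org"}

# Response content types a news or weather site has no business serving.
SUSPECT_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/java-archive",
    "application/octet-stream",
}
# File extensions that indicate a dropped executable or a Java-borne loader.
SUSPECT_EXTENSIONS = (".exe", ".scr", ".dll", ".msi", ".jar")

# Assumed (constructed) log layout: timestamp client host path status "content-type".
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ctype>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    client: str
    host: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_downloads(lines: Iterable[str]) -> List[Finding]:
    """Flag successful downloads of executable-like content from allow-listed hosts."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        # Only trusted, allow-listed sites matter here: an executable from a
        # blocked site never reaches the user, one from a trusted site does.
        if rec["host"].lower() not in ALLOWED_HOSTS:
            continue
        ctype = rec["ctype"].split(";")[0].strip().lower()
        path = rec["path"].split("?", 1)[0].lower()
        if ctype in SUSPECT_CONTENT_TYPES:
            reason = f"content-type {ctype}"
        elif path.endswith(SUSPECT_EXTENSIONS):
            reason = f"extension {path.rsplit('.', 1)[-1]}"
        else:
            continue
        findings.append(Finding(rec["ts"], rec["client"], rec["host"], rec["path"], reason))
    return findings


def hosts_with_findings(findings: Iterable[Finding]) -> dict:
    """Count findings per allow-listed host so a reviewer sees which trusted site is serving payloads."""
    counts: dict = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample log: benign browsing, two executable downloads from
# allow-listed sites, one download the proxy already blocked, and one junk line.
SAMPLE_LOG = [
    '2015-04-20T09:01:12Z 10.0.0.15 news.example.com /headlines/index.html 200 "text/html; charset=utf-8"',
    '2015-04-20T09:01:14Z 10.0.0.15 news.example.com /static/ads/banner.js 200 "application/javascript"',
    '2015-04-20T09:01:15Z 10.0.0.15 news.example.com /static/ads/flashupdate.exe 200 "application/x-msdownload"',
    '2015-04-20T09:02:03Z 10.0.0.22 weather.example.org /forecast 200 "text/html"',
    '2015-04-20T09:02:07Z 10.0.0.22 weather.example.org /img/radar.png 200 "image/png"',
    '2015-04-20T09:03:41Z 10.0.0.22 unlisted.example.net /tool.exe 403 "text/html"',
    '2015-04-20T09:04:00Z 10.0.0.31 weather.example.org /cdn/lib.jar?v=3 200 "application/octet-stream"',
    'this line is not a proxy record',
]

if __name__ == "__main__":
    for f in find_suspect_downloads(SAMPLE_LOG):
        print(f"{f.ts} {f.client} fetched {f.host}{f.path} ({f.reason})")
    print(hosts_with_findings(find_suspect_downloads(SAMPLE_LOG)))
```

The check is deliberately scoped to allow-listed hosts: a 403 from a blocked site is already handled by policy, whereas a 200 carrying an executable from a site the policy trusts is the signal that a trusted site may have been compromised, and the per-host count tells the responder which site to take off the allow-list first.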

The threats analysed in the report give directions to the information security managers to check the effectiveness of their controls. The study also provides some guidelines on best practices which are a good starting point to evaluate the security systems of user organizations.

Naavi


The Underground Cyber Crime Economy

The Norton/Symantec Cyber Crime study of 2014 has tried to provide an insight into the Underground Cyber Crime economy that drives the growth of financial crimes.

Spamming and phishing continue to be the major tools through which frauds are committed in cyberspace. Spamming with malicious links and attachments is used to drop Trojans, and phishing is used to make the spam look like a message from a known person.

According to the study, approximately 28 billion spam mails were in circulation worldwide each day in 2014, compared to 29 million in 2013. Overall, for 2014, 60% of email traffic was identified as spam compared to 66.4% in 2013, representing a decrease.

According to the India-specific information available from the Norton study, an estimated Rs 16558/- was lost on average by Indian consumers on account of cyber crimes. The study estimates that approximately 113 million Indians were affected by cyber crimes, which constitutes around 48% of the Indian online population. There is a little ambiguity in the way the loss is estimated, and hence we shall leave it for analysis at a later time when more information is available, and revert to the figures available in the global study.

The cyber crime market has evolved like any other business, where the crimeware is developed by one set of people and exploited by another. There are people who specialize in developing malware, others who specialize in identity theft, another set who drop the malware using spam techniques, and yet another set who actually draw the fraud money out of the victims. Certain trojans are available on lease for a specific period, making it all look like an organized business.

The study estimates that a drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and DDoS attacks can be ordered from $10 to $1,000 per day. The value of information sold in the cyber crime market is indicated by the following table.

[Table: value of information sold in the cyber crime market (Norton)]

If cyber crime is to be curtailed, then it is important to recognize the existence of this chain of actors and eliminate the participants at each of these levels.

Naavi


639 Web browser vulnerabilities and 35 SCADA vulnerabilities found in Symantec Study

The Symantec Internet Security Threat report of 2014, released recently, indicates that in 2014, 6549 new vulnerabilities were reported as compared to 6787 in 2013.

[Chart: total vulnerabilities (Norton study)]

Out of these, there were 891 Web browser vulnerabilities, which are a serious threat to ordinary Netizens.

[Table: browser vulnerabilities (Norton study)]

As can be observed from the above table, the total number of vulnerabilities in the 5 major browsers declined from around 891 in 2012 to 591 in 2013 and went up again to 639 in 2014. Internet Explorer recorded the highest number of vulnerabilities at 282, while Opera appeared to be the most secure browser.

Browser plug-ins including Adobe Reader, Flash Player, Apple QuickTime and Microsoft ActiveX, as well as Firefox extensions and Java, constituted additional vulnerabilities.

The inference is that using the Opera web browser and avoiding plug-ins could reduce the risk of being exploited through these vulnerabilities.

The study has also tried to track what it calls ICS vulnerabilities. These represent vulnerabilities in Industrial Control Systems, including SCADA (Supervisory Control and Data Acquisition) systems of the type attacked by the Stuxnet virus in the past.

ICSs are typically used in industries such as electrical, water, oil, and gas. Based on data received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices.

This is of special interest to non-IT manufacturing companies, who have a huge stake in terms of exploitation, particularly by cyber terrorists. It is also of relevance to Secure Digital India, where stakes are being placed on Smart Cities.

Siemens products continue to find a place in the list of such vulnerabilities, along with Advantech WebAccess and Schneider Electric products. A total of 35 such vulnerabilities have been disclosed in the report.

Industries using such products should pay special attention to these vulnerabilities, and cyber insurers and CISOs also need to take special note of them.

Naavi


Adobe accounts for 65% of Zero Day Vulnerabilities

The Symantec Internet Threat Study indicates that in 2014, there were 24 zero-day vulnerabilities as compared to 23 in 2013.

[Chart: zero-day vulnerabilities, 2014]

Zero-day vulnerabilities are vulnerabilities against which the vendor has not released a patch. The absence of a patch presents a threat to organizations and consumers alike, because in many cases this type of threat can evade the purely signature-based detection techniques used by anti-malware software until a patch is released.

Zero-day vulnerabilities, if found by fraudsters, will be exploited by them more easily than otherwise. Sometimes vendors come to know of the vulnerabilities but are unable to release a patch, and for fear of reputation and business loss remain silent and do not announce the presence of unpatched vulnerabilities. This makes them complicit in the frauds that occur and should make them legally liable if the law takes its normal view on such “negligence”.

When a cyber insurer has provided liability insurance, he is also at a great disadvantage when zero-day vulnerabilities are exploited, since security professionals may find it difficult to counter threats targeting such vulnerabilities.

The study lists the 24 zero-day vulnerabilities found in 2014, and it is observed that 16 of them relate to Adobe. These include vulnerabilities in Adobe Flash Player as well as Reader. Microsoft accounts for 7, and the other is on Linux.

The study notes that their database has over 62300 vendors for whom 62400 recorded vulnerabilities have been found. It also states that the top 5 vulnerabilities were exploited for a combined period of 295 days during the year, highlighting the risks that we are facing.

Naavi


1 million new threats a day is what Internet users face, says Symantec Study

The recently released cyber crime study by Symantec captures the status of Internet risks in 2014. Titled Internet Security Report (ISTR 20), the report with its annexures provides an in-depth insight into the threats and vulnerabilities that most of us face on a day-to-day basis.

The first thing that any observer of the Internet should note is that the study points out that in 2014, there were more than 317 million new pieces of malware created during the year, meaning nearly 1 million each day (leaving out Sundays).

What is equally alarming is that the study points out that the Symantec database of vulnerabilities consists of 66400 recorded vulnerabilities from 21300 vendors, representing over 62300 products.

With such a huge number of vulnerabilities in genuine software and the vast number of threats, cyber risk poses an enormous challenge to everybody.

The report in fact marks that the year 2014 was notable because of the high profile “Vulnerabilities” such as “Heartbleed”, “ShellShock” and “Poodle”.

Another interesting observation the study points out is that, apart from focussing on exploitation of zero-day vulnerabilities, attackers moved much faster to exploit published vulnerabilities than defenders moved to release patches.

During the year 24 zero-day vulnerabilities were discovered. Vendors took 204 days, 22 days and 53 days to release patches for the three top zero-day vulnerabilities. The top 5 zero-day vulnerabilities were actively used by attackers for a combined 295 days before patches were available. In 2013 this period was on average only 4 days, highlighting the increasing risk that the community faced during the year due to the inefficiency of the software industry.

These findings indicate that there is a lot of ground that the industry has lost to the cyber crime industry, and this needs to be recovered.

We need to analyse the report in greater depth to understand how the growth of mobile apps on the one hand and cyber terrorism on the other have contributed to the growing insecurity in the cyber world.

The findings of this report will inevitably have an impact on the cyber insurance industry, which needs to take a re-look at its policies, premia, etc.

(More details of the report would be discussed in the forthcoming articles)

Naavi
