// archives



Security Snippets: February Reading Nr. 1


The security snippets series highlights some articles that I read recently. I hope they help in keeping up with the rise of security incidents and trends, which becomes more and more difficult with the increasing professionalism of cyber attacks.


Bank Hackers Steal Millions via Malware
as read in the New York Times

The New York Times writes, based on Kaspersky information, that a group of attackers impersonated bank officers, took over cash machines and transferred millions of dollars from more than 100 banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake accounts set up in other countries. This brings a new scale to cybercrime.


Evolution and Adaptation in the Security Jungle
as read in Threatpost

Enterprise security teams need to catch up on understanding the methods that modern attackers use. The article on Threatpost does a good job of giving an overview. Active defense is crucial in that respect, and I described it with the protect, detect, respond framework in my whitepaper on achieving resilience against modern cyberthreats.


Visa Wants to Track Your Smartphone to Prevent Credit Card Fraud
as read in the Hacker News

It seems that Visa plans to release a new location-based feature that will let cardholders share their location via smartphone. With credit card fraud still on the rise, that could be a good way to fight it. I just hope that it will be clear to the user that another service performs location tracking.


PlugX Is RAT of Choice for Nation States 
as read in eSecurity Planet

The “2014 CrowdStrike Global Threat Intel” report finds that the PlugX Remote Access Tool (RAT) is the most observed malware variant used by nation-state backed adversaries. I don’t think this is necessarily so clear-cut, as in my view many nation states have more customized and elaborate capabilities, but it shows how far such tools have come.


One Billion Data Records Compromised in 2014 Worldwide
as read in Softpedia

The article covers a report from the Breach Level Index (BLI) which finds a 49 percent increase in data breaches and a 78 percent increase in the number of records stolen or lost in 2014. While the absolute number might be even higher, the massive increase is something that we observe as well.


Microsoft Achieves Globally Recognized ISO/IEC 27018 Privacy Standard
as read in the Microsoft Cyber Trust Blog

This is more about privacy and trust than security, although security also plays an important part. On February 16, 2015, Microsoft obtained ISO/IEC 27018 privacy certification for Microsoft Azure, Office 365 and Dynamics CRM Online. Brad Smith’s blog has more information on that and is worth reading in my view.


How to Keep Your Webcam Safe from Hackers [Video]
as read in We Live Security

If you follow the link you will see a video that covers five tips to prevent someone from spying on you through your webcam. This is becoming more important after an anonymous website began posting live streams from the world’s unprotected webcams.



Snipplet: About the ease to hack hospital equipment

From now on I will be blogging about topics that I have read elsewhere and find noteworthy. You will find them in my new “snipplets” category. Today I am starting with the key points of a WIRED Magazine Threat Level article by Kim Zetter:

In a study spanning two years, the researchers found severe security issues with common medical equipment used across a large chain of Midwest health care facilities, including:

  1. Drug infusion pumps for delivering morphine drips, chemotherapy and antibiotics that could be remotely manipulated to change the dosage for patients.
  2. Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or to prevent a medically needed shock from occurring.
  3. X-ray systems that can be accessed by outsiders lurking on a hospital’s network.
  4. Temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage.
  5. Digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.
  6. In some instances devices can be blue-screened and restarted or rebooted to wipe out their configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all lab test equipment.

Many hospitals are unaware of the high risk associated with these devices. A wide cross-section of devices shared a handful of common security holes, including:

  1. Lack of authentication to access or manipulate the equipment
  2. Weak passwords, or default and hardcoded vendor passwords like “admin” or “1234”
  3. Embedded web servers and interfaces that allow an attacker to identify and manipulate devices.

Very few devices are firewalled off from the rest of the organization; once you have a foothold in the network, you can scan for and find almost all of these devices.

  • The vendors don’t have any security programs in place, nor is that required as part of pre-market submission to the FDA. The FDA guidelines for medical devices now place the onus on vendors to ensure that their systems are secure and patched.
  • Vendors often tell customers that they cannot remove hardcoded passwords from their devices or take other steps to secure their systems because it would require them to take the systems back to the FDA for approval afterwards. However, the FDA guidelines for medical equipment include a cybersecurity clause that allows a post-market device to be patched without requiring recertification by the FDA.
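The two holes that make these devices trivial to find and take over (no authentication, and hardcoded vendor passwords on an embedded web server) can be audited with a few lines of code. The example below is added here and is not code from the WIRED article or from this post. It stands up a mock “device” on the loopback interface (a stand-in for an infusion pump’s embedded web interface protected only by HTTP Basic auth with a hardcoded password) and runs a small audit against it; the hostnames, the credential list and the device responses are all constructed for the demo, and the audit logic works the same against any HTTP interface you are authorized to test.

```python
"""Default-credential audit for embedded device web interfaces.

Added example, not code from the WIRED article or this post. The mock
"device" stands in for an infusion pump's embedded web server that is
protected only by a hardcoded vendor password; hostnames, ports and the
credential list are constructed for the demo.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed vendor defaults, modelled on the "admin" / "1234" pairs in the text.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "1234"), ("root", "root")]


class MockDevice(BaseHTTPRequestHandler):
    """Embedded web server with HTTP Basic auth and a hardcoded password."""
    HARDCODED = base64.b64encode(b"admin:1234").decode()  # constructed

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not self.server.require_auth or auth == "Basic " + self.HARDCODED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"dosage=5.0 mg/h")  # constructed device state
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


def start_mock_device(require_auth=True):
    """Serve the mock device on an ephemeral loopback port; return (url, server)."""
    server = HTTPServer(("127.0.0.1", 0), MockDevice)
    server.require_auth = require_auth  # read by MockDevice.do_GET
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/", server


def probe(url, username=None, password=None, timeout=3):
    """GET the URL, optionally with Basic credentials; return the HTTP status."""
    req = Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def audit_device(url, credentials=DEFAULT_CREDENTIALS):
    """Classify one device interface:
      "no-auth"            reachable without any credentials
      "default-creds:u/p"  a vendor default pair was accepted
      "auth-required"      none of the defaults worked
    """
    if probe(url) == 200:
        return "no-auth"
    for user, pw in credentials:
        if probe(url, user, pw) == 200:
            return f"default-creds:{user}/{pw}"
    return "auth-required"


def demo(require_auth=True, credentials=DEFAULT_CREDENTIALS):
    """Run the audit against a fresh mock device and return its verdict."""
    url, server = start_mock_device(require_auth)
    try:
        return audit_device(url, credentials)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())                              # default-creds:admin/1234
    print(demo(require_auth=False))            # no-auth
    print(demo(credentials=[("admin", "x")]))  # auth-required
```

Point `audit_device` at the management URLs from the biomedical inventory rather than at the result of a blind network scan: on a hospital network a scan itself can crash the fragile devices the article describes, and the audit must in any case only be run with authorization.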

Unfortunately this reflects the discussions that I am having with healthcare providers across Western Europe. Considering that cybercrime is only starting to become “mature” (I am not happy to use this word in a criminal context, but it describes it best), the risks need to be mitigated, and hospitals have an important part to play by insisting on secured systems and investing in their own overall IT hygiene.

The original WIRED article can be found here.

Targeted Attacks Video Series

Cybersecurity is currently top of mind for many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity, the topic of targeted attacks is put at the center. This is now increasing further as we see such attacks being used much more commonly than usually assumed, while only a small number of organizations have the resources to limit or even detect them.

The question then is often what a targeted attack really is, and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarize three security whitepapers: Determined Adversaries and Targeted Attacks; Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques; and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and sets the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of targeted attacks.


I hope this helps for the next discussion on the topic of targeted attacks, and if you work for an organization that has information with commercial value, then that discussion should start sooner rather than later.

Microsoft phases out MSN Messenger – Cybercriminals try to profit

Microsoft announced a while ago that Skype and Messenger are coming together, which means that millions of Messenger users will be able to reach their Messenger friends on Skype. By updating to Skype, Messenger users can instant message and video call their Messenger friends. This good news now seems to be used by cybercriminals to attack new systems. Their approach is fairly simple: they take advantage of the fact that MSN Messenger is still popular. Microsoft now promotes the download of Skype on the former MSN Messenger page and explains that Messenger contacts will be available in Skype. There are still people who want to download MSN Messenger, and this is the window of opportunity that cybercriminals exploit. They register malicious domains, buy advertising links on search engines and try to trick the user into downloading and installing malware that masquerades as MSN Messenger. With this they gain access to the victims’ computers, which are then under their control.

Don’t fall into that trap! Take steps to protect your computer (I wrote a blog post about this earlier that I have now updated) and only download software from official sources; in this specific case, download Skype from the official Microsoft site or from skype.com, and you will be able to merge your Messenger and Skype contacts.


Migrate to Skype



Recommendations for cleaning a computer

I normally write my blog posts in English, but because I receive many requests in German asking what someone can do when a cybercriminal (for example a fake “Microsoft supporter”) has tricked their way into a computer, I am posting my recommended procedure in German.

Unfortunately, the question of what was done on a computer during a fake “support session” cannot be answered in general, because the procedure is not always the same. If you gave someone access to the device, or downloaded and ran a program, then in principle anything could have “happened”. Most likely the criminals are after your bank and credit card information. They can reach that goal in different ways: either you pay directly for a fake antivirus service, or a spyware program is installed on your computer.

As for how to proceed, I suggest the following:
  • Do not connect your PC to the Internet again until it has been “cleaned”.
  • Change all passwords (from a different device that you trust, not from the affected PC).
  • Have a specialist examine the PC for spyware or similar. If you want to and are able to do this yourself, a good tool for this is described at http://www.retohaeni.net/2012/04/windows-defender-offline/, but unfortunately this does not offer 100% certainty either. I would recommend that a computer specialist examine the computer. Alternatively, the safest option is probably to set up the operating system from scratch (reinstall Windows and all applications; not an update or upgrade) and then secure the computer again as I show in my blog post on that topic. Please do not forget to back up all your data etc. beforehand.
  • Contact your bank and describe the incident, to clarify whether, for example, credit cards need to be replaced or similar.

As Microsoft we are also a victim here and can do little against criminal acts, because we are only indirectly affected. Accordingly, you may need to file a police report. You can report the case, for example, at http://www.cybercrime.admin.ch/kobik/de/home.html. This is not yet a formal complaint, but KOBIK will then recommend further steps to you.

I hope this helps as a starting point.

Windows Defender Offline – new tool against advanced malware

I wrote previously about how to secure your computer, but last week Microsoft’s Malware Protection Center released a new tool against rootkits and other advanced malware that I would like to review briefly: Windows Defender Offline.

Windows Defender Offline scans your PC to remove rootkits and other advanced malware that can’t always be detected by antimalware programs. If such malware is detected on your PC, Microsoft Security Essentials will prompt you to use Defender Offline. However, it is good practice to run Defender Offline on a regular basis, as some advanced malware doesn’t necessarily get detected by any antivirus program.

The main difference between Defender Offline and most other anti-malware tools is that it runs from a clean boot disk/CD/USB stick. The infected operating system is not running during the scan, so malware that uses cloaking techniques to hide from tools running inside that system has no chance to hide.

For more information on what Windows Defender Offline does and what the system requirements are, please visit this website: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.

Less Spam today? Good news – I will tell you why

Microsoft Digital Crimes Unit

Did you notice that you got fewer spam e-mails today? All in all, about 3.8 billion fewer spam mails were sent out. Why? Because there is one less botnet in operation. Today Microsoft announced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”. This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive, and it is the first time Microsoft has named a defendant in its fight against botnets, which suddenly makes cybercrime much less anonymous.

Microsoft has a very interesting unit in the fight against cybercrime: the Digital Crimes Unit. I had the opportunity to spend last week at their premises in Redmond, to have interesting discussions and to align our efforts with regard to child abuse and digital crimes. With our ever-increasing dependence on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we work in close cooperation with local law enforcement agencies, government CERTs, Internet providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units in Microsoft Redmond, and to be able to participate in the fight against child abuse and cybercrime.

The fight against botnets will continue. There are still tens of thousands of infected computers that regularly try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21 September 2011.

What now needs to be done is to clean up the infected computers. To aid in this I have started working with government, Internet service providers and computer emergency response teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime, please keep your computers safe and private. With that you participate in the global fight against cybercrime and keep your privacy protected. You can find “how-to” information in this earlier blog post.

Interested to know more about the botnet takedown? Read the official Microsoft blog here.

Follow the Microsoft Digital Crimes Unit on Facebook and Twitter.


One man’s terrorist is another man’s freedom fighter – Is it?

I just read an article in the New York Times on suspected hackers and a sense of social protest. It made me think of the often-quoted “One man’s terrorist is another man’s freedom fighter”.

For me the facts are clear. Nobody should attack the infrastructure or privacy of somebody else. Full stop. I cannot see that attacks can lead to anything positive, and we have had plenty of examples showing that peaceful protest in the end works best to initiate change. However, other people see it differently. They see it as a kind of social protest if they direct attacks at targets that they consider “evil”, whether these targets are individuals, corporations or governments. And then there are the ones that don’t think at all, that just follow a “cool” call for action. Have you ever seen the YouTube video where an Anonymous branch calls for attacking Telefonica? Pretty cool, I must say. If I were bored that weekend and looking for something to do (anything really) to fit into a group... I can see why kids are tempted to point their Low Orbit Ion Cannons pretty much anywhere.

The part that worries me is not so much the individual person that might or might not participate in an attack. What worries me is that we as a society don’t have an understanding of what is acceptable behavior and what is not. Sure, we might have a legal definition in some countries, but does that help much? What we need to arrive at is a shared social value of what is acceptable and what is not. What is a terrorist, and what is a freedom fighter? What differentiates them from each other? Only then can we sit down and talk to our kids, our friends, our employees about values. Only then can we blog about it, about making people think about what they are doing, and make them aware of the line they are crossing when they tinker with other people’s privacy and with the intellectual property of enterprises, governments etc.

I don’t have the answer. But I am putting this out as a starting point to talk about it. Take the first step, take this and start talking about it, and hopefully make some people think about values. Talk to somebody and let’s start a snowball effect. Let’s take this as a start to accept others’ privacy and values and to use our right of free speech and social protest where we have them, and with that help others to achieve what we already have: freedom of expression. But it comes with a price, and the price is responsibility and values, and we need to get better at accepting our responsibility.

Microsoft support does not call you – fraud alert!

I still hear frequently about calls people receive from, supposedly, Microsoft support; they have even called our house. The caller claims to be a Microsoft representative or to be working for a Microsoft partner. The usual call goes about as follows:

  • The caller calls from either the UK or the US and informs the Microsoft customer that there is supposedly a problem with some software on the computer, or that they have indications that the customer has recently had some security problems.
  • The caller claims to be from either a Microsoft Partner or a “Windows Service Center”.
  • The caller speaks English, but often with an accent.
  • The caller will try to gain remote access to the computer, e.g. by asking the customer to go to a (fraudulent) support website and download software, or by sending something by e-mail.
  • Usually, if the customer is suspicious and starts asking questions, the caller hangs up.
You might have guessed already: the person calling is neither from a Microsoft partner nor from a Microsoft service center. The trick is old but still widely in use, and currently there seems to be an increase in these calls. They go to private numbers as well as business numbers.
I recommend that if you receive such a call you just hang up, and if a notice arrives by e-mail, delete it immediately. The following points may help you determine whether you are talking to a real Microsoft representative, and cover some additional aspects beyond fraudulent support calls:
  • Microsoft does not send unsolicited e-mail or make unsolicited phone calls to request personal or financial information.
  • Microsoft does not make unsolicited phone calls to help you fix your computer.
  • Communications claiming that you have won the “Microsoft Lottery” are fraudulent because there is no Microsoft Lottery.
  • Microsoft does not request credit card information to validate your copy of Windows, Office etc.
  • Microsoft does not send unsolicited communication about security updates.
I hope that this information helps you avoid becoming a target of one of these scams. If you are now concerned that your computer was actually the victim of a security incident, you can read my blog post on securing your computer.
Update: I have also added some recommendations on what actions I advise if somebody has had access to your computer (in German).

FaceNiff – who is posting your Facebook updates?

So, you are sitting at Starbucks, at the airport or in any other relatively crowded place, and you have Facebook, Twitter or Amazon open. You look to your right and see a nicely dressed woman/man tapping on her/his mobile. Maybe you are smiling, thinking that they text too much. Well, think again, because your seemingly nice neighbor might at that very second be updating your Facebook status, adding weird “friends”, posting a Twitter message or rummaging through your Amazon shopping basket.

What? How? Why? These are the thoughts that might run through your mind. Well, it’s easy, because there is a new app in town running on Android. It’s called FaceNiff and it hijacks the Facebook, Twitter, YouTube, Amazon and Nasza-Klasa account (more to come) of anybody who has it open on the same wireless network. It’s not really much new: Firesheep did more or less the same a while ago, sniffing the session cookies that these sites send over unencrypted HTTP, but now it’s even less obvious and even easier (watch the video here). It is a shame that the affected platforms did not take the Firesheep warning seriously and secure their systems better, and maybe they will learn from it. However, I see the problem at least as much in the mobile platform. Android is in effect an open platform. If you have an app that runs on it, you can install it. It might be easier or harder, but even something that is just out there to download can be put on a rooted device. This leaves the door wide open to turn mobile platforms into mobile attack platforms. Mobile devices get more and more powerful and they are so unintrusive: the perfect platform for the new cybercriminal. And yes, I regard everybody who breaks into my accounts as a cybercriminal. There is no glory involved; it is just cheap, it exploits my privacy and might be harmful to me and/or my reputation.
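What FaceNiff and Firesheep actually do is simple enough to show in a few lines, and so is the fix the platforms had been warned about. The example below is added here and is not code from the original post or from either tool. It takes a constructed capture of two cleartext HTTP requests, as anyone on the same Wi-Fi network would see them, pulls out the session cookies that are all an attacker needs to act as the victim, and then checks a site's Set-Cookie header for the two attributes (Secure, HttpOnly) that stop this kind of sidejacking. The hostnames, cookie names and values are made up, and the pattern used to spot session cookies is an assumption for the demo.

```python
"""Session sidejacking on a shared network, the FaceNiff/Firesheep mechanism.

Added example, not from the original post or from either tool. The captured
requests, hostnames and cookie values are constructed; the session cookie
name heuristic is an assumption for the demo.
"""
import re
from http.cookies import SimpleCookie

# Constructed capture of cleartext HTTP requests as seen by anyone on the
# same Wi-Fi network (nothing to decrypt: the cookies are in the clear).
CAPTURED_HTTP = """\
GET /home.php HTTP/1.1
Host: www.example-social.test
Cookie: c_user=100004242; xs=deadbeefcafe1234; locale=en_US

GET /orders HTTP/1.1
Host: shop.example.test
Cookie: session-id=ABC123XYZ; i18n=en
"""

# Cookie names that typically carry the authenticated session (assumed heuristic).
SESSION_COOKIE = re.compile(r"sess|sid|xs|auth|token|c_user", re.I)


def harvest_sessions(capture):
    """Attacker side: return {host: {cookie: value}} for session-like cookies
    found in cleartext requests. Replaying these in a Cookie header is all
    that is needed to act as the victim on that site."""
    sessions = {}
    for request in capture.strip().split("\n\n"):
        lines = request.splitlines()[1:]  # skip the request line
        headers = dict(line.split(": ", 1) for line in lines if ": " in line)
        host, cookie_header = headers.get("Host"), headers.get("Cookie")
        if not host or not cookie_header:
            continue
        jar = SimpleCookie()
        jar.load(cookie_header)
        found = {name: m.value for name, m in jar.items() if SESSION_COOKIE.search(name)}
        if found:
            sessions[host] = found
    return sessions


def audit_set_cookie(set_cookie_header):
    """Defender side: return the attributes missing from a Set-Cookie header
    that would stop sidejacking. 'secure' keeps the browser from ever sending
    the cookie over http://, 'httponly' keeps page scripts from reading it."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURED_HTTP).items():
        print(host, cookies)
    # Weak: the session cookie will travel over plain HTTP on the next request.
    print(audit_set_cookie("xs=deadbeefcafe1234; Path=/; Domain=.example-social.test"))
    # Fixed: the same cookie, only ever sent over TLS and invisible to scripts.
    print(audit_set_cookie("xs=deadbeefcafe1234; Path=/; Secure; HttpOnly"))
```

The Secure flag is only useful if the whole site is served over HTTPS; a site that logs in over TLS but then falls back to HTTP for the rest of the session is exactly what the two tools feed on.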

So what should we do? First, think again before you sign into any of the affected platforms when connected to a shared network. Second, show providers that you support closed platforms. As an example, you will not find FaceNiff on the Microsoft Windows Phone platform, because Microsoft (and others too, to some extent) has a phone architecture that only lets apps be installed through its marketplace, and only apps that have been tested get onto the marketplace. And there is no jailbreak for WP7, so that option is out too. So you can favor platforms that protect you, and you can write to the makers of the less secure platforms and voice your concern. Please do it if you care. Will it help for the next time you sit at Starbucks? No, it will not, but I believe that in time the platform(s) that serve all customers, and not just an individual, will survive. This is not about telling you what you are allowed to do on your mobile, as long as you are doing something legitimate. Consumers should have a choice; they should be able to make choices. That is what brings us further and boosts innovation. But I also want to have my private and work life on an Internet that is more secure for everybody than what we see today, and phone platforms will have a massive impact on that.

So, if you sit at Starbucks next time – maybe look around with a new question on your mind. Who is posting updates on their own – and who on other person’s accounts. You might be surprised.

About the Author

Reto is a partner at PwC Switzerland. He leads the Cybersecurity practice and is a member of the PwC Digital Services leadership team. He has over 15 years of work experience in an information security and risk focused IT environment. Prior to working at PwC he was Microsoft's Chief Security Officer for Western Europe and also has work experience as group CIO, Chief Risk Officer, Technical Director and Program Manager.

