Chinese APT Group Weaponizes COVID-19 Fears

While there are currently upwards of seven cyber threat campaigns centered on SARS-CoV-2 (the virus that causes the illness now known as COVID-19); one stands out from the rest.  According to CheckPoint Research (https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/), this campaign is a continuation of previous attacks by the Vicious Panda APT group, with the latest iteration using the threat of the Coronavirus to entice users into falling for the downloader/stager scheme.

 

Though not particularly novel or intricate, the somewhat complex stager to downloader to dll methodology does have one thing that sets it apart.  Vicious Panda is the codename of a Chinese APT group – meaning that the country which saw the first devastating wave of COVID-19 patients, and the first loss of life from the disease, is now using it to disrupt data systems in other parts of the world.

 

The attack itself is straight-forward.  An email hook via a poisoned attachment – in this case a rich text file – is emailed or otherwise delivered to the target. Relying on a known exploit in the Equation Editor component in Windows systems installed with Microsoft Office, the RTF file executes code that performs additional actions on the infected machine.  In the case of this campaign, a series of download files (mostly DLL’s) sets up both a persistence factor so that the attack re-launches itself until removed whenever a Microsoft Office app is run; and a Remote Access Trojan (RAT) to allow the attackers to gather details and data from an infected device.

 

The RAT is the more problematic of the executable components; as in addition to stealing data and user information through screen shots and process dumps, a RAT can be configured to download and launch additional executable code. While the initial attack is independently dangerous, this ability to persist beyond reboot and to download more attack code at any time makes this significantly more worrisome.

 

As for mitigation against this threat, while the actual downloaded vector is new, the methods and techniques used to successfully land the attack are not.  Updates and patches exist for Windows to defend against the Equation Editor exploits, which have existed since 2017 but have remained unpatched on many Windows devices.  Patching against CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 will limit the ability of the initial infection vector (the poisoned RTF file) to land, and thereby defend the device itself.  It’s recommended that systems be patched as soon as possible if the fixes for these three CVE’s have not yet been applied.

 

While the actual attack binaries do appear to be new, they function with the same effect as most RAT’s; so monitoring for unusual activity around screenshots, file manipulation, data exfiltration, and unknown process initiation can identify that a device is infected.  Any device that exhibits these unusual behavior patterns should be temporarily isolated until further investigation can be performed to confirm infection or identification of the reason for the unusual operations.

 

Leveraging the COVID-19 fears of the world is despicable.  Threat groups have never been known for their reserve or decency, but launching attacks that play off the panic of the world right now is unacceptable beyond belief.  That it is coming from the country that experienced the first outbreak is even more bewildering and disappointing.  I urge all threat groups to not make the situation worse by playing off the fears of an international pandemic crisis.

 

It’s doubtful that we will see an end to attacks taking advantage of national and international crisis events.  As disheartening as that it, we must face reality and realize that any opportunity can and will be used to spread malware that disrupts and/or destroys businesses.  This example, though, is extraordinarily despicable for two reasons:  First, the disruption of many businesses during this specific crisis can, and will, lead to the loss of lives.  Disruption of a single manufacturer or medical equipment or devices will make the already devastating shortage of masks, sanitizers, ventilators, and other vital healthcare equipment so much worse.  People who might have lived will die, and their blood will be directly on the hands of these threat actors.  Secondly, the apparent origination of this specific threat from an Advanced Persistent Threat group from China – the first and one of the most significantly impacted countries – is simply baffling.  After the loss of life, disruption of business, and overall health impact of this virus; the country that was at the start of the chain of the pandemic should not be weaponizing the fear of that pandemic for furtherance of state-sponsored cyber threat goals.

 

Newbie2Security: Passwords

A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site.  How do I make sure my passwords are good enough for security, but not forget them continuously?”

Well, passwords are a tough nut to crack these days.  Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords.  Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack.  There’s good news, though, so let’s talk about passwords:

Passwords should be:

1 – Difficult for an attacker to guess

2 – Easy for you to remember

3 – Never re-used

4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)

Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn to an attempt to happen upon your actual password.  Most – but not all – applications and sites have some method in place to stop this from working; either by limiting the number of attempts at a password before the account becomes locked, or progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.

Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords.  They might be able to manage 1, 2, and 4; but only at the expense of 3.  If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.

The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:

1 – Use a Password Manager: A password manager is simply a piece of software that will allow you to store your usernames and passwords for various sites and applications in a vault that is securely protected.  This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps.  You do need to be sure the password manager vendor is reputable and has a good history at security, but otherwise you set them up and keep them updated, but don’t have to worry about forgetting passwords.  Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself.  1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; and are also easy to use and work with no matter what browser you use. They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.

2 – Use a Pass Phrase Instead:  Who says a password has to only be one word?  Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use.  How about “ThisIsMySecureGooglePassword!” for your Google account?  It’s the right length, has upper and lowercase letters, has a special character, etc.  It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.

NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords.  PLEASE think up a passphrase or sentence of your own.

4 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever.  If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.

5 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone.  It is never necessary for them to do so.  They can access your information via their own methods, and don’t need you to tell them your password in order to do it.  So, if anyone claims they’re from FaceBook, or Microsoft, etc. either via email or phone and asks for your password; they’re lying and trying to steal your info.  Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured.  So, a password manager that encrypts its vault is fine, but an excel spreadsheet that isn’t protected is not.

Defending yourself with strong, non-reused, passwords is a critical part of online security.  These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of.  Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.

Newbie2Security: What Your Browser can Tell Sites About You

Here’s a great reader-submitted question, “I heard that if I connect to a site from a web browser, they can tell a lot about me.  Is that true? What can they see?”

It’s absolutely true, and your browser can tell a website or service a tremendous amount of information about you.  This can happen even if you haven’t specifically given the site, service, or app any privileges beyond just connecting to it in your browser.  That’s been the case for a very long time now – and this data doesn’t take a lot of technology or expertise for someone to see it and learn about you from it.  Let’s take a look at what your browser can be telling people about you.

Browsers transmit and receive a lot more data that is visible on your screen.  They also transmit what are known as browser headers – metadata (data about data) that identifies what your browser is capable of displaying, how much data it can accept, and a lot more details

When you connect to a website or service via a browser, the web server and your machine exchange a lot of information.  This is necessary since thousands if not millions of people visit a website, and not all fo them use the same web browser, Operating System (Windows, Mac, Linux, etc.), have the same fonts installed, have the same browser add-ons and extensions, etc.  So, in order to figure out what should be sent to your machine, the web server needs this metadata so it can send you the right information to display in your browser.

Most, but not all, of this data is sent in the browser headers.  Here’s what can be sent via headers during any connection to a web server:

 The IP address (a digital address assigned to your computer by your Internet Service Provider) so that the website knows who it is talking to.
The browser you are using (Internet Explorer, Firefox, Chrome, etc.) and what version of it you are running so that the website knows what your browser is capable of displaying
What fonts, add-ons, and extensions you have installed in your browser – also to help the website figure out what can be displayed.

That may no sound all that informative to a website, but it really is.  With the right tools, here’s what a website can find out based on that information:

 Your IP address can identify where you physically are at the moment.  While it’s not precise, IP geo-location is capable of finding your location within a couple hundred meters if not closer.  IP addresses can also identify what Internet Service Provider you use, if the connection is a cable modem, DSL, fiber, etc. and if you’re using something that can anonymize you (like a VPN or TOR networks).
Your browser type and version can identify what Operating System you use – Internet Explorer only runs on Windows and Safari typically runs on Mac, for example.
The combination of the above information combined with the add-ons, fonts, and other details can allow a website to “fingerprint” your machine to a high degree of accuracy.  This means that if you visit the site again – or go from site to site between websites that share information – these sites can track you and establish a pattern to your browsing history that cannot be removed by clearing your cache.

There are also small text files known as cookies that are placed on your computer/laptop/tablet/phone disk.  These cookies allow a specific site to recognize your device when you re-visit that site, and it’s how sites like FaceBook, Twitter, Amazon, etc. know you when you return to them later on.  Generally, cookies are harmless and only apply to a specific website you visit.  Others, known as “supercookies” are used by advertising networks to track you all around the Internet, however. By setting your browser’s “Do Not Track” settings you can eliminate most – but not all – of them.  Clearing your browsing history, cache, and cookies will get rid of them, though.

There are also tools for most major browsers that can help keep you more private while web surfing.  The Electonic Frontier Foundation (https://www.eff.org) has a tool called Privacy Badger that blocks most tracking cookies but can let you allow them on sites you do trust.  Ad Blockers can stop ad networks from landing supercookies on your machine.  They’re usually free, and well trusted tools like uBlock Origin are regularly checked for malware to make sure you’re not opening more security holes than you close.

So, as you can see, a browser can leak a lot of information about you and your devices.  Headers and cookies can tell a website a tremendous amount about who you are, where you are, and where you’ve been online.  Normally this isn’t a problem, as this information is fairly public and not considered Personally Identifiable Information like your name, phone number, social security number, etc. would be.  Just be aware that sites can see this information about you when you visit, and avoid even visiting sites that you don’t ever want to have this level of detail about you in the first place.

Newbie2Security: Is the Cloud Safe, Part III

Noun Monitor Cloud 66781
A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the cloud desktop experiences.

Cloud desktops are becoming more and more common as we move toward doing more within the cloud, as opposed to on our own networks and hardware. A cloud desktop is exactly what it sounds like; namely, a virtual desktop computer that runs within a cloud vendor and not on your own desktop, laptop, or tablet itself. They’re currently very popular for PC gaming when you want to play a very resource-heavy game and don’t own a powerful gaming desktop – or a PC at all. I myself use one to play PC games on my Mac (there’s a post on Paperspace and Parsec from a while back still posted here on the blog). While cloud desktops are incredibly useful, they’re still quite expensive to run and therefore not something everyone would use. That’s changing though, as prices come down just like all technology. This means you might be interested in using one in the near future if you’re not using one already.

If you do use or end up using a cloud desktop, its security is a lot different than using the cloud to sync data, or manage your Internet of Things (IoT) devices. Since a cloud desktop is an entire Operating System (Windows, Linux, etc.), it has to be secured in very much the same way as a desktop or laptop – but without the physical security you can put around a physical device you own and control.

So, how do you secure cloud desktops? Let’s take a look:

1 – Remember it’s a desktop. You should always keep your cloud desktop up to date with patches and fixes, and install and maintain an anti-malware tool on it as well. In much the same way as you would do these things on your own desktops and laptops, you must do them on cloud desktops too. Some service providers take care of some or all of these things for you; so check to see what they do in terms of updates and anti-malware and what you are responsible for yourself.

2 – The trust factor exists here too. Much like with IoT devices in the previous article, you have to know your cloud desktop vendor and put your trust in them. Most cloud desktop platforms are very new, so you won’t find a well-established company to go with; but you can research the company and find out if you should be trusting them. Where are they located? Is it in your country or off-shore? What back-end do they use to host their services – is it an established platform like AWS or RackSpace, or some cloud company no one has ever heard of? Who handles their billing – is it a reputable vendor like PayPal or directly with credit card companies (including all the Visa/MasterCard/Amex security methods) or with some payment provider no one has heard of? All of these questions can help you create a good profile of the company and their practices to base you trust decision on.

3 – Be careful what you put there. A cloud desktop can hold a lot of information on you. For example, if you use it for gaming, then the cloud desktop has your Steam and EA account info on there in all likelihood. It also might have billing information stored in memory when you buy things while you’re on the cloud desktop (like new games and software). That’s a bit of a problem, since you don’t have physical possession of the desktop itself, and won’t know if – for example – it’s stolen.

You can limit this liability by only logging into sites and applications you absolutely have to. Your Steam account is pretty much required, but you can turn on SteamGuard (two-factor login) to make sure no one can log in just by stealing the cloud desktop. You can also only update Steam and other payment information on your own desktop, rather than doing it via the interface on the cloud desktop. You can purchase games and other software on your own computer, get the access/registration keys via your own desktop email, then download the software and put in the key without having to put your credit card info into forms on the cloud desktop. For game apps like Steam and EA Origin, you can even make your purchases at their websites on your own desktop, then let the apps in the cloud desktop download the games next time you open the app there.

It’s also not necessary to even install or set up email apps/accounts on the cloud desktop at all – you can do that on your desktop or laptop and just cut and paste as required. Browsers don’t need to be synced to your Google/Apple/Firefox account, and therefore you don’t need to log into those services on the cloud desktop. Small steps like these don’t have a large impact on your cloud desktop experience and limiting what data is actually typed into or uploaded to the cloud desktop also limits what an attacker can get if they break in.

Cloud desktops can make life easier and open up the ability to do things you can’t do on your own desktop. As prices come down, they’ll become an option for more and more people – and a target for more and more attackers. Using them safely is very much possible, with a little strategy and forethought you can compute in the cloud with no problems at all.

Newbie2Security: Is the Cloud Safe, Part II

IoT Security 1520897A reader asked a particularly complex question recently: “Is the cloud safe to use?”

In my continuing answer to that complicated question, let’s look at the Internet of Things and what you can do to keep your own things safe.

The Internet of Things (IoT) is a collective term to describe all the connected boxes, devices, and widgets that don’t fall into the category of desktops, laptops, and phones/tablets. In some cases, even those devices are considered IoT technology; but generally this refers to home automation, home assistants, set-top boxes, and other such gear that is steadily but surely sneaking its way into our homes and hearts.

The security of IoT devices depends a lot on both you and the cloud vendor that manages the online components of those devices. Let’s take a look at things to watch out for.

1 – The trust factor. While the very latest gizmo to automate your home might sound cool, remember that these devices are only as secure as the companies that make them. Millions of IoT devices became infected with malware that turned them into distributed denial-of-service (DDoS) attackers due to a back-door that vendors put into the devices to make them easier to manage remotely.

DDoS (Distributed Denial-of-Service) is a type of attack where thousands or even millions of devices all over the internet start flooding a website with bogus data traffic. Since a website can only handle a fixed amount of traffic at any one time, all these devices suddenly blasting it with data requests causes legitimate users of the site to be unable to reach it. Effectively, the site is offline to real users even though there’s nothing wrong with the site itself – it’s simply overwhelmed with all the requests and cannot talk to anyone else.

Working with vendors that you trust is critical to avoiding this situation. While any vendor can make a mistake or have bugs in their code, those who are well-known and well-reviewed are less likely to let a major flaw end up taking their whole network offline or allowing their devices to be compromised. They also react much faster if they should get attacked, pushing out updates and changes quickly to fix the problem. A fly-by-night vendor, on the other hand, may just stop supporting a product and leaving all their users out in the cold when the next security problem comes up.

2 – Limiting what devices can do. Does your home lighting system need to speak directly to the internet? Probably not, and therefore it should not. While some systems like home thermostats do have a good reason to be accessible to the outside world (so you can remotely change the temperature), it shouldn’t be allowed when it isn’t necessary. Reputable vendors use home hubs and other technology to limit how much of their system needs to talk to the internet at all – and most vendors allow for you to limit that connectivity further. In short, if it doesn’t have to talk to the internet, it shouldn’t – full stop. If a vendor demands that the device be able to connect to their servers when there’s no reason to; choose another vendor. One great example is software updates for smart LED lights. Why should the light-bulb have to talk to the internet when updates can be done via a smartphone app or other method that doesn’t require every bulb have an internet connection individually?

3 – Segregate your networks. Most home internet routers have an easy-to-use method for creating a guest network. Guest networks are great for IoT devices that have no need to speak to your computers and tablets, but still do need internet access. Basically a guest network is a WiFi network on your home router that can talk to the internet, but cannot talk to anything else that’s using the same router. This means that if someone does manage to compromise your IoT devices, they cannot use that as a way to access your home computer or other systems. The one exception here is for devices that indeed to have to talk to the rest of the things on your home network – like home assistants and other tools. They’ll have to go on your main WiFi network; so keep the trust factor high in your mind.

4 – Use basic security precautions at all times. Alexa, Google Home, and Apple HomePod all listen all the time, and can’t figure out your voice from anyone else’s except for some tricks they do. They can’t stop someone else from voice ordering products or changing settings since their voice identification systems aren’t sharp enough to figure out it’s not you talking. This means you should set up purchase passcodes, and limit their ability to access sensitive stuff via their configuration apps. You should also think twice about letting them communicate to outside devices (such as Alexa’s ability to call other people who own and Alexa). It might be convenient, but the phone still works for that purpose (or email, or text messaging, etc.). One recent case of Alexa accidentally sending a voice message with mildly embarrassing info to a contact in its address book is a great example of why you have to be very careful. Amazon did note that it was because of an incredibly rare set of circumstances, but it’s still possible and should be taken into account before you set up “drop in” or similar features.

Finally, as these services are attached to online accounts with various vendors, you should keep your account secured with two-factor logins and password hygiene at all times. Just like any other website you access, your username and password can be easily stolen or compromised if you’re not careful, and you have to take that into consideration.

IoT devices can be incredibly useful, or just downright fun, or both. But always remember that these are devices that can open dangerous doors into your home and office. Take precautions to make sure they don’t and you can use them safely to make your life better and more enjoyable.

Newbie2Security: Is the Cloud Safe, Part I

Cloud Security 1725060A reader asked a particularly complex question recently: “Is the cloud safe to use?”

That’s one incredibly complex question. I’m going to to my best to answer it, but keep in mind that “the cloud” isn’t a single thing – it’s an interwoven set of services, platforms, and applications from multiple vendors and companies. The short answer to the question would be “Yes, so long as you’re secure when you use it,” but that’s hardly a good answer to give to someone looking for information. So, let’s break this down over the next few articles to give some advise on cloud security for the average user on the most common consumer cloud services: Cloud Backup, Syncing, and Storage, Cloud Software, The Internet of Things, and Cloud Desktops.

Part I: Cloud Storage, Syncing and Backup

Anyone with an Android or iOS phone, tablet, or other device knows about cloud storage, syncing, and backup. Your photos, application data, and other info are synced between your devices by means of cloud services provided by Google and Apple. Your data is backed up with automated backup tools from those companies, and you may even store data up in their cloud systems for sharing or use elsewhere. These same services can be used by other types of computers and devices with tools provided by DropBox, Carbonite, SpiderOak and more for your PC, Mac, and Linux desktops and laptops.

Security for these types of systems revolves around three concepts: Device security, platform security, and account security.

Device security is how you protect the devices that you control. That can be desktops, laptops, phones, tablets, set-top TV boxes (or SmartTV’s), etc. You do need to do your part to make sure the system as a whole remains secure – it’s not all the responsibility of the cloud provider in this case. The good news is that providing for device security isn’t overly complicated, and most devices walk you through the process automatically when you set them up.

Core concepts in device security are:
1 – Keep the device in your possession, and immediately notify the cloud provider if it’s lost or stolen. We all keep track of our – rather expensive – laptops, tablets, and phones, but this also extends to any device that holds personal or confidential information that can be stolen from you. If you lose any mobile device, or have a mobile or non-mobile device stolen, you must immediately notify the cloud provider to let them know it happened. This allows the cloud provider (Microsoft, Apple, Roku, Google, etc.) time to lock down your account to make sure whoever comes into possession of that device cannot get any of your information off of it.

2 – Lock devices down. Make sure you use passwords that aren’t simple 4 or 5 digit numbers (the usual default for these devices). iPhone, Android, and other types of devices will allow you to use fingerprints, facial recognition, and/or a complex password to gain access to their services; and you really should take advantage of these features. An attacker can quickly and easily figure out a 4-digit passcode, but will take much longer to figure out a complex password or passphrase. This means more time for you to realize the device isn’t in your possession anymore and alert the cloud provider that it is lost or stolen. It also means that visitors, kids, and others won’t gain access to things they shouldn’t – even when their intent isn’t malicious. This also counts for home assistants like Google Home, Apple HomePod, and Alexa. Set up purchasing passcodes so that people cannot accidentally or purposely place orders via these devices voice control systems.

3 – Don’t connect devices when you don’t have to – and limit what they can talk to. Not every device needs to talk to the internet 24/7. Make sure that, if you have the option, these devices are only allowed to go online when they need to. If a device must be online all the time, limit what it can do and who it can talk to. For example, most home routers have the ability to allow you to connect to your home network from anywhere. That means they continuously update the router vendor’s cloud services with your home IP address and other information. If you don’t have a need to access your home network from the outside world (and unless you have a specific reason to do that then you probably have no need), shut that feature off. Finally, be aware the convenience is often the enemy of security. I once had a CPAP machine (for sleep apnea) that offered to upload my sleep data to their cloud service so my doctor could get it. My doctor said I could just use the build-in memory card to get him that data – there was no need for the machine to be broadcasting that info – and so I shut it off. It would be more convenient to have the cloud handle that data, but much less secure with my medical details.

Platform security is all about the cloud vendor themselves, and what steps they take to make sure their own systems are secured. Most of this is far outside of your control, so you need to ask the vendors about their security practices and make a judgement call on if you trust them to hold your data or not.

For example, until relatively recently I had avoided using EverNote for note syncing. While they did encrypt data while it was being transmitted from my machine to their storage (known as encryption-in-flight), they did not store the data in an encrypted format when they were holding it (known as encryption-at-rest). That meant that if their systems got breached, all that data would be immediately visible to the attacker with no need to break an encryption algorithm to read it. Basically they had mined the front yard, but left the front door unlocked.

For the most part, cloud vendors will encrypt both in-flight and at-rest these days. As a matter of fact EverNote has indeed started encrypting at-rest over the past year or so in response to users demanding it. Apple, Microsoft, and Google all encrypt at rest for their sync and backup tools in iCloud, Office 365, and Google Apps as well.

You should be aware, however, that not all encryption-at-rest is created equal. Most vendors use shared-knowledge encryption, meaning that no other user of the service can see your data, but the service provider (Apple, Google, etc.) can see it whenever they need to. A famous case in recent history was when the US Government demanded Apple turn over all data from a suspect’s iPhone. While Apple could not read the data on the iPhone itself (as the phone’s encryption didn’t allow Apple to unlock it); Apple was able to – and did – hand over all data stored in iCloud, which uses shared-knowledge and allows Apple to unlock and read it.

While zero-knowledge vendors of cloud sync, backup, and storage exist (such as SpiderOak and CrashPlan Pro); their services are generally much more complex and expensive that shared-knowledge vendors like DropBox and iCloud. The reason is that zero-knowledge systems require dedicated storage and other technologies for each user, making those services cost the vendor more per-customer, which is passed on to the customers themselves. For most data, shared-knowledge is perfectly fine if the company in question – like DropBox or Apple – has a proven track record of securing their own access to your data. Apple has proven they will only turn over data with a valid warrant or other legal instrument; and DropBox did have some hiccups, but has worked very hard to close those security holes and ensure new ones do not crop up.

Account security is the third pillar of safe sync, backup, and storage online. This one is shared between you and the cloud vendor equally. You must use a secure password and only access the service from devices that you trust. They must ensure all employees follow security best-practices and no one gets unauthorized access to their systems. Working together, both of you ensure that your account information (passwords, application authorizations, etc.) stay assigned to you and you alone – keeping prying eyes from getting the chance to access your stuff on their servers.

Taken together; device security, platform security, and account security work to make sure that neither you or the cloud vendor do anything that could compromise either your data or their services. Controlling your devices allows you to make sure they don’t leak information or allow others to access it. By sticking with well-regarded and well-secured vendors who have a commitment to platform security you can make sure the platform itself will keep attackers out. Account security makes sure that it is as difficult as possible for an attacker to impersonate you or an employee of the cloud vendor and gain unauthorized access.

So, as you can see; using sync, backup, and storage in the cloud can be secure if both you and the cloud vendor take security seriously. Stay tuned for parts II and III for more information!

Newbie2Security: Are Macs Safer Than PC?

Image courtesy of The Noun ProjectA reader recently asked: “I’ve heard that Macs are safer than PC’s. Is that true, and why or why not?”

Well, unfortunately the answer to “Is that true?” is a complete “No.” Macs are not safer than PC’s at all, read on to find out more.

Macs *do* have fewer pieces of malware written specifically to attack them, that is indeed true.

Malware is a security industry catch-all term for any software specifically written to attack and/or damage a digital system or steal information from such a digital system. That can be a virus, trojan, or worm – but it can also be software that encrypts your data and holds the unlock key hostage (ransomeware) or software designed to steal your usernames, passwords, etc.

That being said, there are several things to keep in mind that make Macs as exposed as PC’s (Windows-based machines) these days:

1 – Malware is less about how many different kinds of it exist and much more about how often the ones that do exist succeed in attacking your computer, phone, etc. Mac malware absolutely exists, and though there is less of it; it tends to be very widespread in a very short amount of time. That means while there are fewer kinds of Mac malware, they’re more likely to find their way onto your devices. It only takes one piece of malware to wreak havoc, so the numbers don’t matter and Macs are not inherently safer because there’s fewer pieces of it out there.

2 – Modern attackers are moving away from machine-specific or Operating System-specific attacks. While before the methods used to infect a machine were loaded email attachments and network-based attacks; these days they’re more likely to take advantage of tools and platforms that work on both Windows and Mac. Google Apps, Microsoft Office Online, Adobe Flash Player, Java, and many others work nearly identically on both Windows and Mac since these software packages run in the browser or are just modified versions of each other for each platform. Chrome on Windows and Chrome on Mac are not identical, but they are close enough to each other that an attack that works on one will work equally well on the other. Recent ransomware attacks that were spawned through an infected Flash app are a great example of that. The attacker wrote slightly different payloads for Windows and Mac, but the actual attack worked the same on both platforms; making it much easier for the whole attack to happen – and just as likely to happen on Mac as it was to happen on PC.

3 – Attacks may not need to talk to your computer to impact you at all. Attackers are working hard to compromise websites and online applications directly. That means they can steal personal information and data without ever having to actually compromise your machine at all – PC or Mac. Since these attacks happen at the Service Provider side (such as your bank website or online shopping vendor); you don’t have to fall victim to anything on your own computer to fall victim to the attacker.

So, as you can see, no matter if you’re on a PC or a Mac, you’re no safer on one vs. the other. You need to take reasonable precautions to make sure you’re not getting attacked just as much on your MacOS-based devices as you do on your Windows devices. Oh, and for those who say Linux is the answer; just remember that anything that doesn’t attack your machine directly (see point 3 above) will still hit you – even on Ubuntu or RedHat.

Stay safe, no matter what Operating System you use.

Where the hell have you been?

Well, it’s been some time since I posted, and I think an explanation is in order.

As many of those who follow me on Twitter already know, I moved about a year ago into a whole new career path. I’m still working as a technology pro helping out sales teams; but now I’m doing it in the Identity Security world. That’s meant a lot of ramp up and learning time for me, limiting how much time I can spend on this blog.

I’ve also been helping out by contributing blog postings to their company blog. Search the SecureAuth+Core Security blog for “Security in Plain English” and you’ll find a bunch of stuff I’ve been typing away on.

However, I don’t want to leave my independent writing behind! So, I’m glad to introduce a whole new column here on MikeTalon.com: Newbie2Security. The first several articles are already written and ready to go, and I’ll be posting more as we move forward. Please feel free to tweet or DM me if you have questions you’d like answered, and I’ll keep finding interesting stories to explain out in everyday language for those just learning about security and technology.

Enjoy the new column, and thanks for sticking around! First post in the new column is coming in just a few hours.