Channel Scoop – October 23, 2015

Sit back and relax. Let us do the information gathering and give you the channel scoop.

  • We have 6 business days left in Q1. We have countless folks around the globe ready to help you maximize your Q1 close. If you still need help, please email your question/request to nextwave@paloaltonetworks.com.
  • Need a little extra help getting your customer to upgrade from the PA-2000 Series to PA-3000 Series or from the PA-4000 Series to PA-5000 Series? Don’t forget we recently launched the Customer Care Upgrade Program, designed to provide an incentive to help fuel the conversion of our customer install base. Click here to learn more.
  • Customer success stories are key to accelerating the sales cycle. What if you could easily take a Palo Alto Networks customer testimonial to your next customer meeting? Now you can with our new prevention e-story, which allows you to see and hear from Palo Alto Networks customers. Click here to access the web version of our e-story or to be able to download the e-story to your smartphone or tablet via the Android or Apple App stores.
  • Looking for that key data point or research fact to help move your customer to close? Our 2015 Application Usage and Threat Report has new and compelling data. For example, over 40% of email attachments examined by WildFire were found to be malicious. Click here to access the report and to learn more, including a quick 90-second summary video.
  • Need help convincing your customer that security is a top priority for today’s executive leadership? Click here to access the Governance of Cybersecurity Report for 2015 infographic, which you can quickly share with your customers.

What topics would you like the scoop on next? Let us know by commenting on this blog.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Locked Down: Information Security for Lawyers

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Christina Ayiotis

Locked Down: Information Security for Lawyers (2013) by Sharon D. Nelson, David G. Ries, and John W. Simek

FULL DISCLOSURE: I have known Sharon and John personally and professionally for more than a decade and consider them good friends. We have participated together on panels, spoken at the same conferences, and served on committees and boards of directors together. We have similar areas of expertise and civic commitment. 

EXECUTIVE SUMMARY

Sharon, David and John published an important book on information security for lawyers and law firms three years ago. Given the number of law firm breaches since, it appears that few lawyers read or heeded their advice. Locked Down is an easy-to-read overview of why lawyers need to implement good information security, not just cybersecurity, and how. It is even more relevant today than when first published. This book belongs in the Cybersecurity Canon because it provides cybersecurity professionals context regarding the legal profession’s requirements and strategies for dealing with cyber and information risk and obligations.

Introduction

Cybersecurity is such an important topic in the legal field that lawyers are starting to pay actual money to be a part of a brand-new Legal Services Information Sharing & Analysis Organization (sold to them by the FS-ISAC) [1]. While my fellow Cybersecurity Canon Committee member Ben Rothke wrote an Amazon review of this book in May 2013 [2], he did so from a Cybersecurity/IT professional’s perspective. My review will primarily be from the perspective of a Cyber Attorney, former Deputy General Counsel of a technology services multinational, Privacy Expert, Certified Records Manager and active member in good standing of the Virginia State Bar for 24 years.

REVIEW

When Locked Down was published, the American Bar Association (a private sector voluntary professional association with no lawmaking power or regulatory authority that relies on the State Bars as an independent enforcement organization) was still considering updates to its Model Rules of Professional Conduct that would bring them into the 21st Century. While those updates are now in effect, and they include being competent regarding the “benefits and risks associated with relevant technology,” there is little evidence that the more than one million lawyers in the U.S. have sufficiently educated themselves to be considered competent. Reading this book would be a good start. Then, taking it to their IT colleagues (or consultants, if they are solo or a small firm) and working together to understand how the various strategies are (or could be) implemented would be the next logical step.

While the book starts with “data breach nightmares,” it’s probably no longer necessary to start with fear. Information security is now a business imperative for clients, and they drive the requirements (most of which are conveniently explained). While it is 319 pages in total, the text runs only 170 pages; the rest of the book contains helpful Appendices and an Index.

Yes, lawyers have ethical obligations to keep client information confidential, but there are common law duties, as well as regulatory/statutory requirements for certain data types (that affect both lawyers and clients alike), and the authors provide that as background. The book then delves into all aspects of security (physical, information, cyber and personnel) and uses real case studies to make its point. For example, the authors recount the horrifying and “amusing” story about Kevin Mitnick taking on a new identity as Eric Weiss, “the real name…of…Harry Houdini (sic)” to get a job as a systems administrator at a Denver law firm. Ironically, there has been an explosion of cybersecurity practices at law firms in the last few years; the shoemaker’s children excuse will definitely not work for them. It would not surprise me to see a day when a law firm is sued by a client because of a data breach and Locked Down is entered into evidence to demonstrate the “reasonable care” law firms should be taking with respect to security.

“Two lawyers and an IT expert” sounds like the beginning of a good joke, but it is the unique blend of perspectives and expertise the authors bring that makes the book so readable. A SANS Institute Glossary of Security Terms is conveniently located in Appendix M, so lawyers unfamiliar with such terms can easily look them up. Topics such as authentication, secure configuration, and virtual private networking (VPN) should be part of every lawyer’s lexicon, if for no other reason than that their clients have the exact same issues protecting information in their own environments.

Advice regarding securing desktops, laptops, mobile devices, email, voice communications, etc. covers general business issues that all professionals should be aware of. Outsourcing and cloud computing are even more prevalent today, and managing that third-party risk is not just an ethical duty but also a business requirement; the authors’ recommendations in that regard are critical. It’s also important for law firms to acknowledge that clients consider them to be third-party vendors that must similarly meet baseline security requirements. Appendix H: “Lockdown: Information Security Program Checklist” is an excellent starting point.

The Certified Records Manager in me applauds the inclusion of Chapter 13: “Secure Disposal,” and the authors get extra points for citing a relevant NIST standard. While the book focuses on information security, it is important to recognize that end-to-end information management (for both client and law firm information) is the goal (to mitigate risk and reduce costs). Chapter 15: “Securing Documents” is particularly important for lawyers because legal advice provided within documents and relevant communications channels must be kept secret in order to be protected by the attorney-client privilege (not to mention the requirements for trade secrets). There is also an important discussion regarding metadata (from both operating system and application perspectives), which is not surprising given that Sharon and John (along with Bruce A. Olsen) wrote The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines.

They cover cyberinsurance but caution that policies are confusing and care must be taken to understand what exactly is covered (and what is not). They end the book looking at “The Future of Information Security,” and readers should be aware that the topics covered (laws and regulations, BYOD, passwords, policies and plans, mobility, cloud computing, social media, and training) are all everyday issues now.

CONCLUSION

Given how quickly technology evolves, in the next edition of Locked Down the authors will likely have to add sections on wearables, biometrics as part of multifactor authentication, quantum encryption, virtual law practices, etc., but lawyers should feel comfortable knowing that mastering what’s in this book puts them in a defensible position. Furthermore, good information security is now a business differentiator. Law firms that implement all of the book’s recommendations can use their superior cybersecurity standing when marketing their services. [3] They can even give clients a copy of Locked Down for their own use (and no, I’m not getting paid a commission on book sales).

SOURCES

[1] “Legal Services Information Sharing & Analysis Organization,” by the FS-ISAC, Last Visited 21 October 2015, http://www.fsisac.com/ls-isao

[2] “Top Customer Reviews: Locked Down: Information Security for Lawyers,” by Ben Rothke, Amazon, 20 May 2013, Last Visited 21 October 2015, http://www.amazon.com/Locked-Down-Information-Security-Lawyers/dp/1614383642

[3] “Law firm makes a case for security certification,” by Mary K. Pratt, CIO.COM, 28 August 2015, Last Visited 21 October 2015, http://www.cio.com/article/2969323/security/law-firm-makes-a-case-for-security-certification.html

[Palo Alto Networks Blog]

Palo Alto Networks Receives 2015 Frost & Sullivan Asia Best Practices Award

Frost & Sullivan recently named Palo Alto Networks the recipient of the Asia Pacific Technology Innovation Leadership Award for Security.

Held annually in Singapore, the Awards program recognizes best-in-class companies in Asia Pacific. This program has identified many outstanding companies from the automotive, energy, building & environment industries to the healthcare, information communication technologies and logistics sectors in the region.

Palo Alto Networks’ achievement was evaluated based on market performance indicators and research conducted by Frost & Sullivan’s analysts.

KP Unnikrishnan, Marketing Director, Asia Pacific & Japan for Palo Alto Networks, was present at the award ceremony. Do check out some of the photos from the event below!

(Left) Vivek Vaidya, Vice President, Frost & Sullivan presenting the award to KP Unnikrishnan, Marketing Director, Asia Pacific & Japan for Palo Alto Networks (right).

[Palo Alto Networks Blog]

Chinese Taomike Monetization Library Steals SMS Messages

Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.

While not all SMS-based IAP applications steal user data, we recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike-controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third-party distribution mechanisms in China.

Background

WildFire captures many samples of mobile malware that intercept and upload SMS messages. Most of these are created by malware authors who set up command and control (C2) servers with third-party hosting providers and frequently update their locations to avoid detection.

Among this malware we have found many samples created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only for the user to find later that a charge has appeared on their phone bill. Antivirus programs typically identify these apps as malware, but the topic of this blog is something different and harder to detect.

Taomike is a Chinese company that aims to become the biggest mobile advertisement solution platform in China. They provide an SDK and services to help developers display rich advertisements with a high pay rate. Taomike has not previously been associated with malicious activity, but a recent update to their software added SMS theft functionality. The apps this library is embedded in may be legitimate and have significant functionality, but their developers’ choice to use this library has put them at risk.

Technical Details: SMS Theft

Not all apps that use the Taomike library steal SMS messages. Our analysis indicates that only samples that contain the embedded URL hxxp://112.126.69.51/2c.php have this functionality. This is the URL to which the software uploads SMS messages, and the IP address belongs to the Taomike API server used by other Taomike services. We have captured around 63,000 Android apps in WildFire that include the Taomike library, but only around 18,000 include the SMS theft functionality.

We believe there are different versions of the Taomike SDK and only some of them include SMS uploading behavior. Based on our data, the version that contains the SMS stealing functions is newer and was released around August 2015. Apps that use earlier versions of the library appear to be safe.

The Taomike library is called “zdtpay” and is a component of Taomike’s IAP system.

Because Android apps are required to list the permissions they need in their manifest file, we can see that this library requires both SMS and network related permissions. The library also registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions with the highest possible priority, 2147483647, so that it is handed incoming SMS broadcasts before any other receiver on the device.
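The manifest indicators just described (SMS plus network permissions, and an SMS_RECEIVED receiver registered at the maximum priority) can be turned into a triage check. The script below is an added example, not code from the post or from Taomike; it assumes the manifest has already been decoded from the APK's binary XML form, and the sample manifest it parses is constructed for illustration using the receiver and service names the post reports.

```python
"""Triage an Android manifest for the SMS-interception pattern described
in the post: SMS and INTERNET permissions combined with a receiver for
SMS_RECEIVED registered at the maximum priority value 2147483647."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAX_PRIORITY = 2147483647
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (not extracted from any real app). Only the
# receiver/service names come from the post; everything else is illustrative.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name="com.zdtpay.Rf2b">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.zdtpay.MySd2e"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return findings for the SMS-interception pattern as a dict."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "internet_permission": "android.permission.INTERNET" in perms,
        "sms_receivers": [],
    }
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(flt, "priority")
            priority = int(raw) if raw is not None else 0
            findings["sms_receivers"].append({
                "name": _attr(receiver, "name"),
                "priority": priority,
                "max_priority": priority >= MAX_PRIORITY,
                "boot_completed": BOOT_COMPLETED in actions,
            })
    # All three conditions together match the pattern the post describes.
    findings["suspicious"] = bool(
        findings["sms_permissions"] and findings["internet_permission"]
        and any(r["max_priority"] for r in findings["sms_receivers"]))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

A hit from this check is a reason to look at the code behind the receiver, not proof of theft on its own: a legitimate default SMS app will also hold these permissions and register an SMS_RECEIVED receiver.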

Figure 1. Registered receiver for SMS_RECEIVED

The registered receiver Rf2b reads SMS messages whenever they arrive. The message body and sender phone number are collected as shown in Figure 2.

Figure 2. SMS body and sender number read

If the device has just booted, it will start the service MySd2e, which then registers a receiver for Rf2b as shown in Figure 3.

Figure 3. MySd2e Service registers receiver for Rf2b

SMS information collected by the receiver is saved in a hashmap with “other” as the key and passed to a method that uploads the message to 112.126.69.51, as shown in Figure 4.

Figure 4. Information uploaded to IP Address used by api.taomike.com

All SMS messages sent to the phone are uploaded, not just those that are relevant to Taomike’s platform. Figure 5 shows a packet capture of a test message upload. The message content is “hey test msg”, as circled with the dashed red box.

Figure 5. SMS uploaded via HTTP in pcap

The Taomike library makes contact with the following URLs, but only the “2c.php” path is used to capture SMS messages. The rest appear to be used for other parts of the IAP functionality in the library.

Risks and Mitigation

We have captured over 18,000 samples that contain the SMS stealing library since August 2015, meaning the number of affected users is considerable. We expect the number of affected apps and users to increase as more developers incorporate the newer version of the Taomike library.

The infected apps are not limited to a single developer or third-party store, as many developers appear to use the Taomike library. Some of the infected apps purport to contain or display adult content.

We do not know how Taomike is using the stolen SMS messages, but no library should capture all messages and send them to a system outside the phone. In version 4.4 of Android (KitKat), Google began preventing apps from capturing SMS messages unless they were defined as the “default” SMS app.

Users outside of China and those that only download apps from the official Google Play store are not at risk from this threat.

To protect Palo Alto Networks customers from the Taomike SMS stealer, we’ve made the following protections available:

  • Palo Alto Networks WildFire will automatically identify and block malicious APK samples containing the SMS stealing library
  • Threat Prevention signature 14798 will detect and block the malicious C2 communication, including the SMS upload traffic from the Taomike library
  • Palo Alto Networks AutoFocus users can identify and investigate this threat using the Taomike tag

Conclusion

Even popular third-party monetization platforms are not always trustworthy. When developers incorporate such libraries into their apps, they need to carefully test them and monitor for any abnormal activity. Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must do to ensure the safety of all mobile devices and their users.

Acknowledgement:

We greatly appreciate the help from Rongbo Shao from Palo Alto Networks in working on the Threat Prevention signature. We would also like to thank Ryan Olson, Benjamin Small, Richard Wartell, and Chris Clark from Palo Alto Networks in publishing the discovery.

[Palo Alto Networks Blog]

Back to the Future: You Don’t Need a Time Machine to Prevent Previously Unknown Endpoint Threats

Today is Back to the Future day, and the date above, as all fans of the iconic movie know, is what was programmed into the DeLorean time machine. The concept of time travel has long fascinated me, and thinking about this special day got me also thinking about how we deal with cyber threats. The approach to endpoint security still relied upon by most organizations has been largely unchanged for decades. That’s right, signature-based malware detection is very old technology. It relies on prior knowledge of a threat in order to detect and eradicate it. Even newer approaches require prior knowledge in the form of indicators of compromise (IOCs) or behavioral patterns to look for. This approach poses significant challenges when it comes to preventing security breaches. If your approach is based on detecting the fact that something bad has occurred, then how can you prevent that bad thing from happening? Do you need a time machine for that?

It turns out our researchers here at Palo Alto Networks have solved that problem. We launched Traps about 12 months ago with the goal of redefining endpoint security by providing the much-needed ability to prevent advanced threats on the endpoint. Traps has been performing amazingly well when it comes to preventing previously unknown threats, without the need for any product updates. The reason for this is that it focuses on preventing the core techniques that are used by all exploits. And we didn’t need a time machine to get there.

Let’s examine the evidence

Exhibit A:

A Traps customer in the banking industry recently reported to us that Traps successfully prevented an Adobe Flash exploit from April 2015. This, in and of itself, is not unusual, because we know that Traps prevents exploitation of unpatched vulnerabilities all the time. The interesting part of this story is the version of Traps the customer was running. An early Traps customer, they still had a system running Traps v2.3.6, which was released about a year before this vulnerability and the associated exploits became known. So a version of Traps from March 2014, never updated, prevented a zero-day exploit in April 2015.

Exhibit B:

In July 2015 a series of Adobe Flash zero-day vulnerabilities were disclosed as the result of an unfortunate data breach. The public was left waiting for patches while attackers began exploiting those vulnerabilities. Even organizations that deployed every security patch immediately upon release were left vulnerable for weeks. However, those organizations running Traps were never vulnerable, regardless of whether patches were deployed. Traps simply prevented the exploit techniques leveraged by all of these exploits.

Figure 1. Adobe Flash zero day timeline, July 2015

I’ll leave it to you to examine the evidence and draw your own conclusions. Is the technology that underlies Traps fundamentally powerful and innovative? Or does someone on our R&D team have a DeLorean in the garage? Either way, Traps is redefining the endpoint protection market by enabling organizations to truly prevent unknown exploits and malware.

To learn more about Traps, visit our resources page.

[Palo Alto Networks Blog]
