Information Security - A Shared Responsibility

A Connecticut College blog dedicated to education in the cybersecurity landscape

Mobile Device Encryption

In a time when smartphones have become so entrenched in our daily activity, it is important to consider how to protect the data on these devices.

Encryption is a way to protect data at rest, and it is easiest to explain in terms of a bank vault. Once an attacker has breached the vault door, the cash is available and unprotected. Think of encryption as a “dye pack” behind the vault door that explodes and renders the cash useless to the thief. Though less permanent than my example, encryption protects the data on your hardware by scrambling it into an unreadable form that only the right key can reverse. The good news is that it is fairly easy to enable on your smartphone, as you will read below.

There is certainly no global encryption standard or method for all smartphones, and in this article I will briefly compare and contrast the stock encryption offered on the two most popular platforms: iOS and Android.


iOS

The iOS platform uses file-based encryption (FBE), which Apple calls Data Protection, and it requires minimal effort from an iPhone user. As long as a lock screen passcode is set (which you absolutely should do), the key hierarchy protecting the device’s files and keychain items is tied to that passcode, and the bottom of the passcode settings screen confirms “Data protection is enabled.” Every file and keychain item is encrypted on disk; how much protection it keeps while the screen is locked depends on its protection class, described below. On your phone, open Settings, then select “Touch ID & Passcode” to set a passcode.

[Image: iphone_encryption, the iOS Touch ID & Passcode settings screen]

Taking a slightly deeper dive for the tech enthusiasts, every file on the phone is assigned one of four protection classes (Apple names them Complete Protection, Protected Unless Open, Protected Until First User Authentication, and No Protection), and the class determines which data remains accessible while the phone is locked. One class, Protected Unless Open, even allows new files to be created behind a locked screen, e.g. by the camera: you can take a photo while the phone is locked, but once the file is closed its key is discarded and the photo cannot be read again until you unlock the device.

To provide another example, notice that when the phone is locked and you receive a phone call, the phone can still read your contacts to identify the caller and display the information correctly. This works because the data involved sits in a class whose key is not purged when the screen locks: either it is protected only until the first unlock after boot, or it belongs to the No Protection class, whose key is tied to the device hardware rather than to the PIN the user enters.


Android

In contrast to iOS, Android has traditionally used Full-Disk Encryption (FDE), an all-or-nothing approach that encrypts the whole user-data partition at the sector level. A bit more effort is required to set it up, but it is fairly simple. In Android 7 you can find this under Settings > Lock Screen and Security > Secure Startup on many phones (the exact path varies by manufacturer). Note that without Secure Startup (“require PIN to start device”) the disk key is protected only by a built-in default password, so the data decrypts automatically at boot; that setting is what binds the disk key to your PIN or password.

[Image: android_encryption, the Android Secure Startup setting]


Since the release of Android 7, named “Nougat,” File-Based Encryption (similar to that used in iOS) is available to device makers and ships enabled on Google’s own Pixel phones. The feature built on it is called “Direct Boot,” and it splits storage into only two categories (short of Apple’s four classes): Device Encrypted storage, accessible before a PIN or passcode is entered, and Credential Encrypted storage, accessible only after a successful login. This is not as extensive as Apple’s FBE: once the user has unlocked the phone for the first time after boot, the Credential Encrypted keys stay in memory until the next reboot, so the lock screen no longer enforces any key-level protection. It is, however, a step in a new direction for Google, and an acknowledgement of the balance between functionality and security on their platform.


Which platform offers a more secure solution?

The answer depends on how you value and measure security. Only Android offers sector-level full disk encryption. With Secure Startup enabled, this renders your phone a useless “brick” while it is off, until you decrypt it by entering the PIN or password at startup. Even with the new file-based encryption, however, there is no key-level protection enforced after the first login: the Credential Encrypted keys stay in memory until reboot, so the only protection is your lock screen, acting as a “single locked door between the thief and the room of treasure.”

In contrast, iPhone users have some degree of encryption on all of their data when the phone is on and screen-locked, and Complete Protection files lose their keys shortly after the screen locks. This speaks to Apple’s deliberate focus on limiting the sacrifice of functionality for security. If you’re up against a sophisticated attacker with enough resources and forensic expertise, however, a powered-down FDE-enabled Android phone would fare better than an iPhone: nothing on its data partition is readable without the password, whereas an iPhone’s No Protection class files are unwrapped by a hardware key as soon as it boots.
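To make the class behaviour described above concrete, here is an added toy model (my own, not Apple’s or Google’s code) of the key hierarchy: per-file keys wrapped under class keys, class keys wrapped under a key derived from the passcode and the device UID, and a keybag in memory that changes with device state. It covers three of Apple’s four classes (the asymmetric trick behind Protected Unless Open is left out) and maps Android’s Device Encrypted and Credential Encrypted storage onto classes D and C. HMAC-SHA256 in counter mode stands in for AES because the Python standard library has none, and the UID, passcode and file names are constructed for the example.

```python
"""Toy model of the iOS Data Protection key hierarchy, with the Android DE/CE split.

Added example, not Apple's or Google's code. Assumptions: HMAC-SHA256 in counter mode
plus an HMAC tag stands in for AES (the standard library has no AES); the hardware UID
is a constructed constant; class B's asymmetric write-while-locked trick is not modelled,
so only classes A, C and D appear. Android Device Encrypted storage behaves like D and
Credential Encrypted storage like C.
"""
import hashlib
import hmac
import os

UID = bytes(range(32))        # constructed stand-in for the fused-in hardware UID key
NONCE_LEN, TAG_LEN = 16, 16


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt. Raises ValueError under the wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))


class Device:
    def __init__(self, passcode: str):
        self.uid_key = hashlib.sha256(UID).digest()
        passcode_key = self._passcode_key(passcode)
        # Class keys sit on flash wrapped: D under the UID key alone, A and C under a key
        # derived from the passcode and the UID (entangling forces guessing to happen on-device).
        self.keybag = {
            "A": seal(passcode_key, os.urandom(32)),
            "C": seal(passcode_key, os.urandom(32)),
            "D": seal(self.uid_key, os.urandom(32)),
        }
        self.files = {}      # name -> (class, per-file key wrapped under class key, sealed data)
        self.in_memory = {}  # unwrapped class keys currently held in RAM
        self.boot()

    @staticmethod
    def _passcode_key(passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), UID, 100_000)

    def boot(self) -> None:
        """Power on: only the UID-protected class D key is available (Android DE)."""
        self.in_memory = {"D": open_sealed(self.uid_key, self.keybag["D"])}

    def unlock(self, passcode: str) -> None:
        """The right passcode unwraps A and C; a wrong one fails the tag check."""
        key = self._passcode_key(passcode)
        for cls in ("A", "C"):
            self.in_memory[cls] = open_sealed(key, self.keybag[cls])

    def lock(self) -> None:
        """Screen lock: A is purged; C stays resident until reboot (Android CE)."""
        self.in_memory.pop("A", None)

    def write_file(self, name: str, cls: str, data: bytes) -> None:
        file_key = os.urandom(32)
        self.files[name] = (cls, seal(self.in_memory[cls], file_key), seal(file_key, data))

    def read_file(self, name: str) -> bytes:
        cls, wrapped_key, blob = self.files[name]
        if cls not in self.in_memory:
            raise PermissionError(f"class {cls} key is not in memory")
        return open_sealed(open_sealed(self.in_memory[cls], wrapped_key), blob)


def readable(device: Device, name: str) -> bool:
    try:
        device.read_file(name)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Unlock, write one file per class, lock, then reboot; record what stays readable."""
    phone = Device("1234")
    try:
        phone.unlock("0000")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    phone.unlock("1234")
    phone.write_file("photo.jpg", "A", b"complete protection")
    phone.write_file("contacts.db", "C", b"protected until first user authentication")
    phone.write_file("ringtone.m4r", "D", b"no protection")
    phone.lock()   # screen locked, but unlocked at least once since boot
    locked = {name: readable(phone, name) for name in phone.files}
    phone.boot()   # powered off and on again: no unlock yet
    rebooted = {name: readable(phone, name) for name in phone.files}
    return {"wrong_passcode_rejected": wrong_rejected, "locked": locked, "rebooted": rebooted}


if __name__ == "__main__":
    print(demo())
```

Running demo() reproduces the comparison made above: after a lock, the class A file is unreadable while the class C and D files remain readable (which is what an Android phone with file-based encryption looks like after its first unlock); after a reboot only the class D file is readable; and a wrong passcode fails the keybag’s integrity check instead of producing garbage.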

It is also important to discuss the relationship these platforms hold with their app developers. With its class assignment system, Apple has provided developers with a simple and useful tool set to protect what they create. Google has less of a handle on this, but the open-source nature and abundant size of the Android knowledge community provides developers and engineers with solid and expansive security insight.


Sources: https://blog.cryptographyengineering.com/2016/11/24/android-n-encryption/, https://security.stackexchange.com/questions/57588/iphone-ios-7-encryption-at-lock-screen

The Rise of Ransomware


A threat called “ransomware” has become increasingly notorious in recent years. It is malware that, in its simplest form, encrypts some or all of the victim’s data and denies access until the victim makes a payment. Ransomware is cropping up in many different environments, with education becoming a popular target. It can arrive through email attachments, fake software update downloads, and peer-to-peer platforms, and some strains propagate via external drives.

Below is an example of the message a user might receive once infected:

[Image: ransomware2, a sample ransom note]

Payment has traditionally been demanded in Bitcoin, and full decryption of the files is never guaranteed even once the attacker receives payment. This makes ransomware tough to recover from once you are affected.

Following the trend of any thriving tech enterprise, ransomware has become increasingly sophisticated in its packaging, its execution, and the “bargain” it demands before the hostage data is released. Below is a closer look at just a few of the new flavors observed in the past year:


Zcryptor

Zcryptor drops a file labeled autorun.inf on any removable drive (e.g. a USB flash drive) mounted on the infected computer, so that it self-propagates and exhibits worm characteristics. (Since a 2011 update, Windows no longer honors autorun.inf on USB drives by default, so this spreads mainly to unpatched or deliberately reconfigured machines; the dropped file is still a useful indicator of compromise.)

“The ransomware targets numerous file types, encrypts them and adds the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machines, which is meant to denote that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.”

From <http://www.securityweek.com/zcryptor-ransomware-spreads-removable-drives>

Locky

A close cousin of Zcryptor, Locky is also known to encrypt files on network shares that the infected user has permission to write to. The infection starts when the victim opens a Microsoft Office document and enables macros; the macro downloads and runs the Locky executable, which encrypts most of the files in the user profile within minutes, along with any attached peripheral drives or network shares the user can reach. The malware is fairly good at covering its tracks too, removing the executables it creates under the hidden %AppData% folder, as well as changes and additions it made to the Windows registry.

“Remember also, that like most ransomware, Locky doesn’t just scramble your C: drive. It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.”

From <https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/>
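Since the Locky lure depends on the victim enabling macros, a useful habit is to check whether a document even contains a VBA project before clicking “Enable Content” (the same advice appears under the prevention tips later in this post). The following is an added example of my own, not code from Sophos or from this post: it uses only the Python standard library, treats .docx/.xlsx/.pptx files as the zip archives they are, and looks for the vbaProject.bin part and the macro-enabled content types. The two sample documents are constructed in memory and contain no real macros; the OLE header constant and the content-type strings are the standard ones, while the keys of the result dictionary are my own naming.

```python
"""Inspect an Office document for embedded VBA before anyone clicks "Enable Content".

Added example, not from Sophos or the original post; standard library only. Modern
.docx/.xlsx/.pptx files are zip archives, and a macro-enabled document carries a
vbaProject.bin part plus a matching content type. Legacy binary .doc/.xls files are
a different container and are reported as "cannot verify". The sample documents
below are constructed in memory and are not real malware.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of the legacy binary Office container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")


def inspect_office_file(data: bytes) -> dict:
    """Return {'format': ..., 'macros': True | False | None, 'evidence': [...]}.

    macros=None means the file could not be inspected with this method.
    """
    if data.startswith(OLE_MAGIC):
        return {"format": "legacy-ole", "macros": None,
                "evidence": ["binary .doc/.xls container: VBA streams not parsed here, treat as suspicious"]}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "macros": None, "evidence": ["not an OOXML zip archive"]}

    has_vba, evidence = False, []
    for name in archive.namelist():
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):      # the compiled VBA project itself
            has_vba = True
            evidence.append(f"VBA project part: {name}")
        elif lower.startswith(EMBED_DIRS):        # OLE/packager objects: another lure vector
            evidence.append(f"embedded object: {name}")
    try:
        types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        types = ""
        evidence.append("missing [Content_Types].xml")
    if VBA_CONTENT_TYPE in types or "macroenabled" in types.lower():
        has_vba = True
        evidence.append("content types declare a macro-enabled document")
    return {"format": "ooxml", "macros": has_vba, "evidence": evidence}


def build_sample(with_macros: bool) -> bytes:
    """Constructed, minimal OOXML document (a real one has many more parts)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b" placeholder, not a real VBA project")
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False)),
                       ("legacy", OLE_MAGIC + bytes(64))):
        print(label, inspect_office_file(doc))
```

Legacy binary .doc and .xls files use the OLE compound file container rather than a zip, so the function reports them as unverifiable; for those, or for a second opinion on any attachment, the olevba tool from the oletools package parses the VBA streams directly.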

Doxware

This one takes the traditional ransomware attack a big step further by threatening to release private information (personal or organizational) to the public. This includes private conversations, photos and other sensitive data, and it only increases the pressure on the victim to pay. Due to the effort such an attack requires, DarkReading suggests that attackers are likely to reserve it for more specialized targets.

“Doxware requires strategic end-to-end planning, which means hackers will target their victims more deliberately. Therefore, malicious players will be more intentional in whom they attack, giving corporate leaders, politicians, celebrities, and other public figures cause for concern.”

From <http://www.darkreading.com/attacks-breaches/ransomware-has-evolved-and-its-name-is-doxware/a/d-id/1327767>

Popcorn Time

This is actually considered a mutation of “Doxware,” but the terms for decryption become even more interesting. With a cynical twist on “word-of-mouth” marketing, the victim can choose to pass the infection on to two other people in lieu of paying the ransom.


Database Threats

Folks over at BinaryEdge have seen a surge in ransom attacks on a handful of database technologies, including MongoDB, Redis, ElasticSearch, Hadoop, Cassandra and CouchDB. These are not encryption-based: the attackers scan for instances exposed to the internet with no authentication, delete or export the data, and leave a ransom note in its place, often without keeping a copy at all, so paying rarely gets the data back. See their blog for the details.
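What those database attacks had in common was an instance listening on every interface with no authentication required, so the fix starts with the configuration file. The following is an added example, not BinaryEdge’s code or anything from their blog: it parses a redis.conf and a mongod.conf and reports the settings that leave the service exposed. The weak and hardened snippets are constructed; the directive names are the real ones, and the mongod.conf parser handles only the two-level layout shown, not general YAML.

```python
"""Audit a redis.conf and a mongod.conf for the exposure behind the database ransom
campaigns: listening on every interface with no authentication. Added example, not
BinaryEdge's code; both configuration snippets are constructed, and the mongod.conf
parser handles only the two-level "section:\\n  key: value" layout, not general YAML.
"""

WEAK_REDIS = """\
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass line at all
"""
HARDENED_REDIS = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
"""
WEAK_MONGOD = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
HARDENED_MONGOD = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> dict:
    """directive -> argument string; comments stripped, last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, _, args = line.partition(" ")
            conf[directive.lower()] = args.strip()
    return conf


def audit_redis(conf: dict) -> list:
    findings = []
    bound = conf.get("bind", "").split()   # no bind line means every interface
    if not bound or ALL_INTERFACES & set(bound):
        findings.append("bind: listening on all interfaces; bind to 127.0.0.1 or an internal address")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")
    if not conf.get("requirepass"):
        findings.append("requirepass unset: anyone who can connect can run FLUSHALL")
    return findings


def parse_mongod_conf(text: str) -> dict:
    """'section.key' -> value for the indented two-level YAML mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith((" ", "\t")):
            conf[f"{section}.{key.strip()}"] = value.strip()
        else:
            section = key.strip()
            if value.strip():
                conf[section] = value.strip()
    return conf


def audit_mongod(conf: dict) -> list:
    findings = []
    bind_ip = conf.get("net.bindIp")
    if conf.get("net.bindIpAll", "").lower() == "true" or (
            bind_ip is not None and ALL_INTERFACES & {b.strip() for b in bind_ip.split(",")}):
        findings.append("net.bindIp: listening on all interfaces")
    elif bind_ip is None:
        findings.append("net.bindIp unset: mongod before 3.6 listened on all interfaces by default")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no credentials needed to drop databases")
    return findings


if __name__ == "__main__":
    for label, findings in (("weak redis", audit_redis(parse_redis_conf(WEAK_REDIS))),
                            ("hardened redis", audit_redis(parse_redis_conf(HARDENED_REDIS))),
                            ("weak mongod", audit_mongod(parse_mongod_conf(WEAK_MONGOD))),
                            ("hardened mongod", audit_mongod(parse_mongod_conf(HARDENED_MONGOD)))):
        print(label, findings or ["ok"])
```

For Redis the weak file triggers all three findings (bound to every interface, protected mode off, no requirepass); for MongoDB the weak file triggers two (bindIp 0.0.0.0 and authorization disabled), and the hardened versions of both come back clean. A missing net.bindIp is flagged separately, because mongod before 3.6 listened on every interface by default.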


How Do I Get This, and What Can I Do To Prevent?

Be Cautious with Software Updates and Download Prompts: Ransomware and other malware have a knack for getting in via fake software updates, with fake Adobe Flash updates at the top of the list. Do not use pop-ups and prompts as a way to acquire downloads. If you feel you are due for an upgrade, visit the official site of the product to download it. Most software also lets you see the current version and check for updates from its main menu.

Be Careful with Unsolicited Attachments: Know your email senders. If something looks suspicious, your best bet is to assume that it is. Trust me, it is well worth the extra minute or two to verify something that could do serious damage to you or your organization. Visit or call the IT Service Desk at 860-439-HELP (4357) if you have any questions or would like help investigating an email message.

Back Up, Back Up, Back Up: The best defense against these threats is to back up your data regularly. Many flavors of ransomware delete the Volume Shadow Copies that Windows System Restore and “Previous Versions” rely on (typically by running vssadmin delete shadows) as part of the infection, so local restore points cannot be counted on. Back up critical data frequently to a cloud service or an external drive, and keep that drive disconnected when you are not backing up, since ransomware like Locky encrypts any drive that is mounted at the time. A cloud service that keeps file version history lets you roll back to the copies from before the infection. All users in the conncoll.edu domain have unlimited storage in Google Drive, making this a favorable option.

Do Not Enable Macros: Microsoft turned off auto-execution of macros by default many years ago, and for good reason. If you or your department needs a particular macro, please call the Service Desk or the Information Security office to verify the legitimacy of the macro or file type. Also, take a look at the document you just opened before hitting that “Enable Content” button (shown below). If the contents are not what you were looking for or expected (a blank page telling you to enable macros to view it is the classic lure), close it and delete the file altogether.

[Image: ransomware3, the Office “Enable Content” macro warning bar]
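The Zcryptor autorun.inf drop, the Locky-style mass rename, and the shadow-copy deletion mentioned under the backup advice are all visible in endpoint logs if you look for them. The following is an added example of detection logic, not from any vendor or from this post: it runs three rules over a handful of constructed, Sysmon-like JSON events (the field names, paths and process names are made up for illustration) and reports tampering with shadow copies or recovery settings, an autorun.inf written to a removable drive, and a burst of renames to a known ransom extension by a single process.

```python
"""Flag three ransomware behaviours in endpoint logs: shadow-copy/recovery tampering,
autorun.inf dropped on a removable drive (Zcryptor), and a burst of renames to a known
ransom extension (.zcrypt, .locky). Added example, not from any vendor. The log lines are
constructed JSON in a Sysmon-like shape; field names are assumptions, not a real schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = r"""
{"ts": "2017-03-01T09:00:01", "event": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet", "parent_image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe"}
{"ts": "2017-03-01T09:00:02", "event": "process_create", "pid": 4124, "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No", "parent_image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe"}
{"ts": "2017-03-01T09:00:03", "event": "process_create", "pid": 4130, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\j.doe\\notes.txt", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2017-03-01T09:00:05", "event": "file_create", "pid": 3388, "path": "E:\\autorun.inf", "drive_type": "removable"}
{"ts": "2017-03-01T09:00:06", "event": "file_create", "pid": 2200, "path": "C:\\Users\\j.doe\\Documents\\autorun.inf", "drive_type": "fixed"}
{"ts": "2017-03-01T09:00:10", "event": "file_rename", "pid": 3388, "old_path": "C:\\Users\\j.doe\\Documents\\budget.xlsx", "new_path": "C:\\Users\\j.doe\\Documents\\budget.xlsx.zcrypt"}
{"ts": "2017-03-01T09:00:10", "event": "file_rename", "pid": 3388, "old_path": "C:\\Users\\j.doe\\Documents\\thesis.docx", "new_path": "C:\\Users\\j.doe\\Documents\\thesis.docx.zcrypt"}
{"ts": "2017-03-01T09:00:11", "event": "file_rename", "pid": 3388, "old_path": "C:\\Users\\j.doe\\Pictures\\img001.jpg", "new_path": "C:\\Users\\j.doe\\Pictures\\img001.jpg.zcrypt"}
{"ts": "2017-03-01T09:00:12", "event": "file_rename", "pid": 3388, "old_path": "\\\\fileserver\\shared\\plan.pptx", "new_path": "\\\\fileserver\\shared\\plan.pptx.zcrypt"}
{"ts": "2017-03-01T09:00:13", "event": "file_rename", "pid": 3388, "old_path": "\\\\fileserver\\shared\\report.pdf", "new_path": "\\\\fileserver\\shared\\report.pdf.zcrypt"}
{"ts": "2017-03-01T09:05:00", "event": "file_rename", "pid": 2200, "old_path": "C:\\Users\\j.doe\\invoice.doc", "new_path": "C:\\Users\\j.doe\\invoice.doc.locky"}
"""

TAMPER_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows",      # delete Volume Shadow Copies
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"bcdedit(\.exe)?\s.*recoveryenabled\s+no",  # disable the Windows recovery environment
    r"wbadmin(\.exe)?\s+delete\s+catalog",       # delete the Windows Backup catalog
)]
RANSOM_EXTENSIONS = {".zcrypt", ".locky"}
BURST_COUNT, BURST_WINDOW_S = 5, 10   # 5 renames within 10 s by one process fires an alert


def detect(log_text: str) -> list:
    """Return (rule, pid, detail) tuples in log order."""
    alerts = []
    rename_times = defaultdict(list)   # pid -> timestamps of renames to a ransom extension
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "process_create":
            if any(p.search(ev["cmdline"]) for p in TAMPER_PATTERNS):
                alerts.append(("shadow_copy_or_recovery_tamper", ev["pid"], ev["cmdline"]))
        elif ev["event"] == "file_create":
            if ev["path"].lower().endswith("\\autorun.inf") and ev.get("drive_type") == "removable":
                alerts.append(("autorun_inf_on_removable", ev["pid"], ev["path"]))
        elif ev["event"] == "file_rename":
            ext = "." + ev["new_path"].rsplit(".", 1)[-1].lower()
            if ext in RANSOM_EXTENSIONS:
                times = rename_times[ev["pid"]]
                times.append(ts)
                recent = [t for t in times if (ts - t).total_seconds() <= BURST_WINDOW_S]
                if len(recent) == BURST_COUNT:   # fire once, when the threshold is crossed
                    alerts.append(("rename_burst", ev["pid"],
                                   f"{len(recent)} renames to {ext} within {BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, the two tampering commands, the autorun.inf on the E: drive and the five .zcrypt renames by process 3388 each produce an alert, while the autorun.inf on the fixed disk and the single .locky rename by another process stay quiet. The burst rule fires once when the threshold is crossed; in production you would tune BURST_COUNT and BURST_WINDOW_S to the host’s normal file activity and feed the function real events rather than the sample.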


NOTE: Remember that the biggest vector for all computer-related attacks is you, the human. Today’s attackers carefully analyze social behavior and engineer their delivery to exploit it. In a society that heavily favors social media and the immediate public sharing of even the smallest ideas, people have become significantly more trusting. To stay protected it is important to think carefully, ask questions and educate yourself.