Categories
Internet Security Uncategorized

Best Encrypted Email Services for Infosec Ops

In today’s world, almost everybody wants some level of privacy, and a certain level of privacy is deemed a “good thing” for professionals who spend most of their time online. Several mail services claim to be the world’s most secure email services, yet some of these “encrypted email services” are not as secure and reliable as they suggest to privacy practitioners. Fortunately, our infosec team analyzed and gathered some of the best encrypted email services for infosec ops and privacy practitioners.

ProtonMail:

ProtonMail is one of the best encrypted email services you can use to secure your email communication. The service has various features that make it one of the best choices for keeping your communications secure and out of reach of hackers. It uses end-to-end encryption, which means that messages are encrypted on the sender’s side before they are sent. You can use this service if you are interested in secured email. ProtonMail is based in Switzerland.

Posteo.de:

Just like Tutanota, Posteo.de is a German-based encrypted email service. Posteo offers good features to its clients. Basically, clients pay about 1 euro per month to use the service, which includes access to some of its most important features, such as POP3 and IMAP support. When signing up, you do not need to provide any personal information. This feature sets Posteo.de apart from the rest.

Mailfence:

Mailfence.com is another alternative for infosec ops and privacy practitioners to consider. Mailfence is based in Belgium and run by a Belgian firm known as ContactOffice. Mailfence offers features such as an integrated keystore, two-factor authentication, and OpenPGP (end-to-end encryption). Unfortunately, Mailfence is not accepting new registrations at the moment, but you can sign up later this year.

Virtru

Virtru is an email encryption and digital privacy company based in Washington, D.C. The company was established by former NSA security analyst John Ackerly in 2012. Virtru provides email encryption services for Google Apps, Microsoft and Salesforce. You can also use Virtru’s free extension for Google Chrome, alongside its Android and iOS apps.

Tutanota:

Tutanota is an open-source, end-to-end encrypted email client and freemium hosted secure email service, just like Virtru and ProtonMail. It provides encryption for both premium and free users. In addition, it allows users to send and receive encrypted messages to and from users of regular email services.

There are other companies offering encrypted email services just like Tutanota, so you are not limited to the ones mentioned above. But bear in mind that no security is 100%: companies offering email encryption services could themselves be compromised by sophisticated attacks. However, it is considerably safer to use the services above than regular email services.

#ISA_informs

#ISA_ltd

Categories
Uncategorized

Do You Know Spectre Updates can Slow Down PC Performance?

In cybersecurity, one sure way of fixing vulnerabilities is to apply patches. In other words, patching simply means fixing a vulnerability and updating to a newer version after its discovery. However, recent patches against CPU flaws such as Meltdown and Spectre have rather affected computer performance.

Meltdown and Spectre are a complex form of attack in which attackers exploit common features of modern microprocessors (such as those from ARM and AMD) that power our smartphones, tablets and computers.

According to Microsoft, Spectre and Meltdown firmware updates may affect PC performance. The impact is felt on computers running Windows 7 or Windows 8; on modern computers there is no significant change in performance.

Haswell processors and older ones will be impacted the most by the series of firmware updates designed to protect against the Spectre CPU security flaw. Intel has proposed working with PC makers to ready firmware updates, but most machines have yet to install them.

In addition, Microsoft has advised that firmware updates are only required to protect against what is being described as Spectre variant 2.

For Meltdown and Spectre variant 1, Microsoft has isolated kernel and user mode page tables and hardened Edge and Internet Explorer 11 to protect against JavaScript exploits. Updates for 41 editions of the operating system are now available, and Microsoft expects the four remaining supported editions will be patched soon.

Since Microsoft has advised IT admins and security engineers not to assume that the updates against Meltdown and Spectre resolve this threat by themselves, how do we ensure our servers are completely secured while performance is not compromised?

We hope to hear from you!

Categories
Privacy

The EU-GDPR and its Impact on the Ghanaian Businesses

Image courtesy ico.org.uk

GDPR data protection legislation comes into effect in May of this year; it is set to regulate the collection and use of personal information on people living in the 28 countries that make up the European Union.

This EU privacy legislation is effectively a global data protection law, as it covers any organization that holds data on individuals living in the EU. In January last year the consultancy firm PwC issued a press release stating that 92% of companies in the United States said complying with GDPR is their top data protection priority; this is proof enough that the GDPR is set to impact global business.

In the GDPR, the organization that defines what data is collected and how is called the Data Controller; this is no different from what is provided for under the Data Protection Act 2012, Act 843 of Ghana.

Data Controllers are ultimately responsible for all data protection, no matter where the data travels and who else accesses it. The Data Controller must therefore ensure that all subcontractors, outsourcers and cloud service providers have the necessary processes, procedures, technologies and have trained their teams to ensure data is controlled.

The GDPR has 99 articles and covers many forms of data risk. Being compliant takes a mix of knowledge, processes, policies and training, as well as data tracking, controlling, and user and device management, all coming from a “privacy first” IT philosophy.

It is worth reiterating that no technology on its own can deliver compliance, as GDPR requires a whole-company approach including policies, procedures, training and legal agreements with partner companies, and should be led by governance, risk and compliance groups.

Although for all intents and purposes a European statute, the new General Data Protection Regulation (GDPR), which applies from 25 May of this year, is expected to have considerable impact in African countries, as its reach also covers many data controllers and processors established outside of the European Union, namely all those who process data of individuals located within the EU as part of selling goods and services to such individuals.

These, which notably include e-commerce websites, targeted advertising providers and/or their Africa-based processors, will be directly subject to the new provisions under the GDPR.

The free flow of data between European and African countries will therefore be conditional upon proactive lawmaking and good practices in the latter, oriented towards the offering of an “adequate level” of data protection – that is, a level equivalent to the one set by GDPR.

On July 6, 2017 the International Association of Privacy Professionals stated on its website that:

Bird & Bird reports on the state of data protection in Africa less than a year before the EU General Data Protection Regulation goes into effect. Some African countries are ahead of the curve in terms of having sufficient data protection authorities in place, with Morocco standing out, having requested an adequacy recognition decision from the European Commission in 2009. 

Other countries in Africa lack comprehensive GDPR-compliant data protection legislation or have no legislation in place at all. Legal frameworks in Cameroon, Rwanda and Congo only focus on certain aspects of electronic communication data, leaving them far short of European data protection authorities’ expectations and little chance of receiving adequacy status, the report states.

It has been further noted that Morocco made efforts to integrate into the EU data protection framework by requesting this adequacy recognition from the EU, which is basically a mutual recognition procedure set up in order to speed up the EU’s procedure for recognizing data protection authorities.

Bird &amp; Bird LLP captured this position in a publication by Merav Griguer on 5 July 2017 titled “Data protection in Africa: where do we stand one year before GDPR”, as follows:

Morocco is remarkable for having requested an adequacy recognition decision from the European Commission, as early as 2009. This request is still pending to this day, mostly due to the simultaneous changing of the European framework; Moroccan officials have yet reaffirmed their will to reach compliance as soon as possible.

The [Moroccan case however sheds light on the European Commission’s rationale for the scrutiny of adequacy recognition applications, and thus might serve as an example] for other concerned countries: adequacy, in the views of the Commission, is primarily a matter of effectiveness; African data protection authorities should therefore be provided with the necessary means to enforce relevant legal provisions, so that compliance be thoroughly ensured by companies and public bodies under their jurisdiction. [Emphasis added]

The view expressed here is that such adequacy recognition will be most successful where the country seeking it has equivalent high-standard domestic provisions, which may very well be the best incentive to ensure compliance with the new GDPR regulation. Ghana finds itself in a better position, as its laws are comprehensive and world-class enough to meet GDPR requirements where need be.

However, the laws per se do not provide compliance. There is presently a mistaken belief that the Data Protection Act 2012, Act 843 by itself protects personal data; this is erroneous to the extent that Act 843 only guarantees the rights of data subjects and sets obligations for the data controller and/or processor.

The protection of the information is vested in the implementation of the 8 data protection principles embedded in the law, coupled with the regulator’s enforcement roles, which without any shred of doubt include awareness and training on the requirements of the law.

These principles include accountability, lawfulness of processing, specification of purpose, compatibility of further processing with purpose of collection, quality of information, openness, data security safeguards and data subject participation.

The GDPR, however, requires a more practical approach to these principles, and one can say it is more granular in its requirements; for example, extracts from the legal text of the GDPR provide as follows:

  • Article 5 stipulates principles relating to the processing of personal data, and requires that the controller shall be able to demonstrate compliance.

  • Article 24 stipulates the responsibility of the controller, and requires that the controller shall implement appropriate technical … measures to ensure and demonstrate that the processing of data is performed in accordance with the GDPR.

  • Article 25 stipulates data protection by design and by default, requiring … implementation of appropriate technical measures and … necessary safeguards into the processing.

  • Article 28 stipulates the obligations of a processor; the GDPR requires that the controller shall use only processors providing sufficient guarantees … of this regulation.

  • Article 30 stipulates records of processing activities: each controller … shall maintain a record of processing activities; where data is transferred to a third country or international organisation, the record shall … identify that organisation; and it shall contain a general description of the technical measures [deployed].

  • Article 32 stipulates security of processing, which includes: shall implement appropriate measures … confidentiality, integrity, resilience … and an appropriate level of security … [against] … accidental destruction, loss, alteration, unauthorised disclosure of or access to personal data.

  • Article 33 stipulates notification of a data breach to the authority: the controller shall … not later than 72 hours … notify the … authority; the notification shall describe the nature of the breach … numbers concerned … consequences; and the measures taken to address the breach … mitigate the breach shall be stated.

  • Article 34 stipulates communication of a breach … to the data subject: the controller shall communicate the data breach to the subject without delay; this shall not be required if … the data is unintelligible … such as through encryption.

  • Article 35 stipulates data protection impact assessment: in particular, when using new technologies … carry out a risk assessment of the impact … including measures to address the risks.

  • Article 45 stipulates transfers [to a third country] based on adequacy: transfers to a third country only if the Commission has decided … it ensures an adequate level of protection.

  • Article 46 stipulates transfers subject to appropriate safeguards: binding corporate rules, standard data protection clauses or enforceable commitments.

In essence, the GDPR covers the processing of data, transfers, security safeguards, impact assessments and breach notifications; all of these are provided for under the Data Protection Act 2012, Act 843 of Ghana.

In recent times there has been an argument for safe-harbor rules under Act 843. It is not far-fetched, but the professional view expressed here is that, as Article 46 of the GDPR provides, contractual documents, standards and agreements can suffice for this requirement without hurriedly tampering with the current law.

Act 843 is wide in scope and resilient in application; it is the regulator’s punch and the due diligence and application of corporations and firms that will make it a success and give companies in Ghana less stress when benchmarked against the GDPR.

While corporations and firms operating in Ghana should, from a data protection perspective, be focused on putting structures in place to ensure compliance with Act 843, they should not neglect the GDPR when it comes into force on 25 May 2018 with its improved data protection and privacy laws.

What businesses operating in Ghana need to be aware of is that the GDPR applies in EU member states as well as where data is transferred to or from the EU.

This means that businesses operating in Ghana which engage in business with persons in EU member states will fall within the ambit of the GDPR.

Notably, the GDPR will apply where businesses in Ghana process the data of an EU member state citizen or temporary resident, have employees based in an EU member state, offer goods or services in an EU member state, or have a partnership with an EU business.

It is obvious, then, that businesses in Ghana with a presence in the EU will need to be aware of the new requirements under the GDPR in order to continue to conduct their business in a data protection compliant manner.

Desmond Israel

Privacy/Infosec Practitioner

desmond[at]isa.com.gh 

Categories
Internet Security Mobile Phones Uncategorized

“TROJAN LOAPI” HUNTS PORNOGRAPHIC LOVERS!!!

It seems virus writers are yet to give up on developing different kinds of unpleasantness to frustrate Android users who are fond of downloading adult-rated Android applications and anti-virus applications from third-party stores, as well as from the Google Play Store, onto their devices.

A Trojan horse or Trojan is another kind of malware, usually disguised as legitimate software. Hackers use trojans to gain access to users’ systems.

Unlike other trojans, this particular one can overheat your device through prolonged operation of the processor at maximum load. In addition, it can turn your phone into a zombie, hijacking it for DDoS attacks against web resources, and secretly sign users up to paid services.

HOW TROJAN LOAPI OPERATES:

Users pick up the Loapi Trojan by clicking on an ad banner or by downloading a fake AV or adult-content app. As stated earlier, fake AV and adult-content apps are the common vehicles Loapi uses to gain access to users’ devices.

After installation of the fake app, Loapi asks for administrator rights. The notification requesting administrator rights keeps appearing on the user’s screen until the user finally accepts Loapi’s demands.

If the user later tries to revoke Loapi’s administrator rights, it locks the screen and closes the settings window.

Furthermore, if the user tries to download apps to protect the device against malware and trojans, Loapi declares them to be malware and demands their removal.

Loapi relies heavily on frustrating users in order to prevent them from installing legitimate anti-virus apps that could wipe out it and other similar trojans.

HOW TO AVOID TROJANS:

  • Deactivate installation of apps from unknown sources. In Settings, go to Security and ensure that the Unknown sources checkbox is not selected.
  • Get a reliable and proven AV for Android and scan your device with it regularly, even if you only install from the Google Play Store. Doing so adds another layer of security.

Categories
Uncategorized

What Do You Know About “Janus” Vulnerability?

The Janus vulnerability is the latest technique in town used by attackers to modify Android apps without affecting the application’s signature.

This vulnerability is caused by the way Android handles APK installation for applications, leaving

You need basic knowledge in android application development in order to understand Janus vulnerability very well.

The Janus vulnerability does not affect APK signature scheme v2. It only affects APK signature scheme v1. Also, it does not affect Android Oreo and Nougat, but it does affect Android Marshmallow and below.

Due to the lack of file integrity checking during APK installation, attackers exploit this opportunity to include
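Since the text states that only the v1 (JAR) signature scheme is affected, a developer-side check is whether a built APK actually carries an APK Signature Scheme v2 or v3 signing block. The following is an added example, not code from the original post: the block IDs and layout follow the Android APK signing format, and the sample APKs are constructed inside the code.

```python
import io
import struct
import zipfile

# Constants from the APK Signature Scheme v2/v3 format (Android documentation).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}
EOCD_SIGNATURE = b"PK\x05\x06"


def _central_directory_offset(data: bytes) -> tuple:
    """Return (eocd_offset, cd_offset) by locating the ZIP End of Central Directory."""
    search_from = max(0, len(data) - 22 - 0xFFFF)   # EOCD may be followed by a comment
    eocd = data.rfind(EOCD_SIGNATURE, search_from)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: End of Central Directory record missing")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return eocd, cd_offset


def apk_signing_schemes(data: bytes) -> list:
    """List the signature schemes ('v2', 'v3', ...) whose blocks the APK carries.

    An empty list means only the JAR-style v1 signature (META-INF/*.SF, *.RSA)
    can be present, i.e. the case the text describes as Janus-affected.
    """
    _, cd_offset = _central_directory_offset(data)
    # The APK Signing Block sits immediately before the central directory and ends
    # with a uint64 size_of_block followed by the 16-byte magic.
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    block_size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - block_size - 8
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != block_size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    schemes = []
    pos, end = block_start + 8, cd_offset - 24     # the ID-value pairs live in between
    while pos < end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        schemes.append(SIG_SCHEME_IDS.get(pair_id, f"unknown-0x{pair_id:08x}"))
        pos += 8 + pair_len
    return schemes


def build_sample_apk(scheme_ids=()) -> bytes:
    """Constructed sample: a minimal ZIP posing as an APK, optionally spliced with a
    synthetic APK Signing Block carrying the given scheme IDs and dummy payloads.
    It is not a real signed APK; it only exercises the container layout above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    data = buf.getvalue()
    if not scheme_ids:
        return data
    eocd, cd_offset = _central_directory_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + 32, sid) + b"\x00" * 32 for sid in scheme_ids)
    size_of_block = len(pairs) + 8 + 16          # pairs + trailing size field + magic
    block = (struct.pack("<Q", size_of_block) + pairs
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    # Shift the central directory offset in the EOCD by the inserted block length.
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec


if __name__ == "__main__":
    print("v1-only sample:", apk_signing_schemes(build_sample_apk()) or ["v1 only"])
    print("v2-signed sample:", apk_signing_schemes(build_sample_apk([0x7109871A])))
```

Run `apk_signing_schemes(open("app-release.apk", "rb").read())` against a real build; an empty result means the release is v1-only and should be re-signed with v2 enabled.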

SUGGESTED SOLUTIONS AGAINST JANUS:

  • Android developers should always
  • Upgrade your device OS (if possible).
  • Be extra careful when downloading applications as well as when updating apps.

Categories
Uncategorized

Predictions for 2018: Cyberthreats in the banking sector

Knowing what the future holds for you or your organisation allows you to prepare for the challenges ahead. In cybersecurity, threats seem to evolve every year. For instance, 2017 witnessed a series of ransomware outbreaks such as WannaCry and NotPetya.

The most devastating among them was WannaCry. WannaCry relied on EternalBlue to infect thousands of corporate servers running a vulnerable implementation of Microsoft’s Server Message Block (SMB) protocol.

As we usher in a new year, companies have strong ambitions to improve and secure their data infrastructure against automated ransomware and the like. On the flip side, cybercriminals are in the business of developing advanced and subtle forms of attack to overcome your firewalls, DNSSEC and other security perimeters on your network.

Our security engineers researched and analyzed two major potential threats that companies, and even start-ups, might encounter in 2018. Some of these threats might come to pass precisely because of changes developers and security engineers aim to implement to minimize cybercrime.

  • Fraud-as-a-Service Model: Similar to how your organisation purchases third-party software for a specific task, cybercriminals such as script kiddies and those in need of quick cash-outs purchase trojans and customized ransomware from the deep web. Thus, don’t expect cybercriminals to waste hours searching for flaws in your systems via scanners. The Fraud-as-a-Service model is an advanced form of phishing attack likely to proliferate in 2017.
  • Malicious Web Mining: Hackers have recently discovered a new way of benefiting from a vulnerable website or web portal. Have you heard of crypto mining? Crypto mining simply means reaping new cryptocoins by means of lengthy and complex calculations. Malicious miners do not encrypt user data or other related essentials, but they consume victims’ computing power and electricity. Apart from that, hackers do not even need to infect websites or web portals with malware. Instead, hackers upload scripts to a vulnerable website that force victims’ computers to mine money straight into the hackers’ cryptowallet.

Stay alert and fix any vulnerable spots before the year 2018 arrives!!!

Categories
Uncategorized

Application Threat Model: Proxy Attacks and Prevention

Now it is time to fix our attention on proxy attacks. However, before we delve into proxy attacks and prevention methods, let us settle the difference between a reverse proxy and a forward proxy.

Reverse Proxy: usually placed between a client and a web server. It receives the initial HTTP connection requests, acting like the actual endpoint (the web server). The reverse proxy serves as a gateway between users and the application web server.

Forward Proxy: also sits between a client and a web server. Unlike a reverse proxy, it regulates outbound traffic according to preset policies. In addition, it disguises a client’s IP address and blocks malicious traffic.

For this article, we are going to look at how attackers attack reverse proxies and how developers and application security engineers can make it difficult for attackers to achieve their malicious aims. The following are common types of attacks against reverse proxies:

  • Cache Poisoning
  • HTTP Response Splitting
  • Cross-User Defacement

Let’s briefly examine how cache poisoning works.

Cache Poisoning: Cache poisoning is possible because of web content caching.

Caching web content improves performance on both the server side and the client side (i.e. the user’s side). However, the HTTP caching mechanism performs integrity checks on the server side only. This specific flaw allows cache poisoning.

  • Attackers search for and exploit flaws in the code that allow them to place illegitimate headers in the HTTP header field.
  • Attackers delete legitimate cached content from the cache server.
  • The attacker sends a specially crafted request to the cache server.
  • Users requesting commonly retrieved content receive the malicious content until the cache entry is flushed.
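The first step above, and the HTTP Response Splitting item in the list, both hinge on a request-controlled value reaching a response header unchecked. The following is an added example, not code from the original post: a redirect builder that splices such a value into a header, the hardened version that rejects CR/LF/NUL and percent-encodes the target, and a helper showing which header names a cache or proxy would parse out of each response. Function names and inputs are assumed.

```python
import re
from urllib.parse import quote

# CR, LF and NUL are the characters that let a single header value spill into
# further headers or into a second, attacker-shaped response.
HEADER_CTL = re.compile(r"[\r\n\x00]")


def build_redirect_insecure(location: str) -> bytes:
    """Vulnerable form: a request-controlled value is dropped straight into the header block."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Hardened form: refuse any header value that contains line-control characters."""
    if HEADER_CTL.search(value):
        raise ValueError("CR/LF/NUL not allowed in an HTTP header value")
    return value


def build_redirect(location: str) -> bytes:
    """Hardened redirect: validate first, then percent-encode everything except the
    characters a path/query legitimately needs, so nothing can restructure the header."""
    target = quote(safe_header_value(location), safe="/:?=&%")
    return build_redirect_insecure(target)


def header_names(raw: bytes) -> list:
    """Header names a proxy or cache would see when it parses the response head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1") for line in head.split(b"\r\n")[1:]]


def redirect_outcome(location: str) -> str:
    """'ok' if the hardened builder accepts the value, 'rejected' otherwise."""
    try:
        build_redirect(location)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed input: a legitimate path followed by a line break and a second header.
    tainted = "/home\r\nX-Injected: 1"
    print("insecure builder emits headers:", header_names(build_redirect_insecure(tainted)))
    print("hardened builder:", redirect_outcome(tainted))
```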

Preventing Cache Poisoning:

  • Make use of DNSSEC: DNS Security Extensions (DNSSEC) are a set of Internet Engineering Task Force standards created to address vulnerabilities in the Domain Name System (DNS) and protect it from online threats.
  • Limit the number of recursive queries to the DNS.

Categories
Uncategorized

FIVE LESSONS GLEANED FROM ONEPLUS DEVICE ROOT EXPLOIT

Many mobile devices manufactured under the OnePlus brand by China’s BBK Electronics are vulnerable to compromise via a factory-installed app called EngineerMode, which acts as a backdoor providing root access to affected devices.

A factory app is an app that is developed and pre-installed by mobile carriers and OEMs.

At this time, the exploit is useful to an attacker with physical access to a OnePlus device, or to an owner who intends to bypass the security limitations set by OnePlus in order to gain privileged access.

OnePlus develops its own customized version of the Android operating system, called OxygenOS, for its branded devices. OnePlus mistakenly left behind a diagnostic app, EngineerMode, used to test the production build of the OxygenOS operating system.

Unfortunately, OnePlus left behind a system-signed .apk and a native library containing a SHA256 hash of the password, which was easily reversed.

Following the OnePlus root exploit incident, our security engineers came together and outlined five practical lessons mobile users can take heed of in order to protect themselves from mobile vulnerabilities and root exploits.

  • Don’t trust OEMs or mobile device carriers. Hire an Android security researcher to assess your device if you can afford it.

Original Equipment Manufacturer is abbreviated as OEM. An Original Equipment Manufacturer is a company that produces parts and equipment that may be marketed by another manufacturer. A mobile carrier is a service provider that supplies connectivity services to mobile phone and tablet subscribers.

  • Avoid side-loading mobile applications and be extra careful when downloading apps from the Google Play Store.
  • Always have an effective mobile anti-virus solution installed on your mobile device.

An effective mobile anti-virus solution makes it difficult for hidden malware apps to carry out their malicious aims. However, a mobile anti-virus solution is not a complete solution to malware eradication.

  • For Android users, uncheck “install from other or unknown sources” in the device administration settings.
  • Finally, hope that none of the pre-installed applications on your device have a backdoor embedded.

Categories
Uncategorized

Application Threat Model: Protecting User’s Account

Last week, we began the first major part of our Application Threat Model series for web/mobile developers, security engineers and other stakeholders interested in securing data and protecting sensitive resources from hackers.

We briefly emphasized how web/mobile developers can secure the login page and make it difficult for attackers to bypass authentication. Securing the login page is the first and most important step for every company interested in creating an effective and practical application threat model.

We then outlined common attacks, such as SQL injection, that attackers may rely on to bypass the authentication put in place by application security engineers and web/mobile developers.

Furthermore, we suggested a limited set of solutions for developers to make it difficult for attackers to bypass authentication.

This week we are going to throw light on how developers, security engineers and CIOs can create an effective and practical threat model template for web/mobile applications. This is simply a continuation of the application threat model series.

Importance of Protecting User’s Account

Developers and security engineers need to attach a great deal of importance to user accounts on web/mobile portals. When a user’s account is compromised, it damages business reputation.

How then can developers and security engineers secure user accounts? Below is an example of a less common attack hackers can use to compromise user accounts on the client side.

  • IDOR attacks

There are many other attacks apart from IDOR. However, we will focus briefly on Insecure Direct Object Reference for now.

IDOR Attacks:

Insecure Direct Object Reference allows attackers to manipulate references to gain access to unauthorized data. It is impossible to say in general what the potential impact of IDOR is, as it varies. Depending on what kind of data or file the attacker gets hold of, the attacker can manipulate a user’s balance sheet, transfer money from a user’s account, and so on.

Solution:

We strongly recommend that developers check access before using a direct object reference from an untrusted source. The user must be authorized for the requested information before the server provides it.
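A worked version of this recommendation, added here and not taken from the original post: the insecure lookup beside the hardened one that authorizes the (user, object) pair first, plus, going one step beyond the text, a per-session indirect reference map so the real ids never reach the client. The invoice data, names and function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not authorized for the object it asked for."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data standing in for the application's database.
INVOICES = {
    1001: Invoice(1001, "alice", 250.00),
    1002: Invoice(1002, "bob", 99.50),
}


def get_invoice_insecure(invoice_id: int) -> Invoice:
    """Vulnerable form: the id from the request is used as-is, so any logged-in user
    who edits the id in the URL reads another user's invoice."""
    return INVOICES[invoice_id]


def get_invoice(current_user: str, invoice_id: int) -> Invoice:
    """Hardened form: authorize the (user, object) pair before handing the object out."""
    invoice = INVOICES.get(invoice_id)
    # One outcome for 'does not exist' and 'not yours', so ids cannot be probed.
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access invoice {invoice_id}")
    return invoice


class ReferenceMap:
    """Per-session indirect references: the client only ever sees random tokens,
    and a token that was never issued to this session resolves to nothing."""

    def __init__(self):
        self._token_to_id = {}

    def token_for(self, invoice_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = invoice_id
        return token

    def resolve(self, token: str) -> int:
        if token not in self._token_to_id:
            raise Forbidden("unknown object reference")
        return self._token_to_id[token]


def access_outcome(current_user: str, invoice_id: int) -> str:
    """'ok' or 'forbidden' for the hardened direct lookup."""
    try:
        get_invoice(current_user, invoice_id)
        return "ok"
    except Forbidden:
        return "forbidden"


def indirect_access_outcome(current_user: str, invoice_id: int) -> str:
    """Round trip through a fresh session map: mint a token, resolve it, then authorize."""
    session_map = ReferenceMap()
    token = session_map.token_for(invoice_id)
    return access_outcome(current_user, session_map.resolve(token))


if __name__ == "__main__":
    print("insecure lookup by bob's id as alice:", get_invoice_insecure(1002).owner)
    print("hardened lookup of bob's invoice as alice:", access_outcome("alice", 1002))
```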

This is just a brief illustration of how developers and security engineers can rely on an application threat model template to predict the types of attacks attackers may use against web/mobile applications, and how they can secure applications against these attacks.

You can research further to find out about other attacks against user accounts.

Next week, we shall move on to the next part of our application threat model series, focusing on proxy and code logic attacks. Thanks!

Categories
Uncategorized

Application Threat Model Series [Part 1] : Securing the Main Entry

This week we are going to focus on how companies can generate an effective application threat model to secure web applications facing the internet or on the public domain. A threat model simply describes how a web application could be attacked, from an attacker’s perspective. For the first part of this series, we will start from the client side, placing emphasis on the main entry to a web application: the login page.

In a real-world scenario, anybody seeking to protect their resources focuses on the main entrance. Likewise, web developers interested in securing users’ data from attackers focus primarily on the login page. Attackers target the login page of a web application via the following attacks:

  • SQL Injection
  • Brute Force (or Password Guessing) Attacks
  • Default Passwords
  • Phishing
  • User-name Enumeration

Five Steps to Secure Your Login Page

  • To prevent SQL injection, advise your developers to use prepared statements with parameterized queries.
  • To prevent brute forcing, lock out accounts after a defined number of incorrect password attempts, and recover locked accounts after a specified duration. In addition, include a complex CAPTCHA to make it difficult for attackers using automated means to brute force the login page.
  • Don’t dare use default passwords. It is basic wisdom not to do so.
  • To prevent phishing, create a daily or monthly awareness program on the dangers of web phishing attacks. It is difficult and tricky to escape phishing attacks, so we have a program dedicated to phishing attacks and prevention. You can contact us on our website for further details.
  • To prevent user-name enumeration, stop attackers from probing your site to find out whether a user-name exists or not. You can prevent user-name enumeration by allowing users to sign up or log in with email addresses instead of usernames. Allowing user-name enumeration makes it easy for attackers to mount brute-forcing attacks.

Although these steps can help secure a web application from the above-mentioned attacks, there are other ways attackers could bypass web authentication. Thus, we suggest that developers put detection measures in place to capture or log malicious attempts.

Logging malicious attempts helps you to know which techniques attackers tried in order to bypass your login page, and how you can secure your web application against such attacks.
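Putting the SQL injection, brute force and user-name enumeration steps together with the logging advice, as an added example that is not part of the original post: a login routine that binds the email as a query parameter, locks the account after MAX_FAILED_ATTEMPTS and recovers it after LOCKOUT_SECONDS, returns one generic failure message for every failure path, and records each attempt in an audit table. It assumes SQLite, PBKDF2-SHA256 as the password hash, and a constructed sample account.

```python
import hashlib
import hmac
import os
import sqlite3
import time

MAX_FAILED_ATTEMPTS = 5            # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60          # the account recovers automatically after this period
GENERIC_FAILURE = "Invalid email address or password."   # identical text for every failure path


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for whatever password hash the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_db() -> sqlite3.Connection:
    """In-memory schema for the demo: users plus an audit table of login attempts."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE users (
                       email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,
                       failed_attempts INTEGER DEFAULT 0, locked_until REAL DEFAULT 0)""")
    con.execute("CREATE TABLE login_audit (ts REAL, email TEXT, outcome TEXT)")
    return con


def register(con: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                (email, salt, _hash_password(password, salt)))


def _audit(con, ts, email, outcome):
    """Detection hook: every attempt is recorded so unusual patterns can be reviewed later."""
    con.execute("INSERT INTO login_audit VALUES (?, ?, ?)", (ts, email, outcome))


def login(con: sqlite3.Connection, email: str, password: str, now: float = None) -> tuple:
    """Return (ok, message). Every failure yields GENERIC_FAILURE, so the response
    does not reveal whether the account exists or is locked (no user-name enumeration)."""
    now = time.time() if now is None else now
    # Parameterized query: the email is bound as data and never spliced into the SQL text.
    row = con.execute(
        "SELECT salt, pw_hash, failed_attempts, locked_until FROM users WHERE email = ?",
        (email,)).fetchone()
    if row is None:
        _hash_password(password, b"\x00" * 16)   # spend the same CPU time as a real check
        _audit(con, now, email, "unknown-user")
        return False, GENERIC_FAILURE
    salt, pw_hash, failed, locked_until = row
    if locked_until > now:
        _audit(con, now, email, "locked")
        return False, GENERIC_FAILURE
    if locked_until:                              # a previous lockout has expired: fresh count
        failed = 0
    if hmac.compare_digest(_hash_password(password, salt), pw_hash):
        con.execute("UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE email = ?",
                    (email,))
        _audit(con, now, email, "success")
        return True, "Welcome."
    failed += 1
    locked_until = now + LOCKOUT_SECONDS if failed >= MAX_FAILED_ATTEMPTS else 0
    con.execute("UPDATE users SET failed_attempts = ?, locked_until = ? WHERE email = ?",
                (failed, locked_until, email))
    _audit(con, now, email, "locked-out" if locked_until else "bad-password")
    return False, GENERIC_FAILURE


def audit_outcomes(con) -> list:
    return [r[0] for r in con.execute("SELECT outcome FROM login_audit ORDER BY rowid")]


def demo() -> list:
    """Constructed scenario: a good login, an unknown user, five bad guesses, the correct
    password while still locked, the correct password after recovery, and an injection
    attempt that is simply treated as an unknown user. Returns the audit trail."""
    con = create_db()
    register(con, "alice@example.com", "correct horse battery staple")
    t = 1_000_000.0
    login(con, "alice@example.com", "correct horse battery staple", now=t)
    login(con, "nobody@example.com", "anything", now=t)
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(con, "alice@example.com", "wrong-guess", now=t)
    login(con, "alice@example.com", "correct horse battery staple", now=t + 1)
    login(con, "alice@example.com", "correct horse battery staple", now=t + LOCKOUT_SECONDS + 1)
    login(con, "' OR '1'='1", "' OR '1'='1", now=t)
    return audit_outcomes(con)


if __name__ == "__main__":
    print(demo())
```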

In our next post in the series, we shall focus on attacks against user accounts and how developers and application security engineers can make it difficult for malicious users to access them.
