It’s that time of the year again. October is upon us, so get ready to spread some cybersecurity wisdom around you and, of course, a few candies here and there for the occasional Halloween visitors.

Cybersecurity Halloween

Now, as much as we hate to admit it, there are spookier things out there than a 5-year-old poorly disguised witch ringing at your door. The current state of the cybersecurity landscape leads us to believe that all sorts of fictional boogeymen are real. Just last week we saw zombie botnets taking over IoT devices by the millions. A while back, we even wrote about cybersecurity ghouls and how they haunt businesses all over the globe. If we’re quiet enough, we might even hear how someone, somewhere, is clicking on a suspicious link and opening the door to the dark side.

And that’s not all. According to the National Institute of Standards and Technology (NIST), Internet users are experiencing something that can only be expressed as being cyber-fatigue. Is this something we can blame solely on the users? Or is it a sign that perhaps we should look in the mirror as well and concentrate our efforts better? Make it so that cybersecurity comes across as a borderless, non-punitive practice? Whereas an event such as the International Cybersecurity Awareness Month is a great initiative, one month of constantly repeating ‘you are not doing enough’ or ‘you are not protected enough’ is not the way to go. The issue has been established a long time ago, there’s nothing new to add. What needs to be done now is for cyber-speakers to all agree on the same policies and solutions. And this is a process that will require work around the clock, not just for one month.

All Malwares’ Eve: APTs strike again

All Hallows’ Eve might last just one day, but for malware, it’s an all-year-long holiday. This week only, Kaspersky announced it detected another advanced persistent threat that, until now, took on your typical APT costume in order to go trick-or-treating. Dubbed StrongPity, this particular threat managed to stay under the radar by only going after 0-day vulnerabilities and employing stealthy modular attacks (read our article on Project Sauron). Later this summer, though, its creators decided it was time for a make-over and started infecting WinRAR and TrueCrypt versions on websites hosting these free encryption apps.

Note: For the reader’s information, WinRAR is a Windows data compression tool, encrypting files with AES-256 encryption algorithm. TrueCrypt is a full disk encryption tool that has not been updated since 2014, according to public records. Even so, both tools are still consciously used by users concerned with security and, even more so, with privacy. Cybercriminals love secrets, after all.

So what did this change of target mean for StrongPity? First of all, it implied a change of battle strategy: what used to be a waiting game, now became a baiting one. Just like real trick-or-treaters, this APT now basically comes knocking on your door, by using a technique called the ‘watering hole’. This method where hackers lace legitimate apps with malware and then launch the booby trap is not at all an unusual thing for an APT. Remember the Crouching Yeti that infected ICS and SCADA software in 2014?

What the StrongPity tricksters are hoping for this Fall is to swap WinRAR and TrueCrypt authentic versions with Trojanized ones, enabling them to catch a glimpse at the data before it is actually encrypted. To do so, they set up domains very similar to the legitimate distribution sites and even dropped links on the official distribution sites that would redirect victims to download the fake versions. All in the good spirit of Halloween disguise, we might even say.

Trick or treat: the battle for the front seat

Since beating around the bush never helped anyone, there’s one thing that we need to get right straight ahead: behind these masked monsters are always people. People using machines to target other people using machines. And in the middle, you have us – the people-as-shields, those that fight the battle for you. But that doesn’t mean you are completely helpless without us.

This month, to stay safe against StrongPity, your best option is to make sure you’re always downloading apps from their official website (and not from sourceforge.net, for instance). While this may reduce risks to a minimum, you’re not out in the clear yet. What’s left to be done is signature verification. We took the liberty of linking here a useful article on the topic that takes you step-by-step on how to check the integrity of your downloads. While this is not an easy task for most users, there are awareness campaigns militating for a much simpler approach. In the US, as in previous years, the main message circulating every October is one that might just save you from falling in StrongPity’s trap: ‘Stop. Think. Connect’.

This short slogan makes up for some great advice for any type of online activity, whether it’s about clicking on that suspicious attachment or downloading an encryption app. Sometimes, a few seconds of skepticism can make a huge difference. After all, you don’t always immediately open the door on Halloween either.

As a bonus, instead of a conclusion, we took the liberty to gather a collection of Halloween-inspired sources to help you keep cyber-horrors at bay:

Protect your goodies, strong passwords are a must: https://www.reveelium.com/en/yahacking-the-last-straw/

https://www.reveelium.com/en/cyber-hygiene-social-networks/

https://www.reveelium.com/en/fbios-rabbit-hole/

Don’t take sweets just from anyone, it might be a bait: https://www.reveelium.com/en/target-human-behind-machine/

https://www.reveelium.com/en/cybersecurity-during-the-summer/

https://www.reveelium.com/en/apple-and-its-vulnerabilities/

Beware of requests from strangers, the Big Bad Wolf also posed as a good guy: https://www.reveelium.com/en/avoid-data-hostage-situation/

https://www.reveelium.com/en/locky-data-hijackers-strike/

https://www.reveelium.com/en/can-hospitals-stay-cyber-healthy/

https://www.reveelium.com/en/banking-malware-siege/

Prevent IoT devices from haunting your website: https://www.reveelium.com/en/iot-rise-of-the-machines/

https://www.reveelium.com/en/iot-jeopardizes-business-security/

https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/

https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-ii/

Know your monsters before they get to know you: https://www.reveelium.com/en/the-malware-revolution/

https://www.reveelium.com/en/apts-can-you-catchem-all/

https://www.reveelium.com/en/cybersecurity-ghouls/

https://www.reveelium.com/en/sauron-one-apt-to-rule-them-all/

Pick out a good costume for your sensitive data: https://www.reveelium.com/en/call-for-multilayer-cybersecurity/

https://www.reveelium.com/en/big-question-in-cybersecurity/

https://www.reveelium.com/en/harry-potter-defend-against-apts/

https://www.reveelium.com/en/reveelium-innovates-threat-analysis/

While we take pride in the articles we write, it’s obvious we cannot always cover all topics or go as much into details as we’d like. As such, we’ve listed here a couple of extra cybersecurity sources, a real treat for all those interested in going beyond just awareness campaigns and witty metaphors this Halloween:

SANS Institute’s CWE Top 25, a list of the easiest to exploit vulnerabilities As one of the largest international information security organizations, SANS provides training to thousands of security professionals and ethical hackers every year. Another excellent platform SANS provides is the Reading Room, a collection of papers in all cybersecurity topics which records over 75,000 unique visitors each months.

OWASP’s Secure Coding Practices, the monster-free coding guide for all developers OWASP stands for Open Web Application Security Project and is a nonprofit organization, running though the will of security expert volunteers all around the world. Through its ESAPI project, OWASP helps developers integrate security into already existing apps, as well as create new ones from scratch, security centered this time.

ISACA’s Internet of Things research: infection risk considerations Previously known as the Information Systems Audit and Control Association, ISACA covers todays many more topics, counting over 140,000 members at a global level.

CERT’s secure coding resources or learning how to be a security ghostbuster Working closely with the Department of Homeland Security, CERT is a renowned engine of the cybersecurity field.

NIST’s SAMATE standards, a business’s survival guide The National Institute of Standards and Technology provides standards for organizations to be able to choose the right cybersecurity tools for their environment.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access