PUPs evolving into malware
The main security threat for 2015 will be the evolution of PUPs (short for Potentially Unwanted Programs) towards malware. Even though these programmes often claim to be from legitimate ad-funded companies, they are becoming increasingly aggressive and less customer-friendly. Here are some specific issues that Malwarebytes has already seen beginning to occur, and I predict will continue growing throughout next year:
- The End User Licence Agreement (EULA) will only be shown by installers downloaded from official channels. If the software is bundled, you won’t get to read the EULA at all. When you do, it is often no more than a link to a document that is so long, nobody has the time to read it. And if you do, it often states they will sell and abuse all your personal data as they see fit.
- The number of programmes offering opt-out options when bundled will diminish.
- Randomised file names, obfuscated registry keys and misleading entries will all appear in the list of installed software.
- Multiple entry points that make sure the software is run when the computer boots will be named things that are seemingly unrelated to the software. You will be left wondering where they came from and if you actually might need them.
- Adware automatically updating itself.
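The third and fourth points above (randomised names, and several autostart entry points that do not look related to the program they belong to) are the kind of thing a defender can check for by hand. The following is an added example, not Malwarebytes code: it audits a list of autostart entries (Run keys, scheduled tasks) against the list of installed programs using three simple heuristics. The entries, product names and paths are constructed sample data, not taken from a real machine.

```python
"""Heuristic audit of Windows autostart entries against the installed-program list.

Added example (not Malwarebytes code): the entries and products below are
constructed sample data, not taken from a real machine.
"""
from __future__ import annotations

import re
from typing import Optional

# Constructed sample: (location, value name, command line) as they would appear
# in Run keys or scheduled tasks.
AUTOSTART = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "WinSysUpdate",
     r"C:\Users\me\AppData\Local\SuperCoupons\upd.exe /silent"),
    ("Task Scheduler", "SCUpdater",
     r"C:\Users\me\AppData\Local\SuperCoupons\sched.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "x7q2mz9k",
     r"C:\ProgramData\x7q2mz9k\x7q2mz9k.exe"),
]

# Constructed sample: product name -> install directory, as the
# "installed software" list would report it.
INSTALLED = {
    "Microsoft OneDrive": r"C:\Users\me\AppData\Local\Microsoft\OneDrive",
    "SuperCoupons Deals": r"C:\Users\me\AppData\Local\SuperCoupons",
}


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run-key style command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def tokens(name: str) -> list[str]:
    """Split CamelCase and digit runs into lowercase words: 'WinSysUpdate' -> ['win', 'sys', 'update']."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", name)]


def looks_random(name: str) -> bool:
    """Randomised names have almost no vowels, or alternate between letters and digits."""
    if len(name) < 8:
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    switches = sum(a.isdigit() != b.isdigit() for a, b in zip(name, name[1:]))
    return vowel_ratio < 0.2 or switches >= 3


def owner_of(exe: str, installed: dict[str, str]) -> Optional[str]:
    """Name of the installed product whose directory contains exe, if any."""
    low = exe.lower()
    for product, folder in installed.items():
        if low.startswith(folder.lower().rstrip("\\") + "\\"):
            return product
    return None


def audit(entries, installed) -> dict[str, list[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    per_owner: dict[str, list[str]] = {}
    for _location, name, cmd in entries:
        reasons = []
        exe = exe_from_command(cmd)
        if looks_random(name):
            reasons.append("randomised entry name")
        owner = owner_of(exe, installed)
        if owner is None:
            reasons.append("executable is not under any installed program's directory")
        else:
            per_owner.setdefault(owner, []).append(name)
            if not any(t in owner.lower() for t in tokens(name)):
                reasons.append(f"entry name does not mention its owner ({owner})")
        if reasons:
            findings[name] = reasons
    # Several entry points into one product, none of them named after it.
    for owner, names in per_owner.items():
        if len(names) > 1:
            for n in names:
                findings.setdefault(n, []).append(f"{owner} has {len(names)} autostart entries")
    return findings


if __name__ == "__main__":
    for entry, why in audit(AUTOSTART, INSTALLED).items():
        print(entry, "->", "; ".join(why))
```

On the sample data, OneDrive passes all three checks, the two SuperCoupons entries are flagged because neither name mentions the product and the product has two entry points, and x7q2mz9k is flagged both for its name and because no installed program claims its directory. The thresholds are deliberately simple; a real tool would tune them against known-good autostart lists.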
I would also not be surprised to see adware spreading across home or corporate networks, or one PUP downloading another to come and join the party. This is more akin to how malware behaves.
To counter this progression, vendors should adopt an aggressive anti-PUP policy. PUPs should always be treated as malware, unless the customer chooses otherwise. To avoid these unwanted programmes in the first place, always get your software through the official channels, opt out when you can and, if you can’t, ask yourself “is it worth the trouble?” Remember: if it sounds too good to be true, it probably is.
Cloud related breaches
The recent leak of celebrity pictures from their iCloud accounts has drawn attention to the security issues associated with virtual storage facilities. In fact, these types of leaks have happened frequently over the last year and will only grow throughout 2015.
There are many ways of gathering data from the cloud. These include social engineering, vulnerabilities in commonly used cloud storage services, or even finding a way to download the raw data from a hard drive.
Social engineering can be used to acquire consumer login data. Emails leading to fake login sites can result in people divulging this information, as can online surveys that ask for far too many details, or offers of a “free, must-have” tool that helps you track and organise your uploads. This will continue to increase throughout 2015.
Given that finding vulnerabilities in popular cloud applications is a lucrative business, you can bet that a lot of cybercriminals are working on these kinds of projects. Of course, the developers of those applications are working just as hard in an effort to stop them from succeeding.
Having access to the hardware used for the Cloud can provide attackers with another way of gathering data. Hypothetically, if an attacker were able to execute a programme he has uploaded to the Cloud on the server where the file is stored, he could order that programme to send him the raw data from the server’s drive. Although this would result in a lot of reading, a relatively simple routine could quickly sift through the data to find personal information: for example, bitcoin wallet keys and email addresses can easily be found by looking for certain parameters.
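The same "look for certain parameters" idea cuts both ways: before you upload a backup, you can run the same kind of sift over your own plaintext to see what a leaked copy would expose. The following is an added example, not Malwarebytes code. It scans a byte blob for email addresses and for Bitcoin private keys in Wallet Import Format (WIF), validating the Base58Check checksum so that random-looking strings are not reported. The blob and the key inside it are constructed: the "key" is the dummy value 0x01 repeated 32 times, never a real one.

```python
"""Pre-upload check: what would a plaintext copy of this data expose?

Added example, not Malwarebytes code. SAMPLE is a constructed blob; the
'private key' inside it is the dummy value 0x01 * 32, never a real key.
"""
import hashlib
import re
from typing import Optional

B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 encode, preserving leading zero bytes as '1' characters."""
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    pad = len(raw) - len(raw.lstrip(b"\0"))
    return (B58[:1] * pad + out[::-1]).decode()


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-Base58 character."""
    n = 0
    for ch in text.encode():
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\0" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(key32: bytes, compressed: bool = True) -> str:
    """Wallet Import Format: 0x80 || key || [0x01] || checksum, Base58 encoded."""
    payload = b"\x80" + key32 + (b"\x01" if compressed else b"")
    return b58encode(payload + checksum(payload))


def parse_wif(text: str) -> Optional[bytes]:
    """Return the 32-byte key if text is a checksum-valid WIF string, else None."""
    try:
        raw = b58decode(text)
    except ValueError:
        return None
    if len(raw) not in (37, 38) or raw[0] != 0x80:
        return None
    payload, chk = raw[:-4], raw[-4:]
    if checksum(payload) != chk:
        return None
    return payload[1:33]


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# WIF strings are 51 chars starting with '5' or 52 chars starting with 'K'/'L'.
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")


def scan_blob(blob: bytes) -> dict:
    """Report email addresses and checksum-valid WIF keys found in raw bytes."""
    text = blob.decode("latin-1")  # one char per byte, so binary junk is harmless
    emails = EMAIL_RE.findall(text)
    keys = [m for m in WIF_RE.findall(text) if parse_wif(m) is not None]
    return {"emails": emails, "wallet_keys": keys}


# Constructed sample blob: a note, a dummy wallet backup, a decoy and binary junk.
DUMMY_KEY = b"\x01" * 32
SAMPLE = (
    b"notes.txt\x00Contact: alice@example.com\n"
    b"wallet backup: " + wif_encode(DUMMY_KEY).encode() + b"\n"
    b"decoy: 5" + b"J" * 50 + b"\n"  # right shape, wrong checksum
    b"\xff\xfe binary junk \x00\x00"
)

if __name__ == "__main__":
    print(scan_blob(SAMPLE))
```

The decoy line shows why the checksum matters: it has the right length and alphabet, so a bare pattern match would report it, but Base58Check rejects it. If the scan finds anything, the fix on the consumer side is the one the next section gives: decide whether the data belongs in the cloud at all, and encrypt it before it leaves your machine.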
These types of Cloud breach may seem rather unlikely to happen to you, but one should also consider the "inside job". Studies have shown that around 70% of security breaches, intentional or not, result from employees and can mean that the described breaches are a lot more likely to succeed.
[Image caption: Just like this, but imagine the beauty pouring out is actually your financial records]
What can we do about it?
The user and the provider can, and should, work together to improve data security in the Cloud:
What can home consumers do to protect their private data?
- Consider the impact of lost or stolen data before you put them in the Cloud.
- Treat your passwords with care. Making regular changes and using strong passwords go a long way.
- Ignore unexpected emails asking you to log in somewhere and, even when you trust the email to be legitimate, do not follow the link in it, but go to the site directly.
- Check out the company or application you are trusting with your data. Are they worthy of your trust? (also see further below)
- Do not fill out data in surveys from unknown sources that can be used to identify you.
- Use the Cloud for backup. If it is important, don't use the Cloud as the sole storage facility.
What should you look for in a company storing your data?
- Do they store your data encrypted or not?
- What is their track record? For example, did they suffer one incident and take immediate measures? Or have they had lots of problems and tried to keep them quiet?
- Do they monitor user activity and program activity and analyse it for unexpected behaviour?
- Do they have backups in case of disasters?
We can only hope the above are the worst new developments for 2015, but I’m sure the future will never cease to amaze us. Have a safe 2015.
By Pieter Arntz, Security Blogger from Malwarebytes