Mark as Junk to Fight against Cybercriminals

If you see any suspicious email, you should mark it as SPAM or JUNK or Phishing, instead of deleting it. I have seen many users who just delete suspicious file and unfortunately, there are people in area of security who ask users to delete unknown and suspicious emails. The question is when should we delete email and when mark them as spam? We are deleting emails, when we know it is trustworthy and we could ask sender to stop sending such email or unsubscribe from the email and to free up our mailbox, we will delete them. But if email came from unknown source and we couldn’t trust the email or it has any suspicious behavior, we shouldn’t just delete them and instead we should mark it as spam. This would help our email spamming system to fight against spammer and cybercriminals. It also help legal authorities to have better evidence when fighting against spammers and they could say thousands of our user requesting us to block this guy and we ask them to stop spamming and they refused so we bring them to court. Sometimes, email might come from your trusted friend and it seems suspicious, in this case, you should call your friend and ask them to check basic security steps like check for malwares, change passwords and check with email provider to see whether is there any suspicious behavior with their email or not. If you are using Microsoft Account, there are good description about things you could do here. It is better to contact them by phone or other mean of communication than email, because we are not sure whether your friend’s email have been hacked or not. One interesting feature in Microsoft email is you could mark your friend’s email have been hacked and this would help your friend. It is drop list near the Junk in, where you mark email as Junk or Spam.

We as security professional, should teach our users to mark suspicious emails as Junk or Spam, instead of deleting them. So we will know what emails are trying to harm users and which one are just taking some extra space. In term of Junk or Spam, it is matter of cybercrime and in some cases, they might carry dangerous attachments which might contain new malwares and report as junk or spam, would help us to identify new threats and even unknown or 0-days vulnerability. To make this matter clear for users, I would ask them to consider your home, sometimes, you need to do cleaning and remove dusts and you will see some piece of paper like old receipts which you don’t need them any longer , but they won’t harm you and you just throw them out , to make your home cleaner. But imagine, if someone send you something dangerous. Let say it is a package which might contain bomb or it is a letter convince you to leave your home at specific hour (so may be someone could come into your home during those hours and commit robbery), you won’t just throw it out. You will place it outside your home and call police or other legal authorities. Marking email as Junk or just Delete them is like this. So you should be careful, whether you should delete email or mark it as junk.



Machine Learning Damaging Our Privacy

In order to build any model based in Machine Learning and Artificial Intelligence, it is required to collect a lot of data and to get accurate model, we need accurate data. For this reason, companies force to collect a lot of data from users and they send it to their big model for process and then hand it over to machine learning and AI experts to create model for prediction. The main problem is to satisfy the model, we need a lot of data and these data is being stored somewhere. We might say, it is being processed automatically and no human has access to them, but when researchers want to verify something, then they might force to read those personal information, authorities force to take a look at suspicious content and this collection, would put our privacy at risk. Because models relays on AI and Machine Learning, normally, they won’t delete data. For these reasons, I call Machine Learning and AI, one of the biggest enemy of privacy. It force researchers to collect a lot of data, but there is no sufficient information, about protecting those data. Many people argue, we are doing this to protect users, for example in spamming, we need to collect big set of email (but we won’t read them) and mark which email is spam and which is not and we are leaving this to users to classify it and we only care about text and count of words and structure of text. For those who are expert in security, will know that easily we could bypass any email spam, with our tricks, which I don’t want to explain here, because people might abuse it. Anti-Spam could block known spams and those create with semi-professional security guys, but it is helpless for experts. We are collecting a lot of data, spending so much money on servers to collect and process these data, spend so much money on universities and researchers to play around with complex math formula, just to come up with a system, which is helpless in front of experts. Some people argue, that well we have other methods, other protection ways and not everything is based on AI and Machine Learning which is true. But what, we would like to argue is why we are spending so much on this? We might deal with problem of Spam through criminal intelligence analysis, policy data center and monitoring and response team. These methods are a lot cheaper and more efficient. Of course we need spend some money to enhance them, but once we reach to the right place, we could use them to combat against cybercrimes. When we discuss with those who call themselves security experts in university, they always say, sorry we are only care about Machine Learning (because they only care about publication and not national or international security in cyberspace). When we talk with experts in criminology, they say it is interesting topic, but we are only care about law and legal issues. So we are collecting so much data, spending so much money, for unreliable systems.

There is no need to collect so much information and even, if there is a need to collect them, there is no need to keep those information forever. These problems with privacy raised, because everyone force themselves into Machine Learning and AI. If they think about something else or they let others to investigate in these areas, we could protect privacy of our users and enhance their security. As it already been mentioned, policy management, is the recommended solution and there is no need to collect so much data and even if we do, we could delete them later or let users to control their data, instead of collecting them. For these reason, I am requesting cybersecurity experts, to move away from Machine Learning and AI (I don’t say everyone should leave it, but we need people to think in different direction). Universities should open doors to young people who love cybersecurity but they prefer methods without mathematic and AI. Professors don’t understand these methods and they force everyone to follow AI direction and this put our privacy at risk. We need to open new doors to develop expertise in policy management, rather than unreliable math formulas and forcing people to use AI.


Why Data is being Collected in Windows 10?

There are many discussions about privacy issue with Windows 10 and people claiming by installing Windows 10, Microsoft steals your data and hand them over to national security agency and the U.S. government. It also gives opportunity to Linux fans and they posting articles saying that if you want privacy, you better use Linux. In this post, these issues will be analyzed. I would like to start with story why companies or governments need to collect data. Let’s go back to the time when computer and internet doesn’t exist. During those time governments still collect data on paper. When new baby born into hospital, his or her parent need to fill up some form including the place of birth, parents, given name, national id number and so on. All of these was inside a piece of paper (before computer and IT come to picture). And our government would have access to these data. So, they will know who are citizens of a country, so they would grand them special benefits which wasn’t available to people who aren’t citizen and if someone born into a country but doesn’t have any national card, then they would ask for one and at some point, of life, people must share some data with governments. Then another scenario come into picture when people would want to travel to travel to other country and stay there for longer time. In this time diplomacy come into picture and passports created. In this case, when you wanted to enter to another country, you should share some details about yourself, like place of birth, date of birth, passport number and so on. If you required to get visa, you need to share more data with the embassy of foreign country. It makes like a bit difficult for many citizens (and still people are suffering because of diplomatic conflicts). Therefore, new systems come into place, where governments could share data easily through fast and secure diplomacy protocols. Consider Schengen system for example, countries under Schengen agreement would get special carts for their citizens and they could use it to travel in other countries borders. No one asking you any question or ask you to submit tons of documents to embassies so they could figure out whether grand you a visa or not. Why? Because, whenever there is problem, they just get your ID Card and insert through IT system, they will know whether you are legal traveler and in case of crime, they could quickly investigate the all your crime activities across Schengen areas. Europol doing great job with providing powerful IT infrastructure. And if you are able to travel across countries without staying in long lines for interview and visa, because your governments doing great job in diplomacy by protecting national security and sharing data when needed and it is all thanks to IT.

When we talk about privacy, it means we are sharing data, so a system give us certain benefits and they are protecting our data and there are certain rules there and if we break those rules, then we are in trouble. For example, when you are communicating through your mobile phone, then your telecommunication company would have ability to trace your location but they never do it unless if you are wanted by police or legal authorities or you are threat to your country. If you are not breaking any law or you are not in watch list, then nobody would trace you. Even if you are living in no digital environment, so you don’t have any phone or communication devices, governments still could collect data through your friends or by sending someone to watch you over. They will do they job but with different methods.

Microsoft like all other companies does collect some data and all these have been discussed in Privacy Statement. And all data there are being collected to help users. For example, consider case of Windows Update, they need to collect data like what version of Windows you are using and what updates has been installed so far. If this mechanism is not in place, then Microsoft need to release all updates for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and so on. And whether you got your PC today and need to install tons of updates and someone who just check for update yesterday both would have get gigs of update and many of those updates would have been failed. Therefore, you need to share these data to automated server and it will offer you updates which you will need. In government agency and when privacy is their main concern, they have local deployment of update, so when new update released, they will test it to make sure it is safe and they IT admin check systems to see what version of Windows are there and what updates do they need and then deploy those updates. So, they won’t share data with Microsoft and these data shared with their internal server. If they need their private email server, they won’t setup Office365 but they create their own email storage and use Exchange Server, OneDrive for Business and other private cloud services.

In higher level governments also get involve, so for example in European Union, data from citizen of these countries will be kept inside a server inside the EU, so even if U.S. government want to access data of any European citizen, they need to ask permission from EU government and those governments protect privacy of people. Same scenario is applicable for Linux, it also collects data for example to check for update and there are several things which it won’t collect, because it doesn’t private services where Microsoft provide to users. For example, when error detect in Windows, it asks users to send more data anonymously, so people in Windows team investigate the problem and release a fix for it. And you could disable this feature. In Linux, you need to share your error to public forum and keep share them to everyone and maybe you find some fix or you force to reinstall it. I addition, if U.S. government want to access your Linux PC, do you think, is that difficult task for them? Several security features in Windows are not available in Linux and someone with basic hacking knowledge could break into Linux system easily and collect all data. Even if you are not connecting to internet, they could send someone to steal your device. You just make things harder for them and yourself but you won’t stop them.

When it comes to privacy, governments must build powerful regulation to collect and protect data and build trust between people and government. People should have right to complain when their privacy broken and get response from government. It is job of government to create law so data protection and privacy is in place for their people like Privacy Shield in EU which did a great job. Switching to different operating system and spreading groundless rumor about companies stealing data won’t solve problem with privacy. We need to come up with some evidence and propose solutions to protect our people’s privacy. If you have knowledge of using Windows, you could take complete control of your privacy and create your own private cloud where no date being shared with Microsoft but for this you need to purchase your own data center and tools and spend more time on it. You actually, should do a job which Microsoft is doing for you as part of Windows warranty.


Hacking Cars !

Computer technology came to car manufacturer and makes our life better. A central computer could play video, monitor activities in fuel system and so on. Then communication comes to place, when we could connect our mobile device to a car and then view SMS, play music and even answer calls. As we go forward, these technologies are getting smarter, for example HERE propose a way to have a better life with cars, by monitoring traffic, see which places are prone to damage your car, find place to park cars. I strongly recommend you visit demos in HERE website. Going forward are cars getting smarter, thanks to IoT. It is actually good thing, because soon we will have cars to drive us, our government would have a better data to create rules and monitor situation. So next time, when your car break down, you just need to press a button and it automatically log the problem and request for service to your location. So you don’t need to call a number, share several information, send your location and explain what happens. As we are moving our cars into internet, it promote new risks too. What if someone hacked into our cars and perform some malicious actions and intentionally break down our cars, even damage the breaking system and cause injury and even in worse case, cause dead. There are proof-of-concept about hacking cars out there and it is challenge for car manufacturers to keep their consumers safe on the internet-connected-cars. Why this problem started in first place, we could classify the cause of car-hacking in the following categories:

Lack of expertise: Just if someone could connect to internet and write a bit of python codes, doesn’t make him or her, expert in field of cybersecurity. The problem raised, when people from other backgrounds like mechanical engineering, physics, electronics, design a system which required expertise in software engineering and computer security. Building a safe car which safe passengers against accident is not same as building a car to protect them against hackers.

Requirement Changed but Design Method Doesn’t: When they design cars, they care about safety of cars and protecting passengers against accident, they calculate possibilities to protect passengers against failure of break system. But when they connect cars to other devices and even internet, they just perform a basic security test and create a system which could just work. There is no regular update or emergency response to cyber-threats in internet-connected-cars yet.

Lack of Threat Modeling: They will investigate and create a system which is safe by design, but no model has been proposed to simulate attack scenario to cars. The closer model, would be Microsoft Threat Modeling, but they are not even use it.

To overcome these problems and build a safe internet-connected-cars, car makers, should hire people with expertise in cybersecurity and work with car manufacturer’s designers. They should create a new test cases to evaluate safety of the car from physical security and cybersecurity perspective. Special team should be there to continually evaluate and response to threat, targeting cars which are connected to internet. In new design, risks related to cyberattacks, must be identified and prioritize and method to mitigate and defend them, should be defined. New model should be created to define attacks and propose defense and also create a cycle to identify new threats and combat them regularly. Updates also should be patch to cars without harming the user experience. Update also could be installed during regular PC maintenance.

As conclusion, internet-connected-cars are new opportunity and if they design well, they could even prevent death and accident. Just imagine, in your city, if majority of cars are internet connected, when you are too close to other car, it will automatically detect and press the break. But, if risks of cyberattacks targeting these cars, wouldn’t be identify and mitigate properly, it would create greater risk. Therefore, we need to identify them and prepare ways to protect ourselves against them.


What is Cyberterrorism?

If we want to define Cyberterrorism in one sentence, it is when someone sit behind his/her PC and use internet to conduct terrorism incidents. In other terrorism, they need to gain access certain location and place some bomb or hijack airplane, take some hostage and they should be physically there. But in case of Cyberterrorism, no physical present required. It is not simple that everyone could do it and public information as today, didn’t explain the real case of cyberterrorism , but as internet become global and by adaption of new technologies which are dependence to cyberspace, we will face cyberterrorism in future, if we don’t take right action today. Let discuss about some possible example of cyberterrorism, to show the risk of it. There are nuclear reactors which relays on connection to a device running operating system, they might not be connected to internet, but Stuxnet proof that they could get infected. Attacker could just infect a PC of a company which is collaborator to nuclear facility and if their PC get infected, then one infected USB drive could get there and stop operation there. But in worse case, a virus might blow up the nuclear reactor and kill people. Many of people are relay on GPS to navigate between cities and the GPS usually relays on internet to detect areas with terrific in real-time, so could recommend user a way with less traffic. What if someone hack this system and fake traffic data , so force the driver to go to the direction that they want and there , they perform terrorist attack. What if they hack into terrain system and modify the system so cause accident between trains. Same for aviation system, so they force airplane to crash by providing them the wrong direction. In the more advance case, they might create some virus to change breaking system in your car and let say when you are in high speed, the break doesn’t work. Or maybe they hack a drone (drone-jacking) and while you are driving in highway, jump directly into your car and cause crash. Cyber-terrorism could use cyberspace and internet to perform their crime easier from far location and sometimes, they just create a malicious code and send it over the net and just wait to see what happens. In such situation, we need to understand the risk of cyberterrorism and fight against it. Some people might say, when let stop all internet and all about IoT, so we are safe. Well, this is not a wise solution, because terrorists just use other means. For example, let say if we didn’t invent airplane or at least we didn’t put it to public access 9/11 would never occurred. But certainly 9/11 would have happened in other form or using other tools and we couldn’t blame all in airplane. In addition, airplane did a lot of great thing for us. Also consider electricity, some people are dying because of electricity. But, if electricity and cyberspace wasn’t there, I was unable to share the risk of cyberterrorism and ask you to prepare to defend against it.

How could we defend against cyberterrorism? Well, we need to understand and analysis it and create resources to defend against it (this is something that all governments must do today), we shouldn’t wait for another terrorist attack, so we could wake up and say , hey lets defend it, we should prepare before such attack occur. In other side, we need to create our tools (software, hardware, network, etc.) in a way that it is ready to defend and mitigate such attack. To get ready to combat against cyberterrorism, we need knowledge of criminology and IT and we need special taskforces to prepare and train people so make sure our devices are protected against known and unknown cyberterrorism attack. I request researchers, government, IT professionals and other stakeholders, get ready with all forces before it is too late. Looking forward to safer internet.

Why Shouldn’t We Trust Linux on Security?

There are people who think Unix-like operating systems like Linux is safer and more secure compare to Linux. They claim because Linux is open source we could see the source code of it and because it is community driven, then everyone would see and find error and bugs especially security bugs and fix them. Here you will see all these arguments are wrong and Linux is just like scarecrow, where normal people see it like scary and secure from far but security experts will get near and touch it and then it fell down and they will see there is actually nothing there. Firstly, being open source pose more risks, because we don’t have any control about who has access to the source code. Opposite to close-source operating system where people has full control over who has access and why they want to access the source code , in addition, media and external security experts more interested in finding security issues in closed-source operating systems , because they could find story and tarnish reputation of the company, while in open source like Linux, even if hackers take over everything they just write a simple story and no one taking blame and they just say it is community and open to everyone. Support in Linux is also nightmare, the only company who actually doing some support about Linux security is RedHat and in most of the time you should go over forums for hours and hours to figure out which script would solve your issue. It is dangerous especially when your systems are under attacks and immediately you need to close ports, enhance firewall security level, perform some malware scan and while in Windows you could do it with few clicks and very fast, in Linux, you need spend hours to figure out what script you have to write and while you are looking for solution hacker did what they supposed to do. In addition, company like Microsoft, they have full time engineers and team to develop code and fix issues, they are getting paid and they went through security screening and they full time job is to protect Windows and consumers. While in Linux, they never get paid and they just get some money through donation, so they don’t have any duty to fix problems and if they do, they do it for favor and there are many times, when we came across security vulnerabilities and they just say, fix it yourself and share with us. In addition, several attack scenarios which has been fixed in Windows, already exist in Linux. Because it is free, they don’t care much about getting their codes sign and you will face with an OS with several unsigned and unverified codes which bad guys could just replace then whenever they want. There are many cases where an attacker fool users to get a script to fix some issues and inside it hides some malicious activities which result on hacking the server. We could secure Linux, if we pay a lot and develop several applications or enhance already existing security products for Linux, but still it won’t become as secure as Windows. Therefore, if you are wise administrator, instead of putting scarecrow to scare some hackers away, think about a platform which is fundamentally strong like Windows and invest on enhance security on it. You just need to do threat modeling and look into scenario of attacks and then you will know why we need Windows instead of Linux, so do not trust Linux.

How to Bypass AI-Based Security Systems

It is not very difficult to bypass security systems which are based on Machine Learning and AI. Here attack-based scenario of how it could be done will be explained. Due to security reason and since the objective of this blog is only to show you risk and not teach hacking, we won’t explain everything in details but we just show you blueprint of attack to understand the risk. Firstly, let see how AI and Machine Learning based system are working. Basically, you need to send them very big amount of data and classify which one is safe and which one is harmful. Then keep doing this so the system get smarter (what they say) and it could figure out how classify the future and possible unknown data based on previous decisions and it is automated. This is simple to say but in background it required huge amount of data and required complex mathematical equation and large database to store and large processors to analyze them. Let say, we have a large sample of network package send to our Instruction Prevention System (IPS) and in this sample we classify these behaviors are harmful so it will block them and others which are safe and should be pass, then we send other samples and based on previous decisions, it will classify them. So the system will say I see this file in the past, so from its behavior, it seems to be harmful so block it and others consider safe and pass it. In this way, some safe packages incorrectly being blocked and we call them false positive and some harmful package will pass through it and we call them false negative. All experts in AI and Machine Learning just say these are false positive and they might either try define exception or get some bigger data or improve their algorithm to improve classification but still they are agreed, they are unable to stop false (positive or negative) and to improve their algorithm , they need to spend a lot of resources. But just imagine one and only one of package which is malicious manage to bypass the IPS and then this package could damage a system in a way to open backdoor for other malwares and take complete control of the system. Same issue will happen for Anti-Malware products which they incorrectly allow a harmful program to run and take a complete control of the system. Improving algorithm to stop such issue is so hard and time consuming and required heavy resources. But bypassing such systems is very easy, you just need to send some files (e.g. malware or malicious package) and based on block or not block figure out the algorithm and then design you malware or malicious package in a way so it classify it as a safe. You may also turn the security protection (IPS or Anti-Malware) into your friend, for example just send some safe package so it won’t be blocked by IPS and try change it a bit and send it so the system will learn about the package and then while you are sending this, add your malicious command inside it slowly, you may also send it encrypted so IPS won’t notice anything, just send some encrypt file along with safe package so IPS identify it as safe and bypass it and then once you did for a while and IPS detect it as safe , then send your malicious one. You may do the same for Anti-Malware software, send some safe file and once user get it just send some files and update it and when Anti-Virus trust it, then send malicious update in a way which Anti-Malware learned to classify as safe. Similar scenario is applicable in all other security products, you don’t need to be a great mathematician or have much knowledge or resource to bypass Machine Learning or Artificial Intelligence based security system but to build such system or change your existing algorithm you need to do a lot. This is why we keep calling security experts around the world to move from AI and ML to new ways which we could easily deal with cybercriminals. We don’t need AI or ML, we just need to see how to build weapon using our technology and analysis cyber-attacks and build strong counter-measure.