Tag Archives: security

Google crackdown kicks a bunch of data-stealing malware off the Play Store

Millions of Android users should delete the 11 apps after Google kicks them out of the Play Store

Malicious software, AKA malware, is a huge problem for anyone who ends up saddled with it. It’s not just the bad guys who are hiding software that can harm us, though. Some seemingly legitimate companies are doing things like collecting personal information without the user’s knowledge or consent. It’s far from the first case of malware slipping into the Play Store, but it looks like Google, at least, is doing something about this privacy violation after learning about a number of problematic Android apps in the Play Store.

The search giant has taken measures to boot apps with hidden data-harvesting software out of the store, according to a recent Wall Street Journal report. Measurement Systems S. de R.L, a Panamanian company that works with US security agencies, wrote the code. Measurement Systems also has links to a Virginia defense contractor that specializes in cyberdefense. According to the WSJ report, the behavior was found by researchers auditing Android apps while looking for vulnerabilities. The data-harvesting code reportedly ran on millions of Android devices and has been detected in well-known consumer apps, Muslim prayer apps, an app for detecting highway speed traps, and a QR code reader. The researchers shared their findings with federal privacy officials, the WSJ, and Google.

The Panamanian firm reportedly paid developers to include its software development kit (SDK) code in their applications, and the kit handled data collection. The WSJ reports that it was able to look at data from a third-party company that showed the geographic distribution of users whose phones were running the Measurement Systems SDK, and it learned from the researchers that the buried code could obtain information down to location in addition to extracting info like email and phone numbers. The SDK could also view hashed data from WhatsApp image folders and even pull data about nearby computers and mobile devices, potentially mapping out who people meet with on a regular basis.

According to the Journal, Measurement Systems also used a subsidiary called Packet Forensics LLC to do business with the US government. While national security agencies and the Defense Department have admitted they buy commercial provider data like this to help with threat analysis, the finer details of what they get and how they use it remain secret. Governments have been collecting location-analytics information logged by mobile software for some time, sometimes asking firms to turn over bulk loads of user data to law enforcement agencies. The thing is, it can pay off for developers. According to documents seen by the paper, Measurement Systems claimed devs could rake in anywhere from $100 to $10,000 per month as long as they delivered enough users with apps accessing location data.

Serge Egelman, who with his colleague Joel Reardon discovered the hidden software, said there’s an old-fashioned lesson for developers who popped Measurement Systems code in their apps looking to make some money. It’s about “the importance of not accepting candy from strangers.” After all, it might be poisoned with code that wants to tell the government everything it can find out about you and your users. Still, there is some hope for those who have lost income streams from Google’s ban. The company may allow some apps to return — as long as they delete the Measurement Systems code. The first few are in fact already back.

https://www.androidpolice.com/google-play-store-boots-data-harvesting-software-intelligence/

7 Third-Party Security Risk Management Best Practices

Cooperation is the key to success. Working with third parties helps businesses increase their productivity and efficiency, produce better products and services, employ highly qualified experts, and cut costs. But all these benefits come at the price of increased cybersecurity risks.

Minor flaws in your third-party vendor’s security and privacy routines may turn into cybersecurity weaknesses for your company. In this article, we analyze the particular cybersecurity risks related to third parties and how you can mitigate them.

Third-party-related attacks are on the rise

Cybercriminals always look for your weak spots.

Third parties may not take their network security as seriously as you want them to. Knowing this, hackers may choose not to attack your company directly. Instead, they may look for an easier target among your third-party vendors. A compromised subcontractor can easily be turned into an entry point for cybercriminals. This is how a supply chain attack works.

Meanwhile, the number of third parties organizations work with as well as the amount of sensitive data disclosed to them is increasing every year. The same goes for data breaches caused by third parties. From 2017 to 2019, the number of data breaches caused by third-party vendors increased by 35%. The results of annual studies by the Ponemon Institute from 2016 to 2018 also show a disturbing dynamic:

[Figure: State of third-party data risk management (Ponemon Institute, 2016 to 2018)]

Here are only a few recent examples of cybersecurity incidents involving third parties:

  • Atrium Health data breach — In 2018, Atrium Health suffered a data breach that resulted in the exposure of personal information of over 2.65 million patients. The breach was caused by a compromise of servers used by Atrium Health’s billing vendor, AccuDoc Solutions.
  • Amazon data leak — In 2020, Amazon, eBay, Shopify, and PayPal fell victim to a massive data leak. A third-party database with approximately eight million UK online shopping transactions was published online. Noticeably, this is not the first time Amazon has suffered from third-party-originated incidents. In 2017, attackers hacked several third-party vendors working with Amazon and used their credentials to post fake deals.
  • General Electric (GE) data breach — In 2020, GE reported a data breach caused by their service provider Canon Business Process Services. A compromised email account led to the public exposure of personally identifiable information of GE’s beneficiaries and employees, both current and former.

Depending on the nature of third-party vendor compromise, an organization may face different risks. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.

What are the risks?

A compromise of your subcontractor may affect you too.

The financial and technical capabilities of small service providers and subcontractors don’t always match the capabilities of their clients. Therefore, while aiming for a bigger win, cybercriminals may start small and look for an easy target within your supply chain.


A compromised third-party vendor may lead to multiple risks that can be split into four major categories:

Risks coming from compromised third parties
  • Cybersecurity risks — Subcontractors usually have legitimate access to different environments, systems, and data of their clients. Attackers may use a third-party vendor as an entry point to try to get a hold of your valuable assets.
  • Operational risks — Cybercriminals may target your internal systems and the services you use instead of just your data. This can lead to partial interruptions of your operations or even halt them altogether.
  • Compliance risks — International, local, and industry-specific standards and regulations set strict cybersecurity criteria that organizations should meet. Furthermore, third parties working with these organizations also have to comply with these requirements. Non-compliance usually leads to substantial fines and reputational damage.
  • Reputational risks — Having your valuable data and systems compromised serves as a red flag for your partners and customers, both current and future. Regaining their trust will take a lot of time and effort. And unfortunately, there’s no guarantee that you’ll be able to successfully recover your reputation after a severe cybersecurity incident. 

What’s the root cause of all these risks? 

The reason why many organizations struggle so much when it comes to securing their work with third parties is the lack of two things: visibility and control.

Companies often don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a third-party vendor uses a shared account to access your corporate network, you won’t be able to determine which of their specialists has made a particular change in the system. 

Also, organizations often have limited control over their third parties. Yet it’s the organization’s responsibility to make sure their supply chain vendors meet all necessary cybersecurity requirements. According to the Health Insurance Portability and Accountability Act (HIPAA), even when a data breach happens on a third-party vendor’s side, the healthcare provider is held responsible for not ensuring the safety of their patients’ data.

Understanding the particular threats

Let’s get more specific.

In order to make your cooperation with subcontractors more secure, you need to understand what threats they can pose to your company’s cybersecurity. Let’s focus on four common types of threats:

Common threats coming from third parties
  • Privilege misuse — Third-party vendors may violate access privileges you grant them in various ways and for various reasons. Your subcontractor’s employees may willingly pass their credentials to others. Or, if access permissions in your network aren’t configured properly, a third-party vendor may get access to data that’s not supposed to be shared with them. Ensuring a high level of access control is especially important if your third parties have access to your company’s privileged accounts, critical assets, and sensitive information.
  • Human errors — Inadvertent mistakes by your subcontractor’s employees can cause just as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, inputting the wrong data, and misconfiguring systems and solutions. While being unintentional, these mistakes can still lead to data leaks, service outages, and significant revenue losses.
  • Data theft — Alongside unintentional data damage, there’s a high risk of targeted data theft by third parties. Without a proper third-party vendor management policy in place, there’s a risk of third-party employees stealing valuable business information and using it to their advantage.
  • Fourth-party risks — Fourth parties or second-tier third parties are subcontractors of your subcontractors. Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices isn’t enough. You also need to understand how they manage their own supply chains.

Luckily, you can effectively manage all these risks and threats by following a set of third-party vendor risk management best practices that will significantly improve your company’s cybersecurity resistance.

Third-party vendor risk management: 7 best practices

Analyze and control risks stemming from your subcontractors.

A systematic approach can help you mitigate potential cybersecurity threats and manage risks coming from your third parties. Third-party risk management (TPRM) is an example of such an approach. 

In a nutshell, TPRM is the process of determining, analyzing, and managing third-party risks. This process can cover different aspects of your company’s operations: work with sensitive data and intellectual property, access management, financial operations, and so on.

There are several international standards and commonly used frameworks that can serve as a basis for outlining your third-party risk management strategy. The following resources will prove particularly helpful:

By analyzing the recommendations in these resources, we can summarize seven third-party security risk management best practices:

Third-party risk management best practices
  1. Make an inventory

Start by making an inventory of all your third-party vendors and service providers. Next, classify them according to the level of their impact on your organization: low, medium, or high. The more critical data is exposed to a particular vendor, the higher that vendor’s possible impact on your organization.

Pay the most attention to vendors who have a high impact on your organization’s operations and cybersecurity, as their compromise will affect you the most. Also, consider developing a framework for categorizing vendor impact and use it when starting to work with new subcontractors.

  2. Delineate responsibilities

Use service-level agreements (SLAs) to determine who’s responsible for what in your cooperation with a third party. You need to take everything into account: what kinds of sensitive information your third-party vendor can access and store, what security precautions they should take to protect that data, what compliance requirements they must follow, how often they should perform audits, and so on. Think of every detail relevant to your business and make sure to mention it in your SLA.

  3. Establish cybersecurity policies

Set clear cybersecurity rules for both your third-party vendors and your employees cooperating with them. Develop an internal policy that clarifies responsibilities of each party and outlines standard actions for different procedures and cases. And make sure to familiarize both your employees and your subcontractors with these rules.

  4. Limit access

Consider deploying a privileged access management solution to make sure that only legitimate users can access your company’s sensitive information. Secure your critical assets with two-factor authentication (2FA) to make it harder to compromise your network even if someone’s credentials are stolen. One-time passwords and manual access approval can also help you prevent attackers from entering your network.

  5. Enable continuous user activity monitoring

Continuous monitoring of user activity is a common requirement of many IT regulations, laws, and standards. By monitoring a third-party vendor’s activity within your network, you can see who does what with your critical assets and when they do it.

Look for a solution that can monitor and record user sessions in a comprehensive format suitable for further auditing of your third-party vendors’ activity. Reports based on the results of vendor monitoring will be helpful in passing external audits, evaluating your cybersecurity during internal audits, and investigating cybersecurity incidents.

  6. Plan for third-party incident response

Prepare for responding to a subcontractor-related incident before it happens. Analyze the scope of cybersecurity threats and risks to pick those that are relevant to your company. Then develop formalized procedures for mitigating those risks.

To ensure timely detection of cybersecurity incidents, use a dedicated solution to configure alerts and notifications for possible suspicious actions and events related to your subcontractor’s activity. Choose responsible personnel who will get notified in case of a cybersecurity incident related to third parties and make sure to add their names and contact information to your cybersecurity policy.

  7. Perform regular audits

Perform regular audits and evaluations of your third-party vendors. Use reports from your user activity monitoring solution and incident response system to analyze the way your vendors treat your critical systems and sensitive data. 

Additionally, perform regular assessments using vendor risk management questionnaires. You can compose such questionnaires yourself or use templates that match your company’s requirements. Having vendors fill out questionnaires will help you evaluate your vendors’ cybersecurity approaches and identify potential weaknesses in them.
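As an added illustration of practices 4 to 7 above (limit vendor access, monitor vendor sessions, alert on suspicious vendor actions, and feed the results into audits), here is a small policy-evaluation script. It is not code from the article or from Ekran System; the session log format, the policy fields and the vendor names are constructed assumptions.

```python
"""Evaluate third-party (vendor) session records against per-vendor access policies.

Constructed example: one line per vendor session in the form
    timestamp|vendor|account|system|mfa(1/0)|action
and one policy per vendor built from the inventory step (impact level),
the SLA (allowed systems, working hours) and the access rules (named
accounts only, MFA). Each session is checked and alerts are collected so
they can be routed to the responsible personnel and summarized for audits.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class VendorPolicy:
    vendor: str
    impact: str                     # "low", "medium" or "high" from the inventory
    allowed_systems: Set[str]       # systems the SLA allows this vendor to touch
    named_accounts: Set[str]        # individually named accounts issued to the vendor
    allowed_hours: Tuple[int, int]  # [start, end) hour window agreed in the SLA (UTC)
    mfa_required: bool


@dataclass
class Session:
    ts: datetime
    vendor: str
    account: str
    system: str
    mfa: bool
    action: str


# Constructed policies for two hypothetical vendors.
POLICIES: Dict[str, VendorPolicy] = {
    "BillCo": VendorPolicy("BillCo", "high", {"billing-db"},
                           {"billco.jdoe", "billco.msmith"}, (8, 18), True),
    "PrintCo": VendorPolicy("PrintCo", "low", {"print-server"},
                            {"printco.svc"}, (0, 24), False),
}

# Constructed session log lines (not real data).
SAMPLE_LOG: List[str] = [
    "2024-03-04T09:15:00|BillCo|billco.jdoe|billing-db|1|read",       # within policy
    "2024-03-04T22:40:00|BillCo|billco.jdoe|billing-db|1|read",       # outside SLA hours
    "2024-03-04T10:05:00|BillCo|billco.shared|hr-records|0|export",   # shared acct, wrong system, no MFA
    "2024-03-04T11:00:00|PrintCo|printco.svc|print-server|1|read",    # within policy
    "2024-03-04T11:30:00|OtherCo|otherco.x|billing-db|1|read",        # vendor missing from inventory
]

# Actions that deserve an alert on their own when the vendor has high impact.
SENSITIVE_ACTIONS = {"delete", "export"}


def parse_session(line: str) -> Session:
    """Split one pipe-delimited log line into a Session record."""
    ts, vendor, account, system, mfa, action = line.strip().split("|")
    return Session(datetime.fromisoformat(ts), vendor, account, system, mfa == "1", action)


def evaluate(session: Session, policy: VendorPolicy) -> List[str]:
    """Return the list of alert codes a session triggers under its vendor's policy."""
    alerts: List[str] = []
    if session.system not in policy.allowed_systems:
        alerts.append("out-of-scope-system")       # privilege misuse: data not meant to be shared
    if session.account not in policy.named_accounts:
        alerts.append("unnamed-account")           # shared account: no individual attribution
    if policy.mfa_required and not session.mfa:
        alerts.append("mfa-missing")               # 2FA mandated for this vendor but not used
    start, end = policy.allowed_hours
    if not (start <= session.ts.hour < end):
        alerts.append("off-hours")                 # outside the window agreed in the SLA
    if policy.impact == "high" and session.action in SENSITIVE_ACTIONS:
        alerts.append("sensitive-action-high-impact")
    return alerts


def run(lines: List[str], policies: Dict[str, VendorPolicy]) -> List[dict]:
    """Evaluate every log line; return one finding per session that raised alerts."""
    findings: List[dict] = []
    for index, line in enumerate(lines, start=1):
        s = parse_session(line)
        policy: Optional[VendorPolicy] = policies.get(s.vendor)
        alerts = ["unknown-vendor"] if policy is None else evaluate(s, policy)
        if alerts:
            findings.append({"line": index, "vendor": s.vendor, "account": s.account,
                             "system": s.system, "alerts": alerts})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Alert count per vendor, the kind of figure a periodic vendor audit reports."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["vendor"]] = counts.get(f["vendor"], 0) + len(f["alerts"])
    return counts


if __name__ == "__main__":
    for finding in run(SAMPLE_LOG, POLICIES):
        print(finding)
    print(summarize(run(SAMPLE_LOG, POLICIES)))
```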

Conclusion

Third-party vendors have legitimate access to clients’ critical systems and sensitive data. Yet many subcontractors can’t match the level of cybersecurity measures and precautions implemented by large enterprises. This is why cybercriminals often focus on third-party vendors and service providers instead of directly attacking their real targets. 

A cyberattack on a third-party vendor creates cybersecurity, operational, compliance, and reputational risks for all organizations the vendor works with. Dealing with these risks can also result in substantial financial losses.

The best way to mitigate these risks is by deploying a sophisticated monitoring solution and following third-party vendor risk management security best practices. Ekran System can help organizations manage third-party vendor risks and implement most of the practices that are critical for this process. The platform provides a rich selection of user activity monitoring, access management, and incident response functionalities.

https://www.ekransystem.com/en/blog/third-party-providers

Economics of Ransomware – To Pay Or Not To Pay?

In school, I always loved economics. That is, of course, the absolute opposite sentiment of 97% of people.  The reason I have the feelings towards economics that I do is the fact that economic principles drive the world around us, something that I am reminded of frequently. The Laffer curve, supply-side economics and Keynesian philosophies are all over the news, but there are countless additional clues around us of how economic theory drives everyday decisions.  Like whether to pay to free yourself of ransomware.

Why?  Well, first, you can’t “win.”  There is no winning, not unless you possess unlimited resources and patience.  But you don’t, and you’re not smart enough to outwit them.  I can imagine some folks thinking that their back-up schema is so clever they can just endure the loss of one system or set of systems.  Are you sure those data sets are not infected as well?  

Prevention is key, but after the ransomware has been released, there’s little that can be done.  Prevention in this context means all the same tactics and strategies often written about here in SecurityWeek and elsewhere: identity management, password hygiene, employee training (e.g., avoidance), data back-up best practices, etc.  It’s all much the same – in this case, all we are dealing with is a different payload on a seemingly infinite list of vulnerabilities.

There are technologies in the area of ‘detection’ / prevention – but I’m not going to mention them here because they are currently either (1) generally ineffective (yes, despite vendor promises), (2) so performance-intensive that they are virtually unusable, or (3) from a small number of vendors you probably don’t do business with. I have seen some hardware-level assisted technologies in experimental stages that take actions at the lowest level of the stack – but despite their true promise, they’re not quite ready.

Second, paying the ransom is not prohibitively expensive, especially compared to the damage / costs associated with having the payload of the ransomware detonate. Criminals have embraced the art and science of pricing – finding the point where marginal cost equals marginal return.  As an economist at heart, that is a beautiful thing. The criminals behind ransomware are also amateur economists.

While the success of “commodity” ransomware attacks may be declining, more targeted and sophisticated attacks are on the rise against businesses and government organizations across the U.S. and costing many of these entities millions in damages.

A side note on “just pay”: you must actually have money on hand in the format of the day in order to be capable of paying. Think of this like the “petty cash drawer” – quick currency on hand to take care of urgent issues. The bottom line is you can’t pay if you don’t have the right currency.  I’m not going to, in this static column, prescribe a currency to have on hand because the currency frequently changes.  So, your advisors will have to stay on top of this.  Sometimes it’s gift cards, but often it’s cryptocurrencies.  If your organization is a hospital, you must have a robust amount of varied payment methods ready to go in my opinion.  If your organization is of a less time-sensitive nature, you can be less aggressive here.  Think through this though because the key advice here is this: get back to work as quickly as possible. 

You have to think about this as a speeding ticket. You did something wrong (and you probably did), received a fine, and should just pay it. Fighting it is too expensive, too time-consuming, too much downside risk. The cost and embarrassment stings a bit, but the alternative is much worse. The important thing is to understand your mistake – and that’s exactly what this is when it happens, a ‘self-inflicted injury’ – and make sure it doesn’t happen again.

At the end of the day, I encourage businesses and organizations of all sizes to leave the moral judgments regarding ransomware to the government.  Leave the “fight” to the companies that are paid to fight, that are equipped to fight. Just pay. Just pay and go on with your life. And in the future focus your energy on that ounce of prevention as frequently described by SecurityWeek.

https://www.securityweek.com/economics-ransomware-pay-or-not-pay

How insider fraud can be detected and avoided in the enterprise

IT sabotage and insider threats can put an organization at great risk. Guest expert Peter Sullivan details preventative measures to take and employee training techniques.

The CERT/CC defines insider fraud as “an insider’s use of IT for the unauthorized modification, addition or deletion of an organization’s data (not programs or systems) for personal gain or the theft of information that leads to an identity crime.” The U.S. Secret Service defines identity crime as “the misuse of personal or financial identifiers in order to gain something of value and/or facilitate some other criminal activity.”

Information targeted for fraud covers a wide range of personal data, including personal identification data, such as driver’s licenses, medical identities, criminal histories and immigration applications; personal financial data, such as credit cards, credit histories, utility bills and food stamp applications; and personal medical data, such as medical records and disability claims.

Understanding the insider threat requires understanding what motivates people to behave, whether that behavior is positive or negative. Personal financial gain is a common reason for committing insider fraud.

Insiders who commit fraud are generally employees with good access to data as part of their jobs. Similar to insider theft of intellectual property (IP), insider fraud is usually committed by employees doing the same kinds of activities that they do as part of their day-to-day jobs. Most insider fraud occurs during normal working hours, while the insider is on-site and able to use their access. Given these factors, it can be difficult to detect malicious insider behavior. In contrast to IT sabotage and IP theft, insider fraud is often carried out by employees in lower-level, nonprofessional, nontechnical jobs who have access to customer records and billing data.

In any discussion of patterns and behavioral characteristics, it is important to remind ourselves of why we are looking to discover the characteristics of insider fraud. Detecting one or more patterns of fraud does not mean that a malicious insider has been detected. Rather, understanding these risk indicators can be used to protect the organization and its employees against insider attacks, not to trap employees. Risk indicators should be used as input into a risk-based analysis of job positions at risk for insider fraud, to understand the organizational elements that influence insiders to carry out fraud and, most importantly, to develop and implement protection and mitigation strategies to protect an organization and its employees from malicious insider attacks of any kind.

Patterns in insider fraud

Any discussion of fraud needs to include American criminologist Donald Cressey’s theory of the “fraud triangle” developed in the mid-20th century. Cressey studied why people violate trust and came up with three factors that must be present for a person to commit fraud:

  1. Pressure to commit fraud may come from a financial problem, drug addiction, gambling losses, significant medical bills, collusion with outsiders or simple greed. Cressey observed that the problem or need that drove fraud was often “nonsharable,” meaning that the problem must be resolved in secret due to extreme embarrassment or that sharing it might expose illegal or illicit activity that the insider wishes to conceal.
  2. Opportunity refers to the ability to commit fraud or a set of conditions that allows fraud and a violation of trust to occur. For insider fraud, “opportunity” means that the insider has access to information that can be used fraudulently. The access required to commit the fraud may have been granted to the insider as part of their job, or access may be made possible by a lack of effective access controls. Another element of opportunity is the perceived probability of getting caught. A low perceived probability enhances the opportunity for fraud, while a high perceived probability of being caught diminishes the opportunity in the eyes of the insider.
  3. Rationalization refers to the insider’s justification for committing fraud and the process of making the insider’s dishonest behavior somehow fit within the insider’s personal ethical code. Low personal integrity or a flexible ethical code aids in rationalization.

According to the fraud triangle theory, all three elements must exist to drive an individual to commit fraud. Having these elements present, however, does not mean that everyone will commit fraud given the same pressures and opportunity. An insider’s predisposition, and perhaps history, of committing theft and fraud is a critical element. Given the same pressures and opportunities, there are some insiders who, due to high personal integrity, will not commit fraud where other insiders will give in.

Ongoing crime

There are significant differences among insider fraud, insider sabotage of IT and theft of IP. Unlike other kinds of insider threat activity, insider fraud is usually a long and ongoing kind of crime. Insider IT sabotage and IP theft tend to be one-time events: explosive in nature and, often, occurring when the malicious insider leaves the organization.

In contrast, insider fraud activity typically continues for more than a year. During that time, the insider steals or modifies small pieces of information, such as credit card numbers, Social Security numbers and credit history information, where each fraudulent act brings some financial benefit and each act has a relatively small chance of being caught — making it easy to rationalize continuing the fraud. Due to the ease of committing fraud, some insiders continue their fraudulent activity even after the initial motivation or pressure to commit it disappears. In almost half of insider fraud cases studied by CERT/CC, fraud was able to be carried out for an extended period of time due to nonexistent or ineffective monitoring of business processes.

Institutionalized fraud: Fraud that benefits the organization

There is another type of insider fraud that may actually benefit the organization, at least for a while. Sometimes, the pressure, rationalization and opportunity to commit insider fraud are provided by the organization itself to its employees.

In 2016, a fraudulent account scandal erupted when Wells Fargo employees were discovered to have opened as many as 3.5 million fraudulent customer accounts. The scandal came to light when the Consumer Financial Protection Bureau assessed Wells Fargo a fine of $185 million as a result of illegal activity.

The drivers for this massive fraud were supplied by Wells Fargo itself. Former Wells Fargo sales employees reported that they all faced a company-mandated quota to sign up new accounts: salespeople who met the quotas received bonuses, and those who did not meet quotas were fired — the penalty for not meeting quotas provided the rationalization sales reps needed for committing fraud. This activity eventually became institutionalized as Wells Fargo provided employees with the ongoing opportunity to commit fraud.

It appears that Wells Fargo provided all elements of the fraud triangle from as early as 2002 to late 2016, affecting millions of customers.

What to do: Insider fraud

Insider fraud can be difficult to detect, especially since it is committed by employees doing the same activities they do as part of their day-to-day jobs. Given the difficulty of detection, a reasonable approach may be to reduce or eliminate opportunities to commit fraud — or to anticipate the pressures to commit fraud.

Combating insider fraud starts with the identification of the types of information that may be — or have been — fraudulently used and the users who have access to it. An employee population may be at risk for fraud, deserving additional awareness, such as enrollment of employees into an employee reliability program, increased monitoring of information access and checks on how information is used.

Other steps organizations can take to protect against insider fraud include the creation or improvement of the auditing of critical business processes and the verification of modifications to critical data, customer financial information and employee records. Organizations should also conduct background checks for potential employees, contractors and subcontractors that look for undisclosed criminal history or any history of financial difficulties that may provide the motive for fraud. To further help, employees should be provided with assistance programs if they are experiencing financial problems in order to head off fraud as a method of solving financial problems. Access privileges should be reviewed to prevent the accumulation of excess privileges, and role-based access control should be used. Separation of duties should be automatically enforced, and organizations should consider temporarily disabling access when insiders travel outside the country, take a leave of absence or go on vacation.

https://searchsecurity.techtarget.com/tip/How-insider-fraud-can-be-detected-and-avoided-in-the-enterprise?src=5857497&asrc=EM_ERU_107247381&utm_content=eru-rd2-control&utm_medium=EM&utm_source=ERU&utm_campaign=20190130_ERU%20Transmission%20for%2001/30/2019%20(UserUniverse:%20490805)