Tag Archive for: behavior

Android’s Design Leaks Some VPN Traffic Data, Google Calls It “Intended Behavior”


Android devices with a VPN leak some traffic by design, including IP addresses and DNS/HTTP(S) requests, when connecting to a wireless network. According to a security audit by Mullvad VPN, leaking this small amount of data is inherent to the mobile operating system, and third-party VPN apps can neither prevent nor control it.

The Europe-based VPN service provider said that enabling Always-on VPN and Block connections without VPN doesn’t help either. Mullvad VPN noted that the bug (Google argues it is a feature) is built into Android.

“We have looked into the feature request you have reported and would like to inform you that this is working as intended,” a Google engineer told Mullvad VPN on the search giant’s issue tracker page. “We do not think such an option would be understandable by most users, so we don’t think there is a strong case for offering this.”

Let us see how VPNs on Android function.

When an Android device connects to a public network, it performs connectivity checks before it treats the connection as usable. Mullvad VPN discovered that, to perform these checks, Android sends traffic outside the VPN tunnel, directly over the underlying network, where anyone on that network or in the path can observe it.

Block connections without VPN is the Android setting meant to prevent exactly this kind of leak, yet the connectivity-check traffic bypasses it. Split tunneling, where enabled, can also send part of the traffic over the underlying network rather than through the tunnel, Google pointed out.

“We understand why the Android system wants to send this traffic by default. If for instance there is a captive portal [a webpage usually displayed after a device connects to a new public network] on the network, the connection will be unusable until the user has logged in to it,” Mullvad VPN wrote.


“So most users will want the captive portal check to happen and allow them to display and use the portal. However, this can be a privacy concern for some users with certain threat models,” the company added.

Indeed, because the small amount of data that the OS leaks includes DNS lookups, HTTP(S) and possibly NTP traffic, and the user IP address (as metadata), precisely what users intend to…


Observations on Resolver Behavior During DNS Outages


When an outage affects one component of the internet infrastructure, there are often downstream ripple effects on other components or services, direct or indirect. We would like to share our observations of this impact in the case of two recent outages, measured at various levels of the DNS hierarchy, and discuss the resulting increase in query volume caused by the behavior of recursive resolvers.

At the beginning of October 2021, the internet saw two significant outages, affecting Facebook’s services and the .club top-level domain; neither resolved properly for a period of time. Throughout these outages, Verisign and other DNS operators reported significant increases in query volume. We provided consistent responses throughout, with the correct delegation data pointing to the correct name servers.

While these higher query rates do not impact Verisign’s ability to respond, they raise a broader operational question: whether the repeated nature of these queries, indicative of a lack of negative caching, might be mistaken for a denial-of-service attack.

Facebook

On Oct. 4, 2021, Facebook experienced a widespread outage, lasting nearly six hours. During this time most of its systems were unreachable, including those that provide Facebook’s DNS service. The outage impacted facebook.com, instagram.com, whatsapp.net and other domain names.

Under normal conditions, the .com and .net authoritative name servers answer about 7,000 queries per second in total for the three domain names previously mentioned. During this particular outage, however, query rates for these domain names reached upwards of 900,000 queries per second (an increase of more than 100x), as shown in Figure 1 below.

Figure 1: Rate of DNS queries for Facebook’s domain names during the 10/4/21 outage.

During this outage, recursive name servers received no response from Facebook’s name servers; instead, those queries timed out. In situations such as this, recursive name servers generally return a SERVFAIL or “server failure” response, presented to end users as a “this site can’t be reached” error. Unlike an NXDOMAIN or NODATA answer, which classic negative caching (RFC 2308) lets a resolver hold for the zone’s negative TTL, a timeout produces nothing the resolver can cache, so each new client query for the same name triggers a fresh resolution attempt, starting again at the parent zone.

Figure 1 shows an increasing query…
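The amplification described above, as an added toy model that is not part of Verisign’s post and uses no Verisign data: a single recursive resolver serving many clients, a parent (TLD) server that always answers with a delegation, and a child authoritative server that either answers or times out. The model assumes, as a simplification, that a resolver with nothing usable in its cache re-fetches the delegation from the parent on every attempt; the client count, retry interval, TTLs and nameserver names are all constructed. Comparing the parent’s query count with and without a cache of resolution failures shows why an outage at the child turns into a query flood at the parent.

```python
"""Toy simulation of recursive-resolver behaviour during an authoritative outage.

Constructed example: a single resolver, many clients re-asking for one name
every second. Not Verisign's code and not measured data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

QNAME = "facebook.com"  # assumed query name, used only as a cache key


@dataclass
class TldServer:
    """Parent zone (e.g. .com): always reachable, always returns a delegation."""
    queries: int = 0

    def delegation(self, name: str) -> List[str]:
        self.queries += 1
        return ["a.ns.example.net", "b.ns.example.net"]  # assumed NS names


@dataclass
class AuthServer:
    """The zone's own name servers: answer when up, time out (None) when down."""
    up: bool = True
    queries: int = 0

    def answer(self, name: str) -> Optional[str]:
        self.queries += 1
        return "203.0.113.10" if self.up else None  # None models a timeout


@dataclass
class Resolver:
    """Minimal recursive resolver with a positive cache and an optional failure cache."""
    tld: TldServer
    auth: AuthServer
    cache_failures: bool
    failure_ttl: int = 30   # seconds a SERVFAIL result is held, if caching is on
    answer_ttl: int = 300   # seconds a positive answer is held
    answers: Dict[str, Tuple[int, str]] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)

    def resolve(self, name: str, now: int) -> str:
        expires, addr = self.answers.get(name, (-1, ""))
        if expires > now:
            return addr                      # positive cache hit
        if self.cache_failures and self.failures.get(name, -1) > now:
            return "SERVFAIL"                # recent failure, answer from cache
        # Nothing usable cached: walk from the parent (simplifying assumption,
        # see lead-in), then ask the child's name servers.
        self.tld.delegation(name)
        addr = self.auth.answer(name)
        if addr is None:
            if self.cache_failures:
                self.failures[name] = now + self.failure_ttl
            return "SERVFAIL"
        self.answers[name] = (now + self.answer_ttl, addr)
        return addr


def simulate(n_clients: int, duration: int, auth_up: bool,
             cache_failures: bool, failure_ttl: int = 30) -> Tuple[int, int]:
    """Run the model for `duration` seconds with every client asking once per
    second. Returns (queries seen at the parent, SERVFAILs returned to clients)."""
    tld, auth = TldServer(), AuthServer(up=auth_up)
    resolver = Resolver(tld, auth, cache_failures, failure_ttl)
    servfails = 0
    for now in range(duration):
        for _ in range(n_clients):
            if resolver.resolve(QNAME, now) == "SERVFAIL":
                servfails += 1
    return tld.queries, servfails


if __name__ == "__main__":
    for label, up, cache in [("normal operation", True, False),
                             ("outage, no failure caching", False, False),
                             ("outage, failures cached 30 s", False, True)]:
        parent_q, fails = simulate(1000, 60, up, cache)
        print(f"{label:32s} parent queries={parent_q:6d}  SERVFAILs={fails}")
```

The clients receive the same number of SERVFAILs in both outage runs; the only thing the failure cache changes is how many of those failures are re-derived by querying the parent, which is exactly the load the post describes at the .com and .net servers.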


Why Understanding Cyber Criminals Behavior and Tools is Vital


The attack landscape continues to grow rapidly, and with that growth comes the complex challenge of tracking the Tactics, Techniques, and Procedures (TTPs) used by different threat actors. The National Institute of Standards and Technology’s (NIST) Computer Security Resource Center describes TTPs as the behavior of a threat actor, and tracking that behavior has become an essential concept for Cyber Threat Intelligence (CTI) analysts. By profiling and documenting criminal TTPs, network defenders can better understand criminal behavior and how specific attacks are orchestrated, allowing them to prepare for, respond to and mitigate current and future threats.

Defining Tactics, Techniques, and Procedures

Breaking TTP down further: Tactics are high-level descriptions of what the threat actor is trying to accomplish. For example, Initial Access is a tactic a threat actor pursues to gain a foothold in your network.

Techniques are more detailed descriptions of the behavior or actions used to achieve a given Tactic. For example, one Technique for gaining Initial Access to a network is a phishing attack.

Procedures are the technical details of how a threat actor carries out a Technique to accomplish their objective. For a phishing attack, the Procedures would cover the order of operations or phases of the campaign: the infrastructure used to send the malicious email, whom the actor plans to target, and how they plan to compromise the target’s machine.

Unfortunately, tracking the behaviors of threat actors has been a complex challenge for our industry, mainly because we did not have a single, universally adopted, standardized framework to adhere to. As mentioned in part 1 of our Hackers Almanac series, depending on which security organization is attributing an attack, the threat group Mandiant calls APT10 also goes by menuPass (FireEye), Stone Panda (CrowdStrike), Red Apollo, Cloud Hopper and POTASSIUM (Microsoft). This makes documenting, reporting and speaking about threat actors extremely difficult.

Fortunately, over the last few years, the industry has begun to…


Balancing Security and User Behavior in Remote Work


Just when security was finally being recognized as a priority within business operations, remote work hit what amounted to a giant reset button. As work from home (WFH) became necessary, productivity was prioritized over everything else. Getting employees online, making sure everyone had the necessary equipment and access, and even setting up cloud options where there had only been on-premises access before, all came first. Security went back to being an afterthought for a lot of companies.

The result was a rise in malware incidents and other poor security behaviors. Wandera’s Cloud Security Report 2021 found that 52% of organizations dealt with a malware incident in 2020, up from 37% in 2019. Phishing attacks were more frequent on weekends than on weekdays. And compared with pre-pandemic times, connections to inappropriate content during office hours increased 100%.

WFH Reduced Security Oversight

This change is due in part to WFH and reduced security oversight, and in part to changes in employee behaviors, according to Michael Covington, vice president at Wandera.

“There were definitely some cases where we observed attackers taking advantage of the insatiable demand for information related to the pandemic; the many fake COVID-19 tracing apps that appeared in Q2 are just one example of how one global incident drove users around the world to download malicious software en masse,” Covington explained in an email interview.

As for behavior changes, using a single device for the bulk of online activity blurred the line between personal and work more than ever. With work security policies relaxed, employees gained a newfound freedom to install whatever apps they wanted, and those often include malware.

The impact of widespread SaaS adoption also has security implications, according to Covington. “With more applications that are available to users, without IT vetting and security review, the greater the likelihood malicious software will appear on work devices, whether mobile or not,” said Covington.

Malicious Appeals to Remote Workers

Wandera customers most frequently encountered spyware in 2020, according to the report. There were also a…
