Keyloggers: Silent Cyber Security Weapons
All content following this page was uploaded by Akashdeep Bhardwaj on 08 March 2020.
The privilege level at which keyloggers execute is higher than typical malware, which makes them almost impossible to detect and remove. Dr Akashdeep Bhardwaj of the University of Petroleum & Energy Studies, Dehradun, and Dr Sam Goundar of the University of South Pacific, demonstrate how a keylogger can gather keystrokes and screenshots along with online transactions without a scanner being able to detect it. They also suggest a form of virtual keyboard that could defeat this kind of malware. Full story on page 14…

Keyloggers are almost impossible to detect and remove because of the privilege level at which they execute. Dr Akashdeep Bhardwaj of the University of Petroleum & Energy Studies, Dehradun, and Dr Sam Goundar of the University of South Pacific, propose a taxonomy for keyloggers and demonstrate how a keylogger can gather keystrokes and screenshots along with online transactions without a scanner being able to detect it. They also suggest a form of virtual keyboard that could defeat this kind of malware.
ISSN 1353-4858/20 © 2020 Elsevier Ltd. All rights reserved
NEWS

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 1865 843239. Fax: +44 (0)1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero, g.valero@elsevier.com
Publishing Director: Sarah Jenkins
Editor: Steve Mansfield-Devine, smd@contrarisk.com
Senior Editor: Sarah Gordon
Columnists: Ian Goslin, Karen Renaud, Dave Spence, Colin Tankard
Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas, l.lucas@elsevier.com

...Continued from front page

are working under the assumption that the entire domain is compromised. The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.”

According to the publication: “Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached.” Although there are no details as to what data was compromised, the article says the internal report “implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders”.

The intrusions affected an estimated 42 servers in three locations: the UN Office in Vienna, the UN Office in Geneva, and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters, also in Geneva. The intrusions compromised core infrastructure systems, including user and password management and firewalls. Staff were told to change their passwords but were not informed about the breach, nor that there was the potential that personal data had been put at risk. One claim suggested that as much as 400GB of data had been exfiltrated from the servers, possibly including staff records, health insurance and commercial contract data, although the UN claimed that no important data was accessed.

“Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information,” said a UN statement. “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.”

The internal report, dated 20 September 2019, suggests the breaches occurred two months earlier. The entry point seems to have been a known vulnerability in Microsoft SharePoint (CVE-2019-0604). A patch had been available for months before the breach but the UN had not applied it to the breached systems. Widely available exploits for this vulnerability allow attackers to bypass authentication and perform system-level commands. It seems that the Vienna network was breached first and the attackers used that to pivot to the other systems.

Once the story broke, spokesperson Stéphane Dujarric admitted that: “The attack resulted in a compromise of core infrastructure components,” and “was determined to be serious”. However, the internal report used phrases such as “major meltdown” and “counting our casualties”. The report by The New Humanitarian is here: http://bit.ly/2H8CEEe.

Meanwhile, the UN has come in for a targeted phishing campaign. Malicious emails were sent to 600 staffers across the organisation, purporting to come from the Permanent Mission of Norway, which represents the country at the UN headquarters in New York. The emails claimed there was an issue with an attached agreement document. According to security firm Cofense, the attachment was a Word document with malicious macros capable of downloading the Emotet malware.

Citrix flaw remains critical

The critical vulnerability affecting the Citrix Application Delivery Controller (ADC) and Gateway (CVE-2019-19781) is still a major cause for concern even though the flaw has been patched.

According to Positive Technologies, the security company that revealed the issue, more than six weeks after the threat became public knowledge, nearly one in five (19%) of organisations has yet to implement the patches. That represents around 15,000 organisations that are still at risk. And the flaw is under active attack in the wild.

Some system administrators may find that the flaw has already been patched for them – by hackers. According to FireEye, a hacking group dubbed NotRobin is bundling mitigation code with its exploits. This allows them to install malware, such as backdoors, on a vulnerable system, then close off the vulnerability so that it can’t be used by other cyber criminals.

“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked,” the FireEye report explains. “However, when the actor provides the
2
Network Security February 2020
Threatwatch

Emotet wifi attack

The infamous Emotet trojan now has a new worm-like module that allows the malware to spread via insecure wifi networks, according to researchers at Binary Defense. Once established on a wifi-enabled computer, this new strain uses calls to wlanAPI.dll in an attempt to discover nearby wireless networks. If these are password protected, it will attempt to brute force a connection. Once on the wifi network, the malware looks for other Windows machines with non-hidden shares, scans for all users on those devices and tries to brute force its way into administrator accounts. If successful, it installs a service called ‘Windows Defender System Service’ to achieve persistence on the system. There’s more information here: http://bit.ly/2urMdf6.

Motherboard flaw

A long-deprecated driver for old versions of Gigabyte PC motherboards is being exploited by attackers to hijack Windows systems, disable anti-malware defences and install ransomware. Sophos discovered the read-write flaw – which it has dubbed RobbinHood – in a driver that Gigabyte stopped shipping and supporting some time ago but which still has a valid cryptographic signature. By using the driver as a vector, anti-malware systems ignore the malware because it appears legitimate. The attackers then use this approach to load a second, unsigned driver that enables the ransomware. The flaw affects Windows 7, 8 and 10 machines. There’s more information here: http://bit.ly/2UDk3s9.

ICS ransomware

A new strain of ransomware has features designed specifically to attack organisations running industrial control system (ICS) devices, according to security firm Dragos. Although it mostly functions like any other ransomware – encrypting files and displaying a ransom message – it also comes with a ‘kill list’ of ICS-specific processes that it attempts to shut down. These include processes relating to ICS products such as GE’s Proficy data historian, the GE Fanuc licensing server, Honeywell’s HMIWeb application and the ThingWorx Industrial Connectivity Suite, as well as a number of other remote monitoring and licensing server solutions. Dragos describes the malware as primitive, but warns that it still represents “specific and unique risks and cost-imposition scenarios for industrial environments”. There’s more information here: http://bit.ly/31GJ9b4.

TrickBot UAC evasion

The TrickBot trojan has adopted a new way of bypassing Windows 10 User Account Control (UAC) mechanisms so that it can be installed with no user warnings. Now, when the malware is being installed on a PC, it checks to see if the OS is Windows 7 or Windows 10. If the former, it uses the existing CMSTPLUA UAC bypass method. If Windows 10, it makes use of the fodhelper.exe program – a trusted binary in the Windows system that is used to execute code with administrator privileges. The ability to exploit this part of the OS to bypass UAC was discovered back in 2017. There’s more information here: http://bit.ly/37c2kuo.

Metamorfo targets banks

A new version of the Metamorfo banking trojan is casting its net wider. Unlike an earlier version, which focused purely on banks in Brazil, the second strain is targeting the customers of financial institutions in multiple countries, researchers at Fortinet have warned. The firm discovered the trojan being distributed as an MSI file hidden in a Zip archive. This file is automatically executed by MsiExec.exe in Windows if a user double-clicks on the file. There is a full analysis here: http://bit.ly/38lBt0c.
Citrix flaw remains critical (continued)

hardcoded key during subsequent exploitation, NotRobin does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.” The FireEye report is here: http://bit.ly/2OI0oDx.

FireEye also said there have been reports of attackers exploiting the flaw to install the Ragnarok ransomware and cryptomining malware. “Based on our initial observations, the ultimate intent may have been the deployment of ransomware, using the Gateway as a central pivot point,” the firm said.

FireEye has worked with Citrix to develop a scanner that can detect compromised appliances. This is based on indicators of compromise gathered during incident response engagements. “The goal of the scanner is to analyse available log sources and system forensic artefacts to identify evidence of successful exploitation of CVE-2019-19781,” Citrix said. “There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a system is free of compromise.” The tool is available on GitHub here: https://github.com/citrix/ioc-scanner-CVE-2019-19781.

The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Defense, has also released details on how to detect vulnerable systems. The details are here: www.us-cert.gov/ncas/alerts/aa20-031a.

NSA finds major Windows bug

Microsoft has patched a major flaw in the CryptoAPI functionality of Windows 10 and Server 2016. But aside from the serious nature of the vulnerability, what makes this bug interesting is that the firm was alerted to it by the US National Security Agency (NSA).

The NSA has gained a certain notoriety for keeping details of exploitable software flaws to itself, so that it can exploit them for its own intelligence-gathering operations. In this instance, however, the agency seems to have regarded the vulnerability as so serious that it was critical that Microsoft fixed it. The bug has been dubbed ‘CurveBall’ and proof-of-concept exploits were released by security researchers within 24 hours of the announcement.

The vulnerability (CVE-2020-0601) allows attackers to disguise malware as legitimate, signed software as well as spoofing X.509 certificate chains for other forms of attack. This could allow for the interception and modification of TLS-encrypted communications, such as web sessions. And, by bypassing authentication, it could allow for remote code execution.

According to the NSA: “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” There’s more information here: http://bit.ly/2UGlK80 and here: http://bit.ly/2OF3W9K.
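A defensive check prompted by the CurveBall item above, written for this page and not taken from the newsletter, Microsoft or the NSA: CVE-2020-0601 concerned ECC certificates whose public key is described with explicit curve parameters rather than a named-curve OID, so the function below parses a DER SubjectPublicKeyInfo by hand and flags that pattern for rejection or alerting. The sample SPKI blobs are constructed placeholders with all-zero points, not real keys.

```python
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # id-ecPublicKey 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # secp256r1 1.2.840.10045.3.1.7
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")     # prime-field 1.2.840.10045.1.1
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated DER value")
    return tag, data[pos:pos + length], pos + length


def classify_ec_spki(spki_der):
    """Classify a SubjectPublicKeyInfo as 'named-curve', 'explicit-params',
    'implicit' or 'not-ec'.

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm        SEQUENCE { algorithm OID, parameters ANY OPTIONAL },
        subjectPublicKey BIT STRING }
    For id-ecPublicKey (RFC 5480) the parameters are a namedCurve OID,
    an explicit ECParameters SEQUENCE, or NULL/absent (implicitlyCA).
    """
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    if oid != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"
    ptag, _, _ = _read_tlv(alg, pos)
    if ptag == 0x06:
        return "named-curve"
    if ptag == 0x30:
        return "explicit-params"
    if ptag == 0x05:
        return "implicit"
    raise ValueError("unexpected EC parameter encoding")


def is_curveball_suspicious(spki_der):
    """True when the key carries explicit ECParameters: reject or alert on it."""
    return classify_ec_spki(spki_der) == "explicit-params"


# ---- constructed sample inputs (placeholders, not real keys) ----------------
def _der(tag, value):
    """Encode tag + DER length (short or long form) + value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


FAKE_POINT = b"\x04" + b"\x00" * 64                   # uncompressed-point shape only
FAKE_BITSTRING = _der(0x03, b"\x00" + FAKE_POINT)    # BIT STRING, 0 unused bits

NAMED_CURVE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, OID_EC_PUBLIC_KEY) + _der(0x06, OID_PRIME256V1))
    + FAKE_BITSTRING)

IMPLICIT_SPKI = _der(0x30, _der(0x30, _der(0x06, OID_EC_PUBLIC_KEY)) + FAKE_BITSTRING)

# ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor }.
# Only the outer structure matters to the check; the members are placeholders.
EXPLICIT_PARAMS = _der(0x30,
    _der(0x02, b"\x01")
    + _der(0x30, _der(0x06, OID_PRIME_FIELD) + _der(0x02, b"\x7f"))
    + _der(0x30, _der(0x04, b"\x00") + _der(0x04, b"\x07"))
    + _der(0x04, FAKE_POINT)
    + _der(0x02, b"\x7f")
    + _der(0x02, b"\x01"))
EXPLICIT_PARAMS_SPKI = _der(0x30,
    _der(0x30, _der(0x06, OID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS)
    + FAKE_BITSTRING)

RSA_SPKI = _der(0x30,
    _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))
    + _der(0x03, b"\x00" + _der(0x30, _der(0x02, b"\x00\xc3") + _der(0x02, b"\x01\x00\x01"))))


if __name__ == "__main__":
    for name, blob in (("named", NAMED_CURVE_SPKI), ("implicit", IMPLICIT_SPKI),
                       ("explicit", EXPLICIT_PARAMS_SPKI), ("rsa", RSA_SPKI)):
        print(f"{name:9s} {classify_ec_spki(blob):16s} suspicious={is_curveball_suspicious(blob)}")
```

The check can be run on the SubjectPublicKeyInfo of every certificate in a chain before the platform's own verifier is trusted; a named curve or an RSA key passes, explicit parameters are flagged.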
NEWS
In brief

US blames China for Equifax hack

The US Department of Justice (DOJ) has now officially blamed China for the massive breach of credit-reporting firm Equifax, which was publicly revealed in September 2017. The DOJ has issued indictments against nine people, including four members of China’s People’s Liberation Army, making it clear that the US considers this to have been a nation-state attack. The breach exploited flaws in the Apache Struts Framework, which Equifax had failed to patch. Having established a foothold on the system, the attackers ran around 9,000 SQL queries against Equifax’s databases, exfiltrating huge amounts of data that they split into smaller chunks in order to avoid triggering alerts. Some 34 servers in 20 countries were used by the hackers in order to make it difficult to pinpoint the origin of the attack. There’s more information here: http://bit.ly/2UGZ6MY.

Iran attack

According to NetBlocks, which monitors Internet access globally, Iran suffered a major outage on 8 February 2020, with as much as a quarter of the country losing access. This was most likely due to the country’s authorities activating the DZHAFA defence mechanism – sometimes described as a ‘digital fortress’ – which was invoked to counter a distributed denial of service (DDoS) attack on the country’s infrastructure. There’s more information here: http://bit.ly/2SzGgVf.

Cisco flaw

Five critical flaws have been discovered in the Cisco Discovery Protocol (CDP) that potentially threaten millions of devices – including switches, routers, IP phones and cameras – and the networks to which they are connected. Security firm Armis discovered the threat, which it has dubbed ‘CDPwn’, which, it said, could be used as an entry point to enterprise networks running a wide variety of Cisco products. CDP is used to find and manage these products on the network, but the flaws allow the devices to be controlled by an attacker with no authentication required. In particular, the vulnerabilities could override network segmentation and provide a route for data exfiltration. There’s more information here: www.armis.com/cdpwn/.

TCG IoT guidelines

The Trusted Computing Group (TCG) has issued new guidelines and best practices for how vendors should handle software and firmware updates in Internet of Things (IoT) products and other embedded devices. According to the TCG, attackers constantly target the firmware and software in embedded systems, such as appliances and connected door locks, searching for vulnerabilities to exploit in order to establish a permanent foothold on the device. “As a result, designers of embedded systems (ordinary items with an embedded computer) must be prepared to deliver firmware and software updates that customers must promptly install to ensure that these connected devices remain secure,” said the organisation. The guidelines are available here: http://bit.ly/2w8DNtp.

Cracked software loaded with malware

Although it’s not news that ‘cracked’ software – illegal copies of commercial packages modified to evade the need for genuine licences – often comes with embedded malware, researchers from Cybereason have warned that a recent campaign is loading the code with “an arsenal of malware”, including credential stealers, cryptocurrency miners, ransomware and crypto-coin stealers. The malware also has the ability to use the cameras on victims’ systems. Worse, the attackers are using Bitbucket repositories to host additional payloads for the malware. By using a legitimate service like this, they are able to bypass many enterprise defences. There’s more information here: http://bit.ly/2vooPim.

Likud leak

A flaw in an app produced by Israel’s Likud party, headed by Prime Minister Benjamin Netanyahu, has leaked the personal information of all of the country’s registered voters – more than six million citizens. The app, Haaretz (Elector), is used by the party on voting days. Likud incorporated the voter register database into the app, but failed to secure the data, making it available to anyone. The information included full names, identity card numbers, addresses, genders, phone numbers, and other personal details. Likud said it has now secured the information, but there’s no way of knowing how many people might have downloaded it.

Russia blocks Proton

ProtonMail, the end-to-end encrypted email service, and its sister service ProtonVPN, have been blocked in Russia. This is in response to the company, which is based in Switzerland, refusing to comply with new requirements that it register its services with state authorities – now mandatory for all VPN providers – and provide access to user information. Proton has advised its users in the Russian Federation to use the Tor browser to access its services. Meanwhile, the Russian Government is threatening Facebook and Twitter with fines following their refusal to abide by a Russian law that dictates that databases providing services to people in Russia must be based on servers in the country. The law also requires that the companies provide user information to the authorities on demand. Although the threatened fines, of up to $94,000, are relatively trivial, further failure to comply with the law could result in the services being banned in the country, as happened to LinkedIn in 2015.

Pen-test results

The latest version of Bulletproof’s ‘Annual Cyber Security Industry Report’, based on data from the firm’s penetration testing and security operations centre (SOC) teams, claims that a fifth of pen tests revealed a critical risk in need of immediate remediation. The results show that the most pervasive of critical flaws, offering hackers an easy opening into an environment, are outdated or unsupported components. And the majority of risks identified are those that need urgent attention, with medium risks outnumbering low-risk issues. There were around 15,000 events per second and billions of logs each month, with more than half being related to user activity. The report is available here: http://bit.ly/39sXXNg.

Gallery under fire

London’s National Portrait Gallery blocked 347,602 emails containing spam, phishing and malware attacks in the final quarter of 2019, according to official figures. The data, obtained under the Freedom of Information Act by the Parliament Street think tank, underlines the threat posed to the capital’s museums by malicious hackers who are intent on stealing membership data from tourist hotspots. Just over half (56%) of the blocked emails were identified as directory harvest attacks (DHAs) in which attackers attempt to determine the validity of email addresses of employees or individuals associated with an organisation’s server so that they can be added to a spam database. Additionally, 61,710 emails were blocked as the sender belonged to a ‘threat intelligence blacklist’. The National Portrait Gallery receives up to two million visitors a year, and some of their private information, such as payment details and email addresses, is stored on its servers.

Twitter API abused

A flaw in Twitter’s API has been exploited to match telephone numbers against usernames. Security researcher Ibrahim Balic said he had managed to make 17 million such matches by automatically generating two billion phone numbers and then attempting to match them to users. This was possible because Twitter provides a feature through which users can upload their address books in order to find friends on the service. But Twitter failed to limit requests in its API. In addition to Balic’s research, Twitter said it witnessed a high volume of requests coming from IP addresses in Iran, Israel, and Malaysia and said that, “it is possible that some of these IP addresses may have ties to state-sponsored actors”. The flaw has now been fixed.
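An added detection example, not from the newsletter: the Equifax item above notes that the attackers split the exfiltration into many small queries to stay under per-query alert thresholds, so the rule below sums rows returned per database account over a sliding one-hour window instead of judging each query on its own. The audit-log line format, account names and sample lines are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log line format (not any real product's format):
#   "<ISO-8601 timestamp> user=<db account> rows=<rows returned> table=<name>"


def parse_line(line):
    """Turn one audit line into (timestamp, user, rows, table)."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return (datetime.fromisoformat(ts_str), fields["user"],
            int(fields["rows"]), fields["table"])


def per_query_alerts(lines, max_rows=1000):
    """The naive rule: fire only when a single query returns more than
    max_rows. Chunked exfiltration never trips this."""
    return [(user, rows) for _, user, rows, _ in map(parse_line, lines)
            if rows > max_rows]


def max_window_rows(lines, window=timedelta(hours=1)):
    """For each user, the largest total of rows returned by queries that
    fall inside any sliding window of length `window`."""
    events = sorted(parse_line(line) for line in lines)
    by_user = defaultdict(list)
    for ts, user, rows, _ in events:
        by_user[user].append((ts, rows))
    peaks = {}
    for user, evs in by_user.items():
        start, total, peak = 0, 0, 0
        for ts, rows in evs:
            total += rows
            while ts - evs[start][0] > window:   # drop queries that aged out
                total -= evs[start][1]
                start += 1
            peak = max(peak, total)
        peaks[user] = peak
    return peaks


def windowed_alerts(lines, window=timedelta(hours=1), max_rows=10000):
    """Users whose rows-per-window total exceeds max_rows, sorted by name."""
    return sorted(user for user, peak in max_window_rows(lines, window).items()
                  if peak > max_rows)


def build_sample_log():
    """Constructed sample: one account pulls 150 rows every 20 s for 100
    minutes (45,000 rows in total), alongside a quiet reporting account."""
    base = datetime(2017, 6, 1, 1, 0, 0)
    lines = [f"{(base + timedelta(seconds=20 * i)).isoformat()} "
             f"user=web_svc rows=150 table=consumer_pii" for i in range(300)]
    lines += [f"{(base + timedelta(minutes=7 * i)).isoformat()} "
              f"user=report_bot rows=40 table=consumer_pii" for i in range(5)]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("per-query alerts:", per_query_alerts(SAMPLE_LOG))    # []
    print("peak rows per hour:", max_window_rows(SAMPLE_LOG))
    print("windowed alerts:", windowed_alerts(SAMPLE_LOG))      # ['web_svc']
```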
FEATURE
No one wants to be ‘that guy’ – the one that got the company hacked. The one who made a simple but stupid mistake when developing a new software application, such as including a password in the code.

Except for nefarious insiders, IT people don’t wake up and say: ‘Hmm, I think I’ll create a software vulnerability today, or misconfigure a cloud or container setting, leaving a gaping hole for attackers’. Yet it happens every day. Usually it’s a case of poor hygiene – like not applying a security patch or ignoring a critical software vulnerability. Sometimes it’s due to ignorance or misinformation, such as believing that applications running in containers or on cloud services are inherently more secure.

The best way to reduce application security risk from ignorance and neglect is through automation. By automating application security scanning, vulnerability remediation and monitoring the application’s infrastructure, the element of human error is removed and consistency is applied. Auditors love the approach because it enforces security policies and exceptions can be easily identified and documented.

Similarly, the best way to reduce the risk of non-compliance with regulatory controls is by automating the controls and having traceability along the way to capture who changed what, when and why. Building this approach into the company’s software development lifecycle (SDLC) ensures that policies are consistently applied to every project.

Crossing the silos

So why do more enterprises not embrace this approach? Application security is hard. The required products are expensive and demand integration of both technology and processes. Furthermore, the tools and the processes must go hand in hand, and in the case of applications, that means crossing the organisation’s key functional silos of development, security and operations. Siloed tools mean the teams lack the means to collaborate.

Modern software development compounds these challenges. Security teams are challenged to meet the scale and velocity of agile development methods. Code changes faster and faster, with more open source, more APIs and more microservices. The enterprise’s development costs can explode unpredictably when application security testing charges by each application and when single applications are broken into multiple microservices (essentially in the case of mini apps).

In addition, iterative development is incongruent with full application security scans. Typically, applications are scanned during testing, especially dynamic application security testing (DAST), which requires a fully functioning application in order to perform the test. Any security tests that must by definition wait to be run until code changes are merged into the larger code base will inherently become a bottleneck. Once in production, cloud native applications that use containers and orchestrators present entirely new attack surfaces as well. Agile development and the holy grail of DevSecOps doesn’t scale without developer enablement, automation, and exception-based security.1

It’s no longer a matter of simply throwing tools or services at an app to identify vulnerabilities. In his keynote at the 2019 RSA Conference, VMware’s CISO Alex Tosheff said: “Your most important security product won’t be a security product.” He is absolutely right. If we rethink security as more of an outcome and less as a tool or a department, we can achieve a state where security is integrated directly into the SDLC and where compliance and its auditability are byproducts of comprehensive automation.

End-to-end application security needs to automate these four elements:

• Application security testing and remediation.
• Application infrastructure security.
• Policy compliance and auditability.
• SDLC platform security.

Application testing and remediation

So often development teams get so focused on one aspect of security or one set of mission-critical applications that we go very deep on those protections and leave many other, sometimes obvious, aspects completely exposed. It’s like putting multiple locks on your door and leaving your window wide open. For instance, are you using a very powerful scanner for your mission-critical apps but not scanning others? Or not scanning your third-party code because you expect it’s in widespread use so has already been checked out (think Apache Struts 2)?

The key recommendations here are:

• Go broad, not deep, when testing applications. What good is it to find 10,000 vulnerabilities if you lack the
resources to prioritise and remediate them all? Now they just represent a liability.
• Assume everything is a weak link now. Start from where you are and begin using iterative, incremental security testing, at the point of code commit, to break down the work into smaller, actionable scanning and remediation cycles. It's a bit like the proverbial challenge of how to swallow an elephant: one bite at a time.
• Test every code change, at least for the most common security vulnerabilities, rather than narrowly focusing on 'critical' apps.

Application infrastructure security

As serverless applications become abstracted away from the hardware on which they run, and cloud native introduces new attack surfaces via containers and orchestrators, think about hardening the application and monitoring these new architectural elements. The most effective steps you can take here include:
• Hardening your apps by applying zero-trust principles. Multi-factor authentication (MFA) is one of your best defences, so use it. Employ role-based access control (RBAC) to control how files can be changed. And encrypt data from inception to deletion.
• Applying principles of network security within containers. Monitor east-west traffic among applications inside containers, and monitor application and container behaviour for malicious activity.
• Misconfigurations are probably the greatest source of risk when you consider the countless dials available from cloud service providers, containers and orchestrators. Carefully determine what your policies (and related settings) should be and automate their use wherever possible.

Policy compliance and auditability

The GDPR (General Data Protection Regulation) has heightened the focus on application security. While it centres around protecting customer data privacy, applications are often the primary attack path through which sensitive data is leaked: for example, British Airways is facing a record GDPR fine (£183m, around $230m) from a breach in 2018 that leaked 500,000 customer records.2

With such high stakes, auditing becomes a way to identify compliance risks proactively. Auditors focus on common controls and they love automation and the consistency it provides; they can inspect the automation rules and do not need to see a large sample of results to prove efficacy, as they have to do for manual controls. In addition, traceability and accountability become even more important capabilities to track who changed what and when.

Key recommendations here include automating common controls in your SDLC to improve compliance and simplify audits. Consider:
• Segregation of incompatible duties.
• Identity and access approval controls.
• Configuration management and change control.
• Access restrictions for changes to configurations and pipelines.
• Protections on branches and environments.
• Audit logs.
• Licensed code usage.
• Security testing, including dependencies and containers.

How application scanning makes auditors happy

Often an enterprise will stitch together a variety of tools to create an end-to-end DevOps tool chain. Then they try to integrate application security tools. It gets ugly. This was the challenge for a software company whose technology provides real-time location tracking for retailers and home service providers. It had a complex developer tech stack with over 20 distinct tools that was hard to maintain and manage. Teams spent several hours a week keeping tools running, rather than shipping innovation to their app. The firm took a different path and moved to one tool for the entire software development life cycle (SDLC).

By using application security scanning embedded within continuous integration (CI), the organisation can automatically test new and revised code, and developers can see the scan results within their pipelines. This innovation allowed them to quickly respond to auditors' feedback on the compliance of over 50 repositories and build a complete security package for integrating code changes into their environment.

One of the senior auditors commented in passing that having the code quality, the static application security testing (SAST) and container scanning and the pipeline all automated is almost better than a manual review. At the same time, the firm's deployments went from four hours to less than 30 minutes, and teams were more than twice as efficient via the streamlined code-review-test-deploy process through pipelines.

SDLC platform security

Your code is only as secure as the software used to develop and deploy it. Ensure that the tools your enterprise relies on are tested and compliant themselves. Be wary of fragmented toolchains that often rely on credentials stored in scripts in order to reduce process friction across functions, because these integrations create vulnerabilities themselves. The best advice in this area includes:
• Encourage use of a single platform for the end-to-end SDLC to reduce vulnerable integrations (while at the same time improving process efficiencies).
• Good hygiene is key (apply security patches, update access controls, etc). Use automation to enforce it.

As software evolves toward a next generation characterised by rapid iteration and new architectures even more dependent upon cloud providers, the way in which application security is applied will need to evolve simultaneously. These recommendations can serve as a guide post to your efforts.
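The warning under SDLC platform security about credentials stored in pipeline scripts is one of the few points in this article that can be checked mechanically on every commit. The following is an added example, not code from the article or from GitLab: a small scanner that walks script text, flags lines that embed a credential literal (known token formats, or an assignment whose name smells like a secret) and deliberately ignores values that are read from the environment at run time. The AKIA and glpat- prefixes are the public formats of AWS access key IDs and GitLab personal access tokens; the token bodies, the script and the variable names are constructed for the illustration.

```python
import re

# Credential formats worth a hard rule. The AKIA and glpat- prefixes are the
# public formats of AWS access key IDs and GitLab personal access tokens;
# the token bodies in the sample below are made up.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
}
# Generic "NAME=value" or "name: value" where the name smells like a secret.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)\b[A-Z0-9_]*(?:password|passwd|secret|api_key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"
)
# A value that is a shell or CI variable reference is read at run time, not stored.
ENV_REFERENCE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%[A-Za-z_]+%")


def scan_script(text):
    """Return [(line_no, rule, value)] for lines that embed a credential literal."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment
        hit = None
        for rule, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                hit = (no, rule, m.group(0))
                break
        if hit is None:
            m = CREDENTIAL_ASSIGNMENT.search(line)
            # An assignment is only a leak if the value is a literal, not $VAR.
            if m and not ENV_REFERENCE.search(m.group(1)):
                hit = (no, "credential_assignment", m.group(1))
        if hit:
            findings.append(hit)
    return findings


# Constructed deploy script (not from any real project).
SAMPLE_SCRIPT = """\
# deploy.sh -- constructed sample
export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
curl -H "PRIVATE-TOKEN: glpat-0123456789abcdefghij" https://gitlab.example.com/api/v4/projects
DB_PASSWORD=correct-horse-battery
API_TOKEN=$CI_JOB_TOKEN
"""


def sample_findings():
    """Scan the constructed script; lines 2, 4 and 5 leak, lines 3 and 6 do not."""
    return scan_script(SAMPLE_SCRIPT)


if __name__ == "__main__":
    for no, rule, value in sample_findings():
        print(f"line {no}: {rule}: {value}")
```

Run as a pre-receive or CI job it turns the advice into a control an auditor can inspect: the rule set is the policy, and a non-empty finding list fails the pipeline. It is a pattern check, not a proof of absence; secrets passed in on the command line or base64-wrapped need additional rules.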
About the author

Cindy Blake is the senior security evangelist at GitLab, which provides a single application approach for the entire software development lifecycle. She collaborates with major enterprises around best practices for integrated DevSecOps application security solutions. Previously, as part of the Hewlett Packard Enterprise (HPE) Fortify team, she led early third-party research on the intersection of development, security and operations.

References
1. Lietz, Shannon. 'What is DevSecOps?'. DevSecOps, 1 Jun 2015. Accessed Jan 2020. www.devsecops.org/blog/2015/2/15/what-is-devsecops.
2. Lunden, Ingrid. 'UK's ICO fines British Airways a record £183m over GDPR breach that leaked data from 500,000 users'. TechCrunch, 8 Jul 2019. Accessed Jan 2020. https://techcrunch.com/2019/07/08/uks-ico-fines-british-airways-a-record-183m-over-gdpr-breach-that-leaked-data-from-500000-users/.
Dissecting .NET ransomware: key generation, encryption and operation

Pranshu Bajpai and Richard Enbody, Michigan State University

The threat of ransomware is ever growing. Not all ransomware types are created equal, and the cryptosystems in some forms are more virulent than others. This article dissects eight real-world variants belonging to different families of .NET ransomware and provides insights into key generation, encryption and other aspects of the ransomware kill chain. We also summarise ransomware execution flow and dynamic library calls based on the collected evidence. While this analysis was carried out using .NET ransomware samples, the lessons learned from the empirical evidence apply to all modern forms of ransomware and can be used for building more effective defences against it.

Ransomware has established its reputation as the top threat to security due to its impartial attack on users and organisations. The older 'spray and pray' infection tactics are still observed today, but of primary concern are the targeted ransomware attacks where the adversaries carefully select their victims to maximise impact. This targeted approach permits the perpetrators to perform manual reconnaissance of the victim's networks and systems before effecting mass data encryption. Accordingly, a larger subset of hosts within the organisation is impacted, and this effective, manual reconnaissance leads to a higher ransom demand. Unfortunately, ransom demands today frequently reach hundreds of thousands of dollars. Studying the underlying cryptosystem in modern ransomware is a crucial part of creating effective solutions against this formidable threat.

As with most malware, analysts studying ransomware do not have the luxury of reading plain source code. However, languages that compile to an intermediate bytecode rather than to native machine code, such as the .NET languages, offer the next best alternative in that ransomware written in them can be decompiled. The result of the decompilation is significantly closer to the actual source code than native disassembly is. Thus, while it is possible for these types of ransomware to still carry some level of obfuscation, analysis becomes easier when the malware is written for a managed runtime. Consequently, we break down operational characteristics common to most ransomware and show empirical proof in the decompilation of select .NET ransomware samples detailed in this article.

Cryptosystems and constraints

Ransomware poses a severe threat for two main reasons: it is relatively easy to develop and it is highly effective in delivering a denial of control (a variant of denial of service) attack when properly implemented.1 The development of ransomware involves a design strategy that is bound by a series of constraints. These constraints formulate the ransomware kill chain and must be followed if the ransomware is to succeed in its nefarious objective. The constraints are defined as follows:
• C1. Infiltrating the host system.
• C2. Gaining execution privileges.
• C3. Establishing a unique cryptographic secret.
• C4. Enumerating files on the file system.
• C5. Modifying files in view of the encryption scheme.
• C6. Removing access to original files.
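Constraint C3 is where a decompiled sample most often gives the analyst a way back in: if the "unique cryptographic secret" is drawn from a pseudo-random generator seeded with a low-entropy value, the secret can be recovered by re-running the generator over the plausible seed window. (The 'Random Constructors' entry in the Resources below is the relevant API; the .NET Framework's parameterless Random() seeds from Environment.TickCount, a millisecond counter.) The following is an added example, not code from any of the samples the article analyses nor from the authors. Python's random.Random stands in for System.Random (a different algorithm, but the same failure mode, since the seed space rather than the generator is what the attack exploits), SHA-256 in counter mode stands in for the stream cipher, and the file magic, tick count and seed window are constructed for the illustration.

```python
import hashlib
import random

# Known-plaintext anchor: most file formats begin with a fixed magic value.
MAGIC = b"%PDF-1.7"


def derive_key(seed):
    """Constructed weak scheme: 16 key bytes drawn from a PRNG seeded with one integer.
    random.Random stands in for .NET's System.Random; the seed space is the point."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def keystream(key, length):
    """SHA-256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key, data):
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))


def recover_seed(ciphertext, seed_lo, seed_hi, known_prefix=MAGIC):
    """Try every seed in [seed_lo, seed_hi); return (seed, key) once the known
    header encrypts to the observed ciphertext prefix, else None."""
    observed = ciphertext[:len(known_prefix)]
    for seed in range(seed_lo, seed_hi):
        key = derive_key(seed)
        if xor_crypt(key, known_prefix) == observed:
            return seed, key
    return None


def demo():
    # Malware side: seed taken from a millisecond tick count (constructed value).
    tick_count = 1_234_567
    victim_key = derive_key(tick_count)
    plaintext = MAGIC + b"\n% constructed victim document\n"
    ciphertext = xor_crypt(victim_key, plaintext)
    # Analyst side: the incident timeline bounds the tick count to a ten-second
    # window, so only 10,000 candidate seeds need to be tried.
    seed, key = recover_seed(ciphertext, 1_230_000, 1_240_000)
    return seed, xor_crypt(key, ciphertext) == plaintext


if __name__ == "__main__":
    print(demo())
```

The check that makes this work is the known plaintext: one encrypted file whose original format is obvious is enough to confirm a candidate seed, after which every file encrypted under the same key opens. A sample that instead draws its key from the platform's cryptographic generator (the System.Security.Cryptography namespace in the Resources) gives the analyst no such window.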
Figure 12: Generalised flow of execution in .NET ransomware.

Resources
• 'System.Security.Cryptography Namespace'. Microsoft. Accessed Jan 2020. https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=netframework-4.8.
• dnSpy, home page. GitHub. Accessed Jan 2020. https://github.com/0xd4d/dnSpy.
• 'Random Constructors'. Microsoft. Accessed Jan 2020. https://docs.microsoft.com/en-us/dotnet/api/system.random.-ctor?view=netframework-4.8.
• Malpedia, home page. Fraunhofer. Accessed Jan 2020. https://malpedia.caad.fkie.fraunhofer.de/
Keyloggers: silent cyber security weapons

Dr Akashdeep Bhardwaj and Dr Sam Goundar

Cyber attackers are always seeking to design and push malicious software programs to unsuspecting users, to intentionally steal, damage or exploit data on end user systems. Malware types include spyware, keyloggers, rootkits and adware. In the past, script kiddies hacked computers to show off their skills and have fun. Today, hacking computers has become a huge cybercrime industry. Even as systems have improved in terms of both hardware and software, cyber attacks continue unabated.

The attacks have increased in complexity as well as impact. In May 2019, version 9 of the Hawk Eye malware surfaced, targeting business users.1 The modus operandi of this malicious program has become a cybercrime standard. IBM's X-Force reported the IP address origin of Hawk Eye as being from Estonia, but it affected global users.2 In March 2018, two hacker groups compromised Cathay Pacific Airways.3 One group installed a keylogger on Cathay's server console port and the other exploited the vulnerability. This led to the exposure of the personally identifiable information of 9.4 million Cathay passengers, including names, addresses, phone numbers, flight numbers, data, email addresses and membership numbers.4 New malware is evolving at an incredible rate, with seemingly endless malicious threats in the form of trojans detected every day. In this research, the authors focus specifically on keylogger trojans. Such trojans share system resources with legitimate programs, living as silent residents inside the user's system and performing actions in a covert manner without attracting the attention of users.5

Keyloggers, in common with many trojans, are designed to mimic legitimate software and bypass anti-virus or anti-malware scanners.6 To make matters worse, the privilege level at which keyloggers execute is higher than that of typical malware. This feature makes keyloggers almost impossible to detect and remove.7 Keylogger trojans track keystrokes typed on the keyboard, record screen activities, scan systems for specific documents and send the information back to the hacker. Although the use of keyloggers per se is not illegal, it is mostly associated with malicious activities, as shown in Table 1.

Proposed taxonomy

The authors surveyed several research publications and industry implementations of keyloggers.16-27 We propose that the taxonomy needs to be defined according to two criteria. The first is based on the location of execution and the second is based on the functionalities offered.

Depending on where inside the user's system the keylogger is set up and executed, we can define it as software- or hardware-based. Software keyloggers are installed as hidden applications by an attacker using social engineering methods. These entice users to click on email attachments or open links and download applications. These are primarily trojans, which in turn deploy the keylogger. Most keyloggers have predefined instructions, while the command & control (C&C) servers may supply further instructions.

The deployed application has the ability to hide itself from anti-malware scanners. These applications are designed to capture user keystrokes, take screenshots and transfer specific user documents based on commands issued by the attacker. Some keyloggers use API-based logging: on Microsoft Windows they install a system-wide hook (for example via SetWindowsHookEx) that loads a hidden dynamic link library (DLL) into other processes. User actions,
such as pressing keys, are translated into Windows messages and pushed into the system message queue, where the hook DLL reads them before the target application does. Kernel-based keyloggers go one level lower: they run as drivers inside the operating system kernel and intercept data directly from the keyboard class driver, below the message queue, which is why user-mode scanners rarely see them. Where users employ an on-screen keyboard to type and submit data on web portals, screen-recorder logging is used instead. Form-grabbing keyloggers capture form data rather than keystrokes, at the moment the user clicks the submit button. This data can typically include full name, email, address, phone numbers, mobile numbers, login credentials and payment card details.

Hardware keyloggers are small physical devices connected to the user's system that capture keystrokes in hardware. These devices are plugged into a USB port, embedded in the system BIOS, connected between the keyboard and the I/O port, or rely on acoustics. They have built-in memory to store keystrokes. They are usually undetectable by any known malware scanner and do not use the system disk to store the captured logs. Compared to software keyloggers, hardware keyloggers have one major disadvantage: these devices require physical access to, and installation on, the user's system.

Acoustic keyloggers, which also work against touch screens, infer keystrokes from the sound of key presses by analysing the timing between keystrokes and how often similar acoustic signatures repeat, and transmit the result using enhanced encoding schemes. The recording and transmission consume resources on the capturing device.

Table 1: Keylogger usage examples.

Positive uses
• Parental monitoring: checking on the Internet browsing habits and activities of children and students to ensure cyber awareness and prevent them from being engaged in harmful activities.8
• Improve employee productivity: the monitoring concept extends to checking on time spent by employees on social media or non-productive sites. This should, however, be done with the employees' consent and with proper policies in place for privacy and confidentiality.9
• Investigate writing: research has established keyloggers as an efficient tool for studies on cognitive writing processes (fluency and flow) as well as learning second languages.10
• Ethical hacking: performing vulnerability assessment and penetration testing by deliberately exploiting user systems, then patching them to mitigate future threats.11
• Forensic investigations: corporate, government and military espionage cases, intrusion detection and digital forensics for cybercrime investigations.12

Negative uses
• Gather information: logging and recording every keystroke from a target system's keyboard is a simple process by which attackers can steal sensitive information such as payment card data, Social Security numbers and driver licence details, as well as two-factor authentication codes, passwords, and email and bank credentials.13
• Record screen: performing visual surveillance and tracking file creation, updating or copy-paste operations on a target system by taking and sending snapshots at regular intervals.14
• Identity theft: after gathering personally identifiable information (PII), carrying out economic and financial fraud. This has occurred on a large scale in recent times.15

Functional groups

The authors grouped keylogger functionalities into five categories. The security functionality relates to how keyloggers become invisible to evade detection, hiding from Task Manager in order to perform their execution. This aspect also covers protection of the logged files using encryption, automatically uninstalling and removing files at a predefined date or after a predefined duration, hiding any registry entries or timestamps in system logs, and sending log files to public SMTP servers, making them invisible to users.

The second aspect relates to the monitoring options present in the keylogger. These include intercepting system logon credentials, as well as keys pressed, including alphanumeric and special characters. File operations (create, copy, rename, update or delete) are logged. Copying from system memory or clipboard content is yet another advanced feature of many keyloggers. In fact, some keyloggers have been known to start and stop applications, including webcams, or even log off and shut down systems. Monitoring the print queue and the names of applications clicked via the mouse are noteworthy monitoring features in high-end keyloggers. Some keyloggers even record mouse clicks as well as webcam and microphone audio.

The third aspect relates to monitoring the user's online activities. This includes gathering lists and screenshots of URLs and web portals accessed in various Internet browsers, generating lists of incoming and outgoing emails via the browser as well as email client applications, and capturing details of the user's messenger chats on Skype, Twitter, Facebook, ICQ and other social media clients.

Another critical feature is the reporting and filtering of logs sent to the attacker. This can be to a predefined set of C&C systems or an individual attacker. The reports typically contain the events, their duration for predefined applications as
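The exfiltration behaviour that the security and reporting categories describe (logs or snapshots uploaded at regular intervals, often to a public SMTP server) is visible on the network even when the keylogger itself hides from host scanners, which is the traffic-anomaly scanning the article recommends. The following is an added example, not part of the article: it runs two checks over constructed outbound flow records, a periodicity test (low jitter between successive connections to the same destination and port) and a check for mail ports used towards hosts that are not the organisation's own relay. The flow records, host names, relay address, ports and thresholds are constructed for the illustration.

```python
from statistics import mean, pstdev

# Constructed outbound flow records:
# (epoch seconds, source host, destination IP, destination port, bytes sent).
SAMPLE_FLOWS = [
    (1000, "ws-17", "203.0.113.25", 587, 48212),   # five uploads, ~300 s apart
    (1300, "ws-17", "203.0.113.25", 587, 51090),
    (1601, "ws-17", "203.0.113.25", 587, 49977),
    (1899, "ws-17", "203.0.113.25", 587, 50213),
    (2200, "ws-17", "203.0.113.25", 587, 52034),
    (1010, "ws-17", "198.51.100.7", 443, 1200),    # ordinary browsing, irregular
    (1450, "ws-17", "198.51.100.7", 443, 34000),
    (2100, "ws-17", "198.51.100.7", 443, 900),
    (1005, "ws-22", "10.0.0.5", 25, 3000),         # mail client polling the internal relay
    (1305, "ws-22", "10.0.0.5", 25, 2800),
    (1605, "ws-22", "10.0.0.5", 25, 3100),
    (1905, "ws-22", "10.0.0.5", 25, 2950),
]
SANCTIONED_DESTINATIONS = {"10.0.0.5"}   # assumed: the organisation's own mail relay
MAIL_PORTS = {25, 465, 587}


def is_internal(ip):
    """Assumed internal ranges for the constructed network."""
    return ip.startswith(("10.", "192.168."))


def detect(flows, min_flows=4, max_jitter=0.1):
    """Return alerts as (src, dst, dport, reasons, mean_interval_seconds)."""
    by_key = {}
    for ts, src, dst, dport, _size in flows:
        by_key.setdefault((src, dst, dport), []).append(ts)
    alerts = []
    for (src, dst, dport), stamps in by_key.items():
        if dst in SANCTIONED_DESTINATIONS:
            continue  # known-good relay: regular polling there is expected
        stamps.sort()
        reasons = []
        period = None
        if len(stamps) >= min_flows:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            period = mean(gaps)
            # Coefficient of variation of the inter-arrival times: a scheduled
            # upload has almost no jitter, interactive traffic has a lot.
            if period > 0 and pstdev(gaps) / period <= max_jitter:
                reasons.append("periodic")
        if dport in MAIL_PORTS and not is_internal(dst):
            reasons.append("external-smtp")
        if reasons:
            alerts.append((src, dst, dport, reasons, period))
    return alerts


if __name__ == "__main__":
    for src, dst, dport, reasons, period in detect(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} {reasons} every ~{period:.0f}s")
```

Each reason on its own is weak evidence (plenty of software phones home on a timer; a misconfigured client may send mail directly), but a workstation talking to an unknown mail server on a clockwork schedule with tens of kilobytes per connection is exactly the upload pattern described above, and the combination is what should page someone.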
keylogger trojans. The authors measured the typing time for each message for a set of 15 different users. Five messages with different lengths were selected, and Figure 8 illustrates the time taken for typing, which depends on the message length, for the different keyboards.

From the above research and tests, the results reveal that the virtual layout takes about 50% longer than the QWERTY keyboard with random spacing. However, the time is around 75% less when compared to the random layout.

Figure 8: Comparing the proposed virtual keyboard with QWERTY and ABC keyboards.

Conclusion

Like most cyber security threats, the only possible way to stay safe from keyloggers is regular scanning for any anomalies in outbound or inbound traffic, the use of anti-virus and anti-spyware scanners and, most importantly, user awareness. In this research, the authors demonstrated a successful keylogger technique, gathering keystrokes and screenshots along with online transactions, without any scanner being able to detect the activities. The proposed layout for virtual keyboards involves randomly exchanging vertically adjacent keys from the existing QWERTY layout, using random spacing. This can provide high accessibility and high security simultaneously.

About the authors

Dr Akashdeep Bhardwaj is currently professor of cyber security and digital forensics at the University of Petroleum and Energy Studies (UPES), Dehradun, India. He has over 25 years of IT industry experience working for various US and UK organisations in cyber security, information security and IT management operation roles.

Dr Sam Goundar has been teaching information systems, information technology, management information systems and computer science over the past 25 years at several universities in a number of countries. He is a senior member of IEEE, a member of ACS, a member of the IITP, New Zealand, Certification Administrator of ETA-I, US and past president of the

References
1. Arghire, I. 'Business users targeted by HawkEye keylogger malware'. Security Week, 28 May 2019. Accessed Jan 2020. www.securityweek.com/business-users-targeted-hawkeye-keylogger-malware.
2. Cook, J. 'Cathay Pacific says data of 9.4 million passengers stolen in hack'. The Telegraph, 24 Oct 2018. Accessed Jan 2020. www.telegraph.co.uk/technology/2018/10/24/cathay-pacific-says-data-94-million-passengers-stolen-hack.
3. Mok, D. 'Personal data of 9.4 million Cathay Pacific passengers leaked'. South China Morning Post, 24 Oct 2018. Accessed Jan 2020. www.scmp.com/news/hong-kong/transport/article/2170076/personal-data-some-94-million-passengers-cathay-pacific-and.
4. Wajahat, A; Imran, A; Latif, J; Nazir, A; Bilal, A. 'A novel approach of unprivileged keyloggers detection'. Second IEEE International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, Pakistan, 2019. DOI: 10.1109/ICOMET.2019.8673404.
5. Kuncoro, P; Kusuma, B. 'Keyloggers is a hacking technique that allows threatening information on mobile banking user'. Third IEEE International Conference on Information Technology, Information System and Electrical Engineering (ICITISEE), Yogyakarta, Indonesia, 2018. DOI: 10.1109/ICITISEE.2018.8721028.
6. Javaheri, D; Hosseinzadeh, M; Rahmani, M. 'Detection and elimination of spyware and ransomware by intercepting kernel-level system routines'. IEEE Access, Volume 6, 2018. DOI: 10.1109/ACCESS.2018.2884964.
7. Albabtain, Y; Yang, B. 'The process of reverse engineering GPU malware and provide protection to GPUs'. 17th IEEE International Conference On Trust, Security and Privacy in Computing and Communications, and 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, US, 2018. DOI: 10.1109/TrustCom/BigDataSE.2018.00248.
8. Sukhram, D; Hayajneh, T. 'Keystroke logs: are strong passwords enough?'. 8th IEEE Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, US, 2017. DOI: 10.1109/UEMCON.2017.8249051.
9. Yewale, A; Singh, M. 'Malware detection based on opcode frequency'. IEEE International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), Ramanathapuram, India, 2016. DOI: 10.1109/ICACCCT.2016.7831719.
10. Solairaj, A; Prabanand, C; Mathalairaj, J; Prathap, C; Vignesh, L. 'Keyloggers software detection techniques'. 10th IEEE International Conference on Intelligent Systems and Control (ISCO), Coimbatore, India, 2016. DOI: 10.1109/ISCO.2016.7726880.
11. Tasabeeh, A; Omer, A; Eldewahi, A. 'Random multiple layouts: keyloggers prevention technique'. Conference of Basic Sciences and Engineering Studies (SGCAC), Khartoum, Sudan, 2016. DOI: 10.1109/SGCAC.2016.7457997.
12. Tekawade, N; Kshirsagar, S; Sukate, S; Raut, L; Vairagar, S. 'Social engineering solutions for document generation using key-logger security mechanism and QR code'. Fourth IEEE International Conference on Computing Communication Control and Automation (ICCUBEA), Pune, India, 2018. DOI: 10.1109/ICCUBEA.2018.8697420.
13. Taekwang, J; Kim, G; Kempke, B; Henry, M; Chiotellis, N; Pfeiffer, C. 'Circuit and system designs of ultra-low power sensor nodes with illustration in a miniaturized GNSS logger for position tracking: Part I – analog circuit techniques'. IEEE Transactions on Circuits and Systems I: Regular Papers, vol.64, 2017. DOI: 10.1109/TCSI.2017.2730600.
14. Wooguil, P; Youngrok, C; Sunki, Y. 'High accessible virtual keyboards for preventing key-logging'. Eighth IEEE International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria, 2016. DOI: 10.1109/ICUFN.2016.7537017.
15. Tyagi, G; Ahmad, K; Doja, M. 'A novel framework for password securing system from keylogger spyware'. IEEE International Conference on Issues and Challenges in Intelligent Computing Techniques (ICICT), Ghaziabad, India, 2014. DOI: 10.1109/ICICICT.2014.6781255.
16. Roland, M; Langer, J; Scharinger, J. 'Practical attack scenarios on secure element enabled mobile devices'. Fourth International Workshop on Near Field Communication, 2012, pp.19-24.
17. Yunho, L. 'An analysis on the vulnerability of secure keypads for mobile devices'. Journal of Korean Society for Internet Information, 2013, vol.14, no.3, pp.15-21.
18. Marpaung, J; Sain, M; Lee, HJ. 'Survey on malware evasion techniques: state of the art and challenges'. 14th IEEE International Conference on Advanced Communication Technology (ICACT), 2012.
19. Kumar, S; Sehgal, R; Bhatia, J. 'Hybrid honeypot framework for malware collection and analysis'. Seventh IEEE International Conference on Industrial and Information Systems (ICIIS), 2012.
20. Murugan, S; Kuppusamy, K. 'System and methodology for unknown malware attack'. Second IEEE International Conference on Sustainable Energy and Intelligent System (SEISCON 2011).
21. Rosyid, N; Ohrui, M; Kikuchi, H; Sooraksat, P; Terada, P. 'A discovery of sequential attack patterns of malware in botnets'. IEEE International Conference on Systems Man and Cybernetics (SMC), 2010.
22. Nassar, M;  State, R; Festor, O. 'VoIP malware: attack tool & attack scenarios'. IEEE ICC 2009.
23. Li, S; Schmitz, R. 'A novel anti-phishing framework based on honeypots'. IEEE eCrime Researchers Summit (eCRIME 2009).
24. Hirano, M; Umeda, T; Okuda, T; Kawai, E; Yamaguchi, S. 'T-PIM: Trusted password input method against data stealing malware'. Sixth ACM International Conference on Information Technology (ITNG 2009).
25. O'Donnell, A. 'When malware attacks (anything but Windows)'. IEEE Security and Privacy Magazine, 2008.
26. Thonnard, O; Dacier, M. 'A framework for attack patterns discovery in honeynet data'. Digital Investigation, 2008, vol.5, pp.128-139. Accessed Jan 2020. www.sciencedirect.com/science/article/pii/S1742287608000431.
27. Doja, M; Kumar, N. 'Image authentication schemes against keylogger spyware'. Ninth ACM ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2008).
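The virtual keyboard proposed in the conclusion above (vertically adjacent QWERTY keys exchanged at random, with random spacing) is simple to implement and is best judged against the threat it targets: a logger that records where the user clicks rather than which key was pressed. The following is an added example, not the authors' implementation: it builds one session's layout, captures the cell coordinates a click logger would see, and shows that only the side holding the session layout can decode them. The grid-cell model of click coordinates, the 50% swap probability, the 0 to 2 cell spacing and the seed value are assumptions made for the illustration.

```python
import random

QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def randomised_layout(rng, rows=QWERTY_ROWS, max_gap=2):
    """Build one session's layout: swap vertically adjacent keys at random, each key
    moving at most one row, then insert 0..max_gap empty cells before every key.
    Cells are single characters or None (a spacer)."""
    grid = [list(r) for r in rows]
    moved = set()
    for upper in range(len(grid) - 1):
        lower = upper + 1
        for col in range(min(len(grid[upper]), len(grid[lower]))):
            a, b = grid[upper][col], grid[lower][col]
            if a in moved or b in moved:
                continue  # keep each key within one row of its home position
            if rng.random() < 0.5:  # assumed swap probability
                grid[upper][col], grid[lower][col] = b, a
                moved.update((a, b))
    layout = []
    for row in grid:
        cells = []
        for key in row:
            cells.extend([None] * rng.randint(0, max_gap))  # random spacing
            cells.append(key)
        layout.append(cells)
    return layout


def key_positions(layout):
    """key -> (row, col); the server keeps this per session, the client only draws it."""
    return {key: (r, c) for r, row in enumerate(layout) for c, key in enumerate(row) if key}


def clicks_for(layout, text):
    """What a click logger captures: cell coordinates, not characters."""
    pos = key_positions(layout)
    return [pos[ch] for ch in text]


def decode(layout, clicks):
    """Map captured coordinates back to characters under a given layout."""
    out = []
    for r, c in clicks:
        row = layout[r] if r < len(layout) else []
        out.append(row[c] if c < len(row) and row[c] else "?")
    return "".join(out)


def row_of(key, rows=QWERTY_ROWS):
    """Home row index of a key in the unmodified layout."""
    return next(i for i, r in enumerate(rows) if key in r)


def demo(seed=7, secret="secret"):
    session = randomised_layout(random.Random(seed))   # constructed seed
    captured = clicks_for(session, secret)
    legitimate = decode(session, captured)                       # server has the layout
    attacker = decode([list(r) for r in QWERTY_ROWS], captured)  # logger assumes QWERTY
    return legitimate, attacker


if __name__ == "__main__":
    print(demo())
```

The caveat is the one the article itself raises: the layout must be generated server-side per session and the mapping never exposed to the client in a form the logger can read, and a logger that also takes screenshots at each click (the record-screen capability in Table 1) still recovers the input, which is why the authors pair the keyboard with traffic scanning and user awareness rather than offering it alone.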