With the United States of America making good progress on minimum Internet-of-Things security, we hoped the European Union was willing to listen to our ideas to fast track existing EU plans and programs. On Monday the 6th of November, we were very pleased to get the opportunity to speak to a Member of the European Parliament, who understands the issues of digitalisation in general, and cybersecurity in particular.
With Thanksgiving, a lot of smart products have found their way from vendor to consumer. Most people buying smart products do understand that these products are ‘connected’. Most buyers assume those smart products are tested and safe to use. But there is a huge problem with smart technology: the technology is evolving faster than the legislation protecting people using those smart devices. There is no legislation to force vendors to test and certify that their smart devices are really safe to use.
Not every smart device is called smart (like your smartphone or smart-TV). The top 5 smart product categories are according to a Mozilla survey:
- Smartphones (malicious Apps spy on you/steal passwords)
- Smart-TV’s (auto-sleep camera can be used to spy on you)
- Activity trackers (smart-watch reveals location)
- Home safety (smart-locks and camera’s used by burglars)
- Smart energy (low energy usage reveals you are on holiday)
In our August blog we already mentioned some facts about Android App fraud (a 300 million dollar business). To proof we are talking about real products and real security issues, let’s just list November’s disclosures of smart consumer products with unsafe security.
At AV-Comparatives we follow around 50 security related news sources for the selection of the malware of the month. Often the blog post headers of the news feeds show a variety of security issues and news items addressed. To Determine which malware(s) got substantial media attention normally requires further reading of the blog posts. This month it was an easy choice. Bad Rabbit and the Wifi-Krack dominated the media.
To illustrate how unanimous the (security) media were, we summarized the blog posts of the antivirus solutions participating in our Real-World Protection Tests.
|Company||Bad rabbit ransomware||Wifi Krack vulnerability|
|Avast||Its rabbit season||Securing Wifi networks|
|AVIRA||Bad rabbit ransomware||WPA2 Wifi Krack|
|Bitdefender||Ransomware strikes again||Wifi networks at risk|
|BullGuard||Bad rabbit on the prowl||Wifi flaw exposed|
|eScan||Another ransomware||Krack attack|
|ESET||Not Petya back as rabbit||Serious Wifi issue
Most routers vulnerable
|F-Secure||Following the bad rabbit
Big difference with Petya
|Fortinet||Tracking the bad rabbit||WPA has been broken|
|Kaspersky Lab||Bad rabbit ransomware||Krack attack|
|McAfee||Rabbit burrows Ukraine||Krack not the end of world|
|Panda||Not Petya bad rabbit||Krack public Wifi|
|Seqrite/Quick Heal||Bad Rabbit outbreak
Ransomware stay safe
|Symantec/Norton||New strain ransomware||What you need to know|
|Trend Micro||Protect yourself against rabbit||WPA exposed by krack|
Above table reflects the media attention of this month. Bad rabbit got a little more attention than the Wifi Krack. The Bad rabbit outbreak proofs that ransomware remains a nuisance and threat in 2017. When you are a victim of ransomware check the website of your favourite antivirus. Many vendors provide additional malware removal tools for free.
A complete list of free additional ransomware removal tools, can be found on www.nomoreransom.org. “No More Ransom” is an excellent initiative of the Dutch police and Europol’s Cybercrime Centre together with McAfee and Kaspersky. Many cybersecurity companies have joined this collective: Avast, Barracuda, Bitdefender, CheckPoint, CrowdStrike, ElevenPaths, Emsisoft, ESET, Fortinet, G DATA, Heimdal and Trend Micro.
With ransomware continuously threatening home and business users, you might get depressed. To counter Seasonal Affective Disorder (SAD) we advise you to read Emsisoft’s “The 10 most ridiculous ransomware we have ever seen”. This will certainly put a smile on your face :).
On Tuesday the 17th October, Microsoft started to rollout the ‘Fall Creators Update’ of Windows 10. This second major update in 2017 has some interesting new security features. Microsoft was so generous to give Windows 10 Home users also the added protection of the new Exploit Guard and Controlled folder access. The only catch is that they are built into Windows Defender.
Before commenting on the go-to-market strategy of Microsoft, lets first unwrap this present. The Exploit Guard is re-incarnation of Microsoft’s EMET which could be optionally installed as extra exploit mitigation. The new feature is enabled by default. So, average users now benefit of this extra exploit protection feature while power uses still have the option to add programs and extra protections.
To access the Exploit Guard, open Windows Defender Security Center, click on the ‘App and browser control’ icon, scroll downward and you find the settings link of the Exploit Guard. Before we tell something about tweaking this exploit protection: we first have to explicitly mention our disclaimer: don’t try this at home. A new feature which we found interesting is the option to block start of child programs by the program monitored by Exploit Guard.
The other interesting new feature ‘Controlled folder access’ is off by default. Microsoft probably wants to collect more telemetry data, before they enable it. This new feature is developed to help protect Windows 10 users against ransomware. You can enable this new feature by opening the Windows Defender Security Center, click on the Virus and threat protection icon and look for the click on the Virus and threat protection settings. Scroll down until you see the ‘Controlled folder access’ and enable it.
By default, the standard user folders like Documents, Pictures, and Movies are protected against ransomware attacks. Most power users have their data on separate partitions, so for this protection to be effective these folders have to be added to the ‘Controlled folder access’. Don’t try this at home when you are not a power user with sufficient knowledge about security.
Advanced features like exploit and ransomware protection are often part of the paid version of antivirus products. By offering this as part of the free Windows Defender, it will be interesting to see how other antivirus software vendors will react on these new features. In the past free antivirus products have pushed innovation of their paid siblings.
The DerbyCon security conference reminded us of an important AV-Comparatives advantage. In his keynote speech John Strand stated that “researchers are terrified that they are going to get sued”. At AV-Comparatives we have some experience with security firms threatening to go to court to prevent publish our (independent) test report. One vendor for example tried to prevent us publishing our Next Gen endpoint protection test results by publicly announcing to sue one of our partners.
Maybe other researchers are terrified, but at AV-Comparatives we take these threats with a big spoon of salt, because we have the advantage of being protected by Austrian Law. So terrified is somewhat exaggerated after the lost lawsuit against NSS Labs and the Consumer Review Fairness Act. Some ‘review bullies’ apply a new tactic to control and ban product reviews.
Some security software vendors now claim the publishing rights of product tests in their EULA’s. Publishing those test without their consent, deems the content “unlawful”. This content could be removed under the Digital Millennium Copyright Act (DMCA). Instead of going to court, they can use copyrights protection tools to remove the content. We have not seen vendors using this tactic yet, but the Electronic Frontier Foundation (EFF) fears this might be a loophole in US law.
This possible loophole in US-law brings us back to our advantage: we are an Austrian based company. In Europe consumer interest is generally better protected than in the US. Austria has one of the best consumer protection legislation within Europe.
As long as we serve the interest of the consumers we can test products and publish reports, no matter what the EULA states. It is our mission to check whether security software, lives up to its promises. Consumers have the right to get unbiased results from professional testing laboratories. As long as we exist we will be publishing these tests.
The theme of the DerbyCon security conference was heritage. AV-Comparatives has been testing and evaluating security software for years. Independent security software testing is our heritage. As long as there is malware, we will be testing security software and will be publishing the results. We won’t let vendors get away with bad testing results by threatening with law suits or court action. AV-Comparatives Antivirus product testing is our heritage and our future.
Did you watch the Apple event? The first ever announcement in the Steve Jobs Theater showed that they miss Steve Jobs. I remember Steve Jobs introducing the NeXTcube. That was a jaw dropping event. The NeXTcube had display depth while the rest of the world used monochrome. It marked the birth of the dock. Combining an application launcher, desktop explorer, and task manager into one single application. So simple straightforward, yet so brilliant and beautiful.
The unforgettable NeXTcube introduction was literary art for geeks. The cube played a duet with a violinist from the San Francisco Symphony. A feat in the mid-eighties, but a near miracle when combining it with other complex tasks. Like navigating through Shakespeare’s plays and sending and receiving emails.
Compare this with the embarrassing demo fail of Face ID and the lengthy introduction of the new Apple Head Quarter. Since when are bricks more interesting than clicks? I bought a Volvo because it has many active security features. Not because the Swedes who build the Volvo, open a new head office. This comparison brings me back on topic: security.
The new iPhones have two interesting new security features. Facial recognition (FaceID) replaces fingerprint recognition (TouchID) on flagship smartphones. Enough has been said about the FaceID not recognizing Craig Federighi. Another less discussed feature is the improved SOS-call feature. It is triggered by repeatedly (5 times) pressing the power button. A preset personal or national (e.g. 911) alarm number will be called. Also, TouchID and/or FaceID will be disabled, so anyone knowing the passcode can use the phone in case of emergency.
Apple’s iOS is based on the NeXTstep operating system. Together with Apple’s closed shop, still gives iOS a security edge. iOS by itself is probably safer than Linux, Android and Windows. Android and Windows are making up ground and have the advantage of third party security. When the OS itself becomes safer, third party software has to innovate to keep their added value. The hype on using Artificial Intelligence is an example of this innovation push.
Luckily for Mac users many of those vendors also offer antivirus solutions for Apple devices. Read our report on Mac security software. Unluckily for Apple, the footsteps of Steve Jobs are huge and very hard to fill in. At AV-Comparatives we have not forgotten this inspiring innovator.
On August the 21st people in the USA could witness a total solar eclipse. People from Oregon to South Carolina could see the moon totally covering the sun. A total eclipse is a unique event. The last total eclipse of the sun happened 38 years ago and the next one will be in 2024. Google smartly used this event to introduce the next Android OS version. Version 8 is named Oreo, a popular chocolate cookie filled with butter milk cream.
Google modestly markets their new Android operating system as an “open wonder” and promises us that Android 8 will be “safer, smarter and sweeter”. The new Android OS has many interesting features and security improvements. Truth needs to be told that August also marked another record: over 1800 apps were found in Google Play and blacklisted.
Forbes reported on 10th of August that a developer managed to “spawn 1000 Android Spyware Apps”. Some of these apps were not detected by Google’s automated Google Play app analysis. Two weeks later Fortune posted that “Google Kicks 500 Apps Off Online Store Over Spyware Concerns”. All these apps used a software module that helps companies to target people with ads based on people’s preferences. In the last week of August CSO Online published that “experts from Akamai, Cloudflare, Flashpoint, Google, Oracle (Dyn), RiskIQ, Team Cymru united” to take down the WireX botnet and “removed another 300 apps from the Play Store” according to Techspot.
According to Bitdefender “App install fraud is a 300 million business”. This high profit potential explains why the mobile market will keep on attracting malware. eScan even calls it an “alarming rise of mobile security threats”. This rise will also impact corporate users, since employees are allowed to bring their own (mobile) devices to work. With this in mind we applaud the ongoing efforts of Google to improve the security of the Android ecosystem. The three most important security improvements on Android device and Google server side ecosystem are:
- No more install from unknown sources
- Improved Google Play protect
- Android instant apps
At AV-Comparatives we will keep testing mobile security software against real world mobile malware. Read our 2017 mobile security review, when you consider adding Antivirus on your Mobile phone.
In 2007 Google promised to change the world with Android and the Open Handset Alliance: “A new computing environment that will change the way people access and share information in the future. The Android platform will be available under one of the most progressive, developer-friendly open-source licenses to bring to market new innovative products faster and at a much lower cost.”
A decade after the announcement we did some fact checking to see whether Google lives up the promises made in the original press release?
The price of the average Android phone has dropped 50 percent in the last 10 years. This graph also shows that the price of Apple phones has remained the same. Android flagship phones usually have the same price as flagship iPhones. The price promise is true for the average phone, but the price for flagship phones remained the same. The price promise is half true!
Open source is often mentioned in one sentence with free. Google earns money with advertisements in browsers. Smartphone’s with browsers would double Google’s earning potential. So many people expected Android to be completely free. Android is free, but the Google services running on it are not free. Manufacturers have to pay to install Gmail, Google Maps and the Google Play Store. Again the verdict is half true.
Android is build on Linux. Linux-based systems (like Apple’s iOS) claim they are a lot safer than Windows. When counting platform vulnerabilities this might be true, but how does this relate to real-world usage?
In March 2017 Google published its ‘Android Security 2016 Year In Review’ report. This report reveals interesting facts about Google’s efforts to improve security. According to Google, less than 0.71 percent of two billion Android devices had Potentially Harmful Applications installed. Google qualified these numbers as small.
Are these numbers really small? How does this 0.71 percent compares to the Windows platform? Every month most Windows PC’s are checked with the Malicious Software Removal Tool. These metrics are reported in Microsoft’s Security Intelligence Report. The Computers Cleaned per Mille (1000 PC’s) worldwide average was 0.88 percent in 2016.
So yes, Android is safer, but not as much people tend to believe. According to FBI data the risk of being victim of a violent crime in the US is only half of this risk. So again, we value this promise as half true. Read our ‘2017 Mobile Security Report‘, when you consider adding Antivirus on your Android device.