Last talk of #enigma2021 by Marcus Botacin: "DOES YOUR THREAT MODEL CONSIDER COUNTRY AND CULTURE? A CASE STUDY OF BRAZILIAN INTERNET BANKING SECURITY TO SHOW THAT IT SHOULD!"
The outcomes I get from my analysis of malware I find in Brazil were quite different than what I saw in analysis of malware from other researchers. Why? Because the malware attacks were different!
The Brazilian banking system:
* let's move banking to computers (80s) to keep up with hyperinflation
* desktop clients for users... and the attackers migrated from physical to fake desktop app attacks -- that would only work in Brazil because that's where the banking was
* these attacks weren't found by global malware detection at the time
* was "just" phishing, not anything that was detected as an attack
Then decades later we still have the same attacks, but in SMS
Boletos case: payment instrument only in Brazil
* the banks were computerized but the people were not
* needed some way to mediate between the two
Offline people are safe, right? No!
Attackers made fake boletos
The fake boletos made it so you paid the attacker, not the people you intended.
Does your threat model include offline people? It should!
Let's move banking to the web! So many kinds of malware!
Why are attackers shifting between file formats so quickly?
The banks are reacting to all this malware by requiring everyone to install a secure login plugin which searches your computer for malware. [whoa.]
... these secure login plugins were written in Java, so the attackers knew they could use Java, so they shifted attacks into Java
You can see particular attackers moving between technologies as the banks shift [diagram]
So need to shift the incentives for the password-stealing attacks that these folks are engaging in
Let's shift banking to mobile! All the security promises will become true, right? No.
Lots of restrictions e.g. economic constraints, most folks only got access to computers recently with mobile devices
The case of WhatsApp
* Data is *very* expensive in Brazil, so WhatsApp is very popular (people get plans with unlimited WhatsApp)
* Banks have chatbots in WhatsApp
* Attackers: ok, let's attack WhatsApp directly!
* By outsourcing your app, you're outsourcing your security
* Attacker uses accessibility services to install a fake keyboard and bank can't disable it
Does your threat model consider WhatsApp and bank operations over WhatsApp? Users with limited data plans? It should!
Implications:
* Brazilian malware samples behave very differently than US and Japanese samples
* Stop writing malware reports that don't clearly state which countries are covered
* Detection rates are only true if you look at a "balanced" dataset. But people live in the real world and their malware is specific to where they live
* So malware detection rates can be terrible for some people and not reflected in those rates
* It's really bad for Brazil
What happens when you train an ML model on a sample which includes Brazilian malware? It breaks
* Need to update frequently and specifically
Recommendations:
* Develop threat models which consider regional and socio-cultural issues
* Incentivize localized and focused research work with specific datasets
* Promote local security teams
* Share local information with the world
[end of talk]
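As an added illustration of the "balanced dataset" point above (this is not code from the talk or the thread, and the sample records are constructed), a small Python check that computes the aggregate detection rate next to per-region rates, plus the rate a user actually experiences given the regional mix of malware they are exposed to:

```python
from __future__ import annotations
from collections import defaultdict

# Constructed records: (region the sample was collected in, family label, detected?).
# These values are made up to show the effect; they are not the talk's measurements.
SAMPLES = [
    ("US", "global_family_a", True), ("US", "global_family_a", True),
    ("US", "global_family_b", True), ("US", "global_family_b", True),
    ("US", "global_family_c", True), ("US", "global_family_c", False),
    ("JP", "global_family_a", True), ("JP", "global_family_a", True),
    ("JP", "global_family_d", True), ("JP", "global_family_d", True),
    ("JP", "global_family_d", True), ("JP", "global_family_a", False),
    ("BR", "fake_boleto", False), ("BR", "java_plugin_abuse", False),
    ("BR", "accessibility_fake_keyboard", True), ("BR", "fake_boleto", False),
]


def detection_rate(samples: list[tuple[str, str, bool]]) -> float:
    """Fraction of samples the engine flagged; this is the number reports usually quote."""
    if not samples:
        return 0.0
    return sum(1 for _, _, detected in samples if detected) / len(samples)


def per_region_rates(samples: list[tuple[str, str, bool]]) -> dict[str, float]:
    """Stratify by collection region so a regional collapse is visible."""
    by_region: dict[str, list] = defaultdict(list)
    for sample in samples:
        by_region[sample[0]].append(sample)
    return {region: detection_rate(group) for region, group in by_region.items()}


def region_coverage(samples: list[tuple[str, str, bool]]) -> dict[str, int]:
    """Sample count per region, so a report can state which countries it covers."""
    counts: dict[str, int] = defaultdict(int)
    for region, _, _ in samples:
        counts[region] += 1
    return dict(counts)


def user_experienced_rate(samples: list[tuple[str, str, bool]],
                          exposure: dict[str, float]) -> float:
    """Weight regional rates by the mix of malware a user in a given place actually meets.
    `exposure` maps region -> share of that user's exposure (shares sum to 1)."""
    rates = per_region_rates(samples)
    return sum(share * rates.get(region, 0.0) for region, share in exposure.items())


if __name__ == "__main__":
    print("aggregate:", round(detection_rate(SAMPLES), 3))
    print("per region:", {r: round(v, 3) for r, v in per_region_rates(SAMPLES).items()})
    print("coverage:", region_coverage(SAMPLES))
    print("Brazilian user sees:", round(user_experienced_rate(SAMPLES, {"BR": 0.9, "US": 0.1}), 3))
```

The aggregate number looks acceptable while the Brazil stratum is mostly missed; the exposure-weighted rate is the one a Brazilian user would actually live with.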
Content note: this talk is about online abuse as some of the content may be upsetting
Got pulled into this after a screenshot of a class assignment sending folks to post on 4chan to post about race/gender/etc issues got posted on 4chan without the email address... so the 4chan folks thought it was @gianluca_string. It wasn't, but they doxxed and harassed anyway
Kicking off the last session of #enigma2021, @katestarbird is speaking about an extremely pressing topic: "ONLINE RUMORS, MISINFORMATION AND DISINFORMATION: THE PERFECT STORM OF COVID-19 AND ELECTION2020"
This talk is going to go through the experience pushing the boundaries on sandboxing in the Chrome browser
What is sandboxing?
* breaking something into lower/higher privileged process
* necessary for browsers, OSes, VMs etc.
Chromium uses it to reduce the amount of privilege of the application, and also to reduce the amount of privilege for code that touches websites (renderer)
* split different websites into different processes
* good defense against logic bugs (e.g. same-origin policy)
Next up at #enigma2021, Alex Gaynor from @LazyFishBarrel (satirical security company) will be talking about "QUANTIFYING MEMORY UNSAFETY AND REACTIONS TO IT"
Look for places where there are a lot of security issues being handled one-off rather than fixing the underlying issue
We tried to fix credential phishing mostly by telling people to be smarter, rather than fixing the root cause: people being able to use phished credentials.
Zoom launched end-to-end encryption 5 months after the white paper was published
* prevents eavesdroppers between users who are speaking to each other
* protection against compromised servers