- Details
- Category: Security News
As the FBI investigates a series of breaches targeting the Democratic National Committee, the law enforcement agency will employ vast resources unavailable to other organizations, including those that have identified Russians as the perpetrators behind the cyberattacks, says a former FBI anti-cybercrime leader.
"That's because the FBI partners with the rest of the U.S. intelligence community and the intelligence community of all our allied nations," says Leo Taddeo, a former FBI special agent in charge of the bureau's New York cybercrime division. "We have an extraordinary ability to collect signals intelligence around the world."
In June, the Democratic National Committee said two Russian-based groups with possible ties to the country's intelligence agencies were believed to be responsible for high-profile hacks, a surprising revelation in the midst of a heated election campaign (see Leaked DNC Emails Show Lax Cybersecurity).
Just days after the DNC's announcement, a hacker going by the name Guccifer 2.0 leaked sensitive DNC documents and claimed to be the sole intruder into the organization's networks. He then claimed to have passed more than 19,000 emails to WikiLeaks, which released the emails just ahead of the Democratic National Convention, throwing the party into turmoil.
Definitely Attributing Attack to Russians
The FBI is investigating the compromise of the DNC and related party organizations. The big question is whether the FBI will be able to definitively attribute the various hacks to Russia. A positive confirmation could have a deep impact on U.S.-Russia relations and set a new bar for an act of cyber espionage.
While at least four cybersecurity companies have said it appears the DNC hacks came from two known and suspected Russian cyberattackers, nothing is definitive. But Taddeo says the FBI has access to resources that private companies do not, which may enable it to attribute the hack attacks.
Of course, private companies generate and have access to exceptional amounts of intelligence relating to cyberattacks. In fact, Taddeo says, it's the only crime-related realm in which private security companies produce data that's on par, quality-wise, with that generated by law enforcement agencies.
In this audio interview, Taddeo discusses:
- Why groundbreaking data breaches similar to the DNC hack will likely continue;
- Why the FBI may have more success than private companies in definitively attributing cyberattacks; and
- How the FBI will investigate the DNC hacks.

Taddeo is chief security officer at Cryptzone, which is a network security and protection vendor. He served as an FBI special agent from 1995 through 2015, ending his career as head of New York's cyber/special operations division, overseeing 400 agents.
- Category: Security News
Attacks waged against payments run through the SWIFT interbank messaging system - including the $81 million heist from the Bank of Bangladesh - have raised many questions about back-end security practices, fraudulent transaction liability and authentication. What is less discussed, however, is who is behind the attacks, and whether they could be linked to other cyberattacks against international banking systems beyond SWIFT.
Colin McKinty, vice president of cybersecurity strategy for the Americas at security firm BAE Systems, which was hired by SWIFT to help shore up security, says BAE now believes that the malware used in the SWIFT attacks is not unique. In this interview with Information Security Media Group, McKinty says the malicious code used against Bangladesh Bank shares many similarities to code used in the 2014 attack against Sony Pictures, which the U.S. government attributes to North Korea, as well as code used in an attack waged in December 2015 against an unnamed commercial bank in Vietnam.
"We came across a very interesting piece of malware and one of our researchers, during their analysis, recognized that this malware is likely to have been used in the attack against the Bangladesh Bank," McKinty says. "That's where we got engaged with SWIFT. We were able to provide them some insight, with regard to what had happened at the Bangladesh Bank."
And from there, the tale of the malware got more interesting, he adds.
While attributing any of these attacks to a single entity or group is challenging, McKinty says the code used in the Bangladesh attack is not widely available in the underground. As a result, BAE believes that the code used in the SWIFT-related attacks is a variant of the same code used in the attacks against Sony Pictures and the bank in Vietnam, he says.
"We have a large global team that is out there doing research and looking at malware," McKinty says. "We couldn't find that malware anywhere else."
During this interview, McKinty also discusses:
- How BAE, along with security and threat-intelligence firm Fox-IT, is helping SWIFT users enhance information sharing;
- Why global threat intelligence is becoming increasingly critical; and
- Emerging attacks impacting banks and other sectors.

In addition to being its vice president of cybersecurity, McKinty has held various roles at BAE in both the U.S. and U.K. In 2007 he took the helm of BAE Systems Applied Intelligence's federal business, which led to a new role: cyber lead for the Americas. Since 2013, McKinty has been the driving force behind BAE Applied Intelligence's break into the security market in the Americas.
- Category: Security News
A report on FBI Director James Comey seeking to reopen the debate over creating for law enforcement a bypass to encryption on mobile devices is among the stories featured in the latest ISMG Security Report.
The Security Report opens with a segment featuring DataBreachToday Executive Editor Mathew J. Schwartz, who explains how four security flaws pose a risk to nearly 900 million Android mobile devices.
In this report, you'll also hear:
- ISMG Managing Editor for Security and Technology Jeremy Kirk on how a group of churchgoing family men are driving business email compromise scams; and
- Why U.S. Marshals will auction off $1.6 million worth of bitcoins.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Aug. 2 and Aug. 5 reports, which respectively analyze why IT security practitioners act more like "witch doctors" than scientists and whether the United States electoral system should be designated as critical infrastructure. The next ISMG Security Report will be posted Friday, Aug. 12.
Theme music for the ISMG Security Report by Ithaca Audio under the Creative Commons license.
- Category: Security News
Anti-Malware, Cybersecurity, Technology
London Police Busted For Windows XP Possession
Pity the Poor Plod Stuck with Microsoft's Finest, Circa 2001
Pity the poor plod - that's Brit-slang for a beat cop - who's stuck using Windows XP.
But also spare a thought for anyone who's relying on London's Metropolitan Police Service to keep their personal details secure, in the wake of warnings that the Met is still using 27,000 PCs that run the outdated operating system.
It's not clear where having to use Windows XP fits into that old policing cliché - that police work is 99 percent irritation and boredom and 1 percent sheer terror. But what is clear is that the outdated XP operating system, which debuted in 2001 and which Microsoft stopped supporting in 2014, is no longer - as the Brits would say - "fit for purpose."
"The Met should have stopped using Windows XP in 2014 when extended support ended, and to hear that 27,000 computers are still using it is worrying," says London Assembly Member Andrew Boff, Conservative, in a statement. Boff is one of 25 elected London Assembly Members who are responsible for holding the London mayor to account. Some of those members also participate in the Metropolitan Police Authority, which oversees the Met. The police service is responsible for policing greater London, with the exception of the city's financial district.
"My major concern is the security of Londoners' information on this dangerously out-of-date system, but I would also like to know how much money the Met have wasted on bespoke security updates," Boff says.
Met spokeswoman Chioma Dijeh tells me that the migration plan has been complicated by older software on which the police force continues to rely. "The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment - including its desktop computers. However, the upgrade program is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely," she says. "Replacements or remediation for this software, which are compatible with a more modern operating system, have to be ready before the rollout is completed to ensure continued operational effectiveness."
Continued XP Use Costs
Since Microsoft pulled the plug on XP support, some organizations have been paying for pricey extended support contracts. That included the U.K. government, which reportedly paid £5.5 million ($7.2 million) for a one-year support contract. But the U.K. government in April 2015 said it chose to not renew the contract, even though some government departments were still running PCs with Windows XP.
"All departments have had seven years warning of the 2014 end of normal support and this one year agreement was put together with the support of technology leaders to give everyone a chance to get off XP," the government's technology team said in a blog post.
The Met, meanwhile, "has an extended support agreement running until April 2017 with Microsoft for all XP components," Dijeh says. "This has cost £1.65 million ($2.15 million) and means we have no security concerns as a result of our continued use of XP."
The Met didn't respond to my question about whether budgetary concerns had slowed its move away from XP.
Extended Patching is No Panacea
Despite the "no security concerns" claim, however, there's one very good reason to use a more modern Windows operating system: it's safer. Microsoft continues to add new security controls that make it harder for attackers to exploit and take control of Windows devices.
By contrast, paying for security patches isn't a foolproof way to keep Windows XP systems secure. For starters, Microsoft has stopped supporting older versions of Internet Explorer, and ceased issuing updates and signatures for XP's built-in anti-virus tool, Security Essentials. Although alternatives are available, many users no doubt continue to use those tools, including IE6, on which some older applications rely.
What's also worrying is the flurry of critical flaws that continue to be found in all versions of Windows operating systems - including XP - that attackers can exploit to gain full control of a system. Some of these flaws have been mitigated, via patches, in new versions of Windows. But the U.S. Computer Emergency Response Team has warned that other flaws - for example, affecting Windows XP, 2000, and 2003 - simply cannot be mitigated.
Met: First Outed in 2015
The Met's continuing XP reliance was first revealed last year by tech site Motherboard, which found via a Freedom of Information Act request that the police force was still using 35,640 PCs running Windows XP.
Motherboard asked for a detailed breakdown of which departments still used the outdated operating system, but the Met said it couldn't provide such an answer. "This is because many systems are shared and do not necessarily belong to an individual. MPS colleagues are able to hot desk between buildings. Therefore this information you seek is not held," read the response it received.
Move to Windows 8.1 Questioned
Since then, the Met says it has migrated 8,000 of the PCs running XP to a newer version and plans to update another 6,000 by next month, leaving 21,000 XP systems outstanding. "Further plans are being developed to address the remaining XP desktops including reducing the overall number used by the organization, replacing with laptops, tablets and disposing of equipment that cannot support Windows 8.1 and beyond," Dijeh says.
But Assembly Member Boff has also criticized the police force for only moving to Windows 8.1, which Microsoft will stop supporting - except for organizations that pony up for pricey extended-support contracts - in January 2018.
"I also question the choice to upgrade to Windows 8.1; this is neither the newest version of Windows nor the most used version of the software," he says. "Staff are likely to be more familiar with Windows 10, but most importantly it will be supported further into the future."
The Met, however, says that its only option was a move to Windows 8.1. "Upgrading our legacy systems to Windows 8.1 was the only approach recommended by Microsoft, as there was no direct upgrade path to Windows 10," Dijeh says. "Once completed it will be more straightforward to make the next upgrade to Windows 10 as they share a common kernel - we are starting to work with Microsoft on the upgrade to Windows 10."
If the Met continues at its current migration pace, however, it will have only just finished migrating from Windows XP to Windows 8.1 by January 2018. At that point, this whole extended-Windows-support rigmarole may begin again.
- Category: Security News
Application Security, Mobility, Technology
How to Win Pokémon Go (By Cheating)
What RASP Can Do For Your App
The hottest game in the market today is the new release Pokémon Go, developed by Niantic. The game forces you to go outside and interact with the real world (in a safe manner, hopefully). As you walk around, Pokémon appear and allow you to toss Pokéballs at them in an attempt to catch them all. The more you walk, the more you can attempt to catch and the stronger your Pokémon become. The key mechanic in the game is the use of GPS to track your movement, combined with mobile data points.
Only 3 days after the release, reports of hacks started to roll in. This is common for the gaming industry. In the world of PC games, the most popular games usually are hacked the same day they release. In the mobile world, there is a false sense of security. The PC platform has been around for years, and developers and consumers are well aware of all the attacks out there. On the mobile platform, people still are not fully aware of what attackers can do, but they are learning quickly.
On a mobile platform, the most damaging attack is jailbreaking or rooting. This is the holy grail of attacking a mobile phone. Once the attacker has this level of access, they control your device. This means that they can view any application's secret inner workings and have access to all your encrypted data. It also means they can modify how any application works and perform hacks that are even more nefarious.
With Pokémon Go, the attackers did just that: they jailbroke their phones and analyzed the Pokémon Go application. If the key mechanism is to use GPS to track your location, then this is the first thing the attackers were aiming for. The attackers built a special library that injected itself into the Pokémon Go app and manipulated the GPS data that the app tracked. This allowed the hacker (now cheater) to appear to be in places they never were and to walk to areas they had never been.
The developers at Niantic tried to remediate this problem. They patched their code and added checks for jailbreak detection. Unfortunately, the damage had already occurred, and the hackers were able to quickly apply their own patches that disabled the application's jailbreak detection.
When it comes to jailbreak and root detection, it is always better to start early and not share what you are doing. In the case of Pokémon Go, it was obvious that the application now included a jailbreak detection mechanism, because the spoofed data the cheaters had been feeding it stopped being accepted. In most applications, it is better to use Runtime Application Self Protection (RASP) that checks for jailbreaking and rooting every time the application launches or becomes the foreground application on the phone. When a RASP check finds something, it is best to simply exit the application gracefully and not let on to the hacker that anything was detected.
Even if jailbreak and root detection is compromised, and the attacker is able to patch the application, RASP can offer further technologies to help prevent the types of attacks that Pokémon Go experienced. The next attack used on the Pokémon Go application was a library injection attack, in which the hacker was able to replace the GPS library with their own. By leveraging a RASP solution, the application will be able to detect these rogue libraries and prevent them from being loaded.
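As an added example (not code from this article, from Niantic, or from VASCO's product), the following Python sketches the two RASP behaviours described in the preceding two paragraphs for an Android-style process: it parses the process's own /proc/self/maps listing, flags any shared object loaded from outside an allowlist of expected directories, and turns that into a silent exit decision meant to be re-run at launch and on every return to the foreground. The package path com.example.game-1, the allowlist and the maps lines are constructed for the example; on iOS the same allowlist comparison would be run over the dyld image list instead of a maps file.

```python
"""Added example (not Niantic's, VASCO's or any RASP vendor's code): a
RASP-style check for injected native libraries, modelled on the
/proc/self/maps file an Android process can read about itself.  The app
package name, library paths and the sample maps lines are all constructed."""
import re
from typing import Callable, Iterable, List

# Directories this hypothetical app expects its native code to come from.
# Any other mapped .so is treated as an injected library.
EXPECTED_LIB_PREFIXES = (
    "/system/lib/",
    "/system/lib64/",
    "/vendor/lib/",
    "/vendor/lib64/",
    "/apex/",
    "/data/app/com.example.game-1/lib/",  # assumed install path of the app
)

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+[0-9a-f]+\s+"
    r"[0-9a-f]{2,3}:[0-9a-f]{2,3}\s+\d+\s*(?P<path>.*)$"
)


def loaded_libraries(maps_lines: Iterable[str]) -> List[str]:
    """Distinct file-backed shared objects mapped into the process, in order seen."""
    seen: List[str] = []
    for line in maps_lines:
        m = _MAPS_LINE.match(line.strip())
        if m is None:
            continue
        path = m.group("path").strip()
        # Skip anonymous mappings ([anon:...], [stack], ...) and non-library files.
        if not path or path.startswith("[") or not path.endswith(".so"):
            continue
        if path not in seen:
            seen.append(path)
    return seen


def unexpected_libraries(maps_lines: Iterable[str]) -> List[str]:
    """Libraries loaded from outside the allowlisted directories."""
    return [p for p in loaded_libraries(maps_lines)
            if not p.startswith(EXPECTED_LIB_PREFIXES)]


def runtime_check(read_maps: Callable[[], List[str]]) -> str:
    """Run at launch and whenever the app returns to the foreground.

    Returns "exit" when an injected library is present.  The caller should
    terminate quietly rather than show an error, so that whoever tampered
    with the device learns nothing about what was detected."""
    return "exit" if unexpected_libraries(read_maps()) else "continue"


# Constructed sample: a clean process, and the same process with a
# GPS-spoofing library injected from a writable directory.
CLEAN_MAPS = [
    "7f0a000000-7f0a100000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so",
    "7f0a200000-7f0a300000 r--p 00100000 fd:00 1234   /system/lib64/libc.so",
    "7f0b000000-7f0b050000 r-xp 00000000 fd:01 5678   /data/app/com.example.game-1/lib/arm64/libgame.so",
    "7f0d000000-7f0d020000 rw-p 00000000 00:00 0      [anon:libc_malloc]",
    "7f0e000000-7f0e001000 rw-p 00000000 00:00 0",
]
INJECTED_MAPS = CLEAN_MAPS + [
    "7f0c000000-7f0c010000 r-xp 00000000 fd:01 9999   /data/local/tmp/libfakegps.so",
]

if __name__ == "__main__":
    print(unexpected_libraries(INJECTED_MAPS))  # ['/data/local/tmp/libfakegps.so']
    print(runtime_check(lambda: CLEAN_MAPS))     # continue
    print(runtime_check(lambda: INJECTED_MAPS))  # exit
```

In a real app the `read_maps` callable would open `/proc/self/maps`, and the check would be wired to the launch and foreground lifecycle callbacks the article recommends. The allowlist is the weak point of this design: it has to be kept in sync with where the platform actually loads system libraries from, or the check will either miss injected code or terminate the app on legitimate devices, which is why production RASP products layer other signals (code signing, integrity hashes of the app's own libraries) on top of a path check like this one.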
No solution is ever failsafe and no platform is ever free from attack. Every day new attacks are being rolled out, and every day a new solution is being developed. Technology like RASP will help the new mobile application ecosystem protect itself and make things easier in the life of an application developer.
Will LaSala is a Director of Services at VASCO, and a security industry veteran with a passion for gaming and ethical hacking.
For more information on Mobile Application Security solutions including RASP, visit https://www.vasco.com/products/application-security/digipass-for-apps.html.