It’s that time of the year again. October is upon us, so get ready to spread some cybersecurity wisdom around you and, of course, a few candies here and there for the occasional Halloween visitors.

1. The Dark Side of Cybersecurity
It’s that time of the year again. October is upon us, so get ready to spread some cybersecurity wisdom around
you and, of course, a few candies here and there for the occasional Halloween visitors.
Now, as much as we hate to admit it, there are spookier things out there than a 5-year-old poorly disguised
witch ringing at your door. The current state of the cybersecurity landscape leads us to believe that all sorts of
fictional boogeymen are real. Just last week we saw zombie botnets taking over IoT devices by the millions. A
while back, we even wrote about cybersecurity ghouls and how they haunt businesses all over the globe. If we’re
quiet enough, we might even hear how someone, somewhere, is clicking on a suspicious link and opening the
door to the dark side.
There is no end to this cyber-horror show.
And that’s not all. According to the National Institute of Standards and Technology (NIST), Internet users are
experiencing something that can only be expressed as being cyber-fatigue. Is this something we can blame
solely on the users? Or is it a sign that perhaps we should look in the mirror as well and concentrate our efforts
better? Make it so that cybersecurity comes across as a borderless, non-punitive practice? Whereas an event
such as the International Cybersecurity Awareness Month is a great initiative, one month of constantly repeating
‘you are not doing enough’ or ‘you are not protected enough’ is not the way to go. The issue has been
established a long time ago, there’s nothing new to add. What needs to be done now is for cyber-speakers to
all agree on the same policies and solutions. And this is a process that will require work around the clock, not
just for one month.
Seriously now, even Halloween ads last more than that.
All Malwares’ Eve: APTs strike again
All Hallows’ Eve might last just one day, but for malware, it’s an all-year-long holiday. This week only, Kaspersky
announced it detected another advanced persistent threat that, until now, took on your typical APT costume in
order to go trick-or-treating. Dubbed StrongPity, this particular threat managed to stay under the radar by only
going after 0-day vulnerabilities and employing stealthy modular attacks (read our article on Project Sauron).
Later this summer, though, its creators decided it was time for a make-over and started infecting WinRAR and
TrueCrypt versions on websites hosting these free encryption apps.
Note: For the reader’s information, WinRAR is a Windows data compression tool, encrypting files with AES-256
encryption algorithm. TrueCrypt is a full disk encryption tool that has not been updated since 2014, according
to public records. Even so, both tools are still consciously used by users concerned with security and, even more
so, with privacy. Cybercriminals love secrets, after all.
So what did this change of target mean for StrongPity? First of all, it implied a change of battle strategy: what
used to be a waiting game, now became a baiting one. Just like real trick-or-treaters, this APT now basically
comes knocking on your door, by using a technique called the ‘watering hole’. This method where hackers lace
legitimate apps with malware and then launch the booby trap is not at all an unusual thing for an APT. Remember
the Crouching Yeti that infected ICS and SCADA software in 2014?

2. Trick or treat: the battle for the front seat
Since beating around the bush never helped anyone, there’s one thing that we need to get right straight ahead:
behind these masked monsters are always people. People using machines to target other people using machines.
And in the middle, you have us – the people-as-shields, those that fight the battle for you. But that doesn’t
mean you are completely helpless without us.
This month, to stay safe against StrongPity, your best option is to make sure you’re always downloading apps
from their official website (and not from sourceforge.net, for instance). While this may reduce risks to a minimum,
you’re not out in the clear yet. What’s left to be done is signature verification. We took the liberty of linking here a
useful article on the topic that takes you step-by-step on how to check the integrity of your downloads. While
this is not an easy task for most users, there are awareness campaigns militating for a much simpler approach.
In the US, as in previous years, the main message circulating every October is one that might just save you from
falling in StrongPity’s trap: ‘Stop. Think. Connect’.
This short slogan makes up for some great advice for any type of online activity, whether it’s about clicking on
that suspicious attachment or downloading an encryption app. Sometimes, a few seconds of skepticism can
make a huge difference. After all, you don’t always immediately open the door on Halloween either.
As a bonus, instead of a conclusion, we took the liberty to gather a collection of Halloween-inspired sources to
help you keep cyber-horrors at bay:
1. Protect your goodies, strong passwords are a must:
https://www.reveelium.com/en/yahacking-the-last-straw/
https://www.reveelium.com/en/cyber-hygiene-social-networks/
https://www.reveelium.com/en/fbios-rabbit-hole/
2. Don’t take sweets just from anyone, it might be a bait:
https://www.reveelium.com/en/target-human-behind-machine/
https://www.reveelium.com/en/cybersecurity-during-the-summer/
https://www.reveelium.com/en/apple-and-its-vulnerabilities/
3. Beware of requests from strangers, the Big Bad Wolf also posed as a good guy:
https://www.reveelium.com/en/avoid-data-hostage-situation/
https://www.reveelium.com/en/locky-data-hijackers-strike/
https://www.reveelium.com/en/can-hospitals-stay-cyber-healthy/
https://www.reveelium.com/en/banking-malware-siege/
4. Prevent IoT devices from haunting your website:
https://www.reveelium.com/en/iot-rise-of-the-machines/
https://www.reveelium.com/en/iot-jeopardizes-business-security/
https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/
https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-ii/

3. While we take pride inthe articleswe write,it’sobviouswe cannotalwayscoverall topicsor go as much intodetailsas
we’dlike.Assuch,we’ve listedhere acouple of extra cybersecuritysources,areal treatfor all those interestedingoing
beyond just awareness campaigns and witty metaphors this Halloween:
1. SANS Institute’s CWE Top 25, a list of the easiest to exploit vulnerabilities
As one of the largest international informationsecurity organizations,SANS provides training to thousands of security
professionalsandethical hackers everyyear.AnotherexcellentplatformSANSprovidesisthe ReadingRoom,acollection
of papers in all cybersecurity topics which records over 75,000 unique visitors each months.
2. OWASP’s Secure Coding Practices, the monster-free coding guide for all developers
OWASP stands for Open Web Application Security Project and is a nonprofit organization, running though the will of
security expert volunteers all around the world. Through its ESAPI project, OWASP helpsdevelopers integrate security
into already existing apps, as well as create new ones from scratch, security centered this time.
3. ISACA’s Internet of Things research: infection risk considerations
Previously known as the Information Systems Audit and Control Association, ISACA covers todays many more topics,
counting over 140,000 members at a global level.
4. CERT’s secure coding resources or learning how to be a security ghostbuster
Working closely with the Department of Homeland Security, CERT is a renowned engine of the cybersecurity field.
5. NIST’s SAMATE standards, a business’s survival guide
The National Institute of Standardsand Technologyprovidesstandardsfororganizationstobe able to choose the right
cybersecurity tools for their environment.
Link:
https://www.reveelium.com/en/dark-side-of-cybersecurity-awareness-month/