If a website's massive data breach compromises your privacy, there's not much you can do. It's out of your hands. But that doesn't mean you're completely helpless. There's plenty you can do to protect your own privacy, things like encrypting your files, and protecting your passwords. Steganos Privacy Suite 18 brings together a variety of useful privacy-related tools. However, the quality of the tools varies, and the suite lacks some useful features found in competing products.
With most antivirus tools, security suites, and password managers, you pay a yearly subscription fee. That's not the case with Steganos. For $59.95 you can install it on up to five PCs and use it for as long as you like. The only thing you don't get is a free update to the next version.
Earlier editions of this product included VPN protection, but the current product lineup makes Steganos Online Shield VPN a separate product. As I write this, Steganos is running a promotion that gives you the VPN for free when you purchase the suite. Note, though, that PCMag's Max Eddy gave this VP service just two out of five stars.
Getting Started with Steganos
After the quick, simple installation Steganos displays its main window. At the left is a three-by-three matrix of icons representing the suite's features: Safe, Portable Safe, Crypt & Hide, Password Manager, Private Favorites, E-Mail Encryption. Shredder, Trace Destructor, and Privacy. The suite is effectively a launch pad for these utilities.
The right-hand portion of the main window is a kind of security progress report. Just by installing the suite, you start with a 20 percent security level. Creating an encrypted safe for storing sensitive files gets you another 20 percent, and setting up the password manager raises it by another 20. Using the password manager's bonus ability to store private favorites adds 20 percent more. Configuring the Privacy components takes you to 100 percent. I like the way this simple report encourages full use of the product's features.
Several components of the Steganos Privacy Suite are available as standalone products. I'll summarize my findings regarding those products. To get full details, please click the links to read my reviews.
Steganos Safe 18 lets you create any number of safes, which are encrypted storage containers for your sensitive files. You can create safes on your PC, on portable devices, or in your cloud storage accounts. When a safe is open, you use it exactly like any disk drive. When it's shut, its contents are completely inaccessible.
Steganos Safe is extremely easy to use, more so than most container-based encryption products. In addition, it offers some seriously sneaky techniques for hiding the very existence of your safes from prying eyes. For example, you can hide a fairly small safe inside an audio, video, or executable file. And the Safe in a Safe feature lets you dedicate a percentage of a visible safe for use as a discrete, invisible storage location, with its own separate password.
Along with the encryption tool, you also get Steganos Shredder, a secure deletion shredder utility. You can securely delete any file or folder by selecting Destroy from the right-click menu. With this tool you can also shred all of the free space on disk, effectively applying secure deletion to already-deleted files. It can also wipe any disk drive (except the active Windows drive) so thoroughly that a format is required when it's done.
Steganos Password Manager 18 handles the basic tasks of password capture and replay, and includes a password generator. Unlike most competing products, it doesn't directly handle syncing your passwords between devices; if you want syncing, you must connect to your existing cloud storage. You also get a limited ability to fill Web forms with personal data.
In testing, I couldn't get the password manager's Firefox extension to load. Also, some features worked in Chrome but not in Internet Explorer. If you get this password manager as part of the Steganos suite, you might as well use it. But if you're shopping for a standalone password manager, there are much better choices.
The two standalone Steganos products I've reviewed account for five of the suite's nine component icons. Password Manager and Private Favorites both correspond to Steganos Password Manager. Safe and Portable Safe are parts of Steganos Safe, as is Shredder. For the remainder of this review I'll focus on the rest of the privacy components.
Encrypt and Hide
The name Steganos comes from the term steganography, which is not the same as encryption. The aim of encryption is to ensure that others can't decipher your secrets. The aim of steganography is to conceal the fact that you have secrets. When you process a file through the suite's Crypt & Hide component and then shred the original, a hacker or snoop won't find any evidence that the sensitive data exists.
I don't know precisely how this tool processes files—it's not in the company's interest to reveal such information. But here's a simple example of how steganography could work to hide a file inside an image. First, picture that the file contains a list of numbers representing the exact color of each pixel in the image. Now round all those numbers so they're even. That tiny change doesn't make a visible difference in the image. Convert your secret file into a stream of bits, and step through the list of the image's pixels, leaving the color number unchanged for zero bits and making it odd for one bits. You've hidden the file in a way that's completely recoverable, but the image doesn't look appreciably different.
Steganos can use BMP, WAV, or JPG files as carriers for encrypted data. The help system advises using a carrier file at least 20 times the size of the encrypted data. You can also use it to create encrypted archives without hiding them, much as you'd do with a ZIP archive utility. Note, though, that the archives created by Steganos use the proprietary EDF format, not the standard ZIP format.
To create a simple encrypted archive, drag files and folders onto the Crypt & Hide dialog, or browse to locate the desired items. You can also enter a text description of the contents. Clicking Save lets you define the name and location for the resulting EDF file. The password entry dialog is the same as that used by Steganos Safe and Steganos Password Manager. It rates password strength as you type, with the option to use a virtual keyboard, or to define the password by clicking a sequence of pictures.
To create an encrypted file and also hide it, follow precisely the same procedure, but click the Hide button instead of the Save button, and choose a BMP, WAV, or JPG file as carrier. That's it. Your secret files are hidden within the chosen carrier. Don't believe it? Launch Crypt & Hide again, choose Open, and select your carrier. Once you enter the password, your files are back. Of course you must use the shredder to destroy the originals.
As you use your computer and browse the Web, you leave behind traces of what you've been doing. Sure, you hid your secret plans using Crypt & Hide, but if MyWorldTakeover still shows up in the list of recent documents, you're busted. In a similar way, your browsing history may reveal way too much about what you've been researching. That's where TraceDestructor comes in.
TraceDestructor clears various types of browsing traces from Chrome, Firefox, Internet Explorer, and Microsoft Edge. For Edge, it just clears cookies and cached files. For the others, it can also wipe out such things as history, autocomplete data, and passwords. It can also empty the Recycle Bin and eliminate Windows temporary files, recently used file lists, and other traces.
Cleaning up traces doesn't take long. When the process has finished, Steganos advises you to log off and on again, for full cleanup. Simple!
Clicking the Privacy icon brings up a simple settings dialog with four on/off switches, all off by default. I couldn't test Webcam protection, because my virtual machine test systems simply don't have webcams. In addition, every time I opened Privacy Settings I got a notification from Windows that the webcam privacy component crashed.
Webcam protection does nothing but deactivate your webcam, so you must turn that protection off if you want to use the cam for videoconferencing. A similar feature in ESET Internet Security 10 lets you disable the webcam in general but enable specific programs. That would prevent webcam spying while still letting you Skype, for example.
Kaspersky Total Security also offers webcam blocking for all but permitted programs. It extends similar protection to the microphone, to head off the possibility of a snoop listening in on your activities.
Internet advertisers work hard to profile your personal surfing habits, so they can target ads based on your interests. If you've ever bought (or looked at) a product on one site and then seen an ad for that product on a different site, you've seen this process in action. You can set your browser to send a Do Not Track header with each request, but sites aren't compelled to obey this header. The Prevent tracking option in Steganos filters out tracking activity before it reaches the browser.
Some trackers skip the usual techniques for tying together all data about your online activity, instead trying to create a fingerprint of your devices and activity, including precise data about the browsers you use. Steganos lets you replace your actual browser details with a generic fake set, to anonymize your browser type. Finally, you can choose to block advertisements altogether. The Block ads, Prevent tracking, and Anonymize browse type settings are simple on/off switches.
In testing, these three privacy elements initially didn't work. I confirmed this using various online tests. I reinstalled the product, to no avail. I installed it on a physical system, thinking that it might be incompatible with running in a virtual machine. Here, too, the privacy elements just didn't work. Tech support determined this was due to the absence of a proxy process that provides all three types of filtering.
Going back and forth with tech support, I determined that the installer failed to create a necessary configuration file. Even after I manually copied the config file that tech support supplied, it did not launch the proxy process. After more back and forth, I got the proxy running on both systems. It seemed to be running smoothly on the physical system, but its output on the virtual system contained many error messages. That being the case, I focused on the physical system.
There's no way to tell if the Prevent tracking feature is working, but Anonymize browser type should change the user agent string that your browser sends to every website. It did not do so. And although the filter's output log contained tons of ad blocking reports, the ads visibly weren't blocked.
The worst thing about this component is that even when its proxy failed to load, it didn't display any kind of error message. The privacy features work silently, so you'd have no idea that they weren't functioning, unless you noticed its failure to block ads.
There is one icon I haven't covered, E-Mail Encryption. I've skipped this one for several reasons. First, it is not a Steganos product; it's from another company, MyNigma. Second, on a PC it only functions as an Outlook plug-in, and my test systems don't have Outlook. Third, it only works to encrypt email between other users of MyNigma, so it's not useful for general-purpose encrypted communication.
Another Take on Privacy
Abine Blur is another suite of tools aimed at protecting your privacy. Its active Do Not Track component goes way beyond just sending the DNT header, which websites can ignore. Furthermore, unlike Steganos, it makes its activity visible. It includes a simple password manager, but goes beyond Steganos by offering a safety report that flags weak and duplicate passwords.
Blur protects your privacy by masking email accounts, credit cards, and (on a smartphone) phone numbers. Suppose you make a purchase from a merchant using a masked email account, and a masked credit card. Mail from the merchant reaches your inbox, but you can delete the masked account if it starts getting spam. And a merchant who doesn't have your real credit card number can't sell the card data or overcharge you. Read my review for a full explanation.
Blur doesn't block ads, and it doesn't include file encryption, but all of its components are directly aimed at protecting your privacy. Even if you do install the Steganos suite, consider trying Blur's free edition for additional protection. Note that if you do opt for a $39-per-year premium subscription, you can use Blur on all your devices.
Do You Already Have It?
You may also find that you've already got significant privacy protection courtesy of your security suite. For example, Kaspersky and AVG Internet Security include an active Do Not Track system, like what Blur offers, and Kaspersky can block banner ads. Webcam protection in Kaspersky and ESET goes farther than what you get with Steganos.
As for encrypted storage, the core of Steganos Privacy Suite, you can find a similar feature in many suites, among them McAfee LiveSafe, Bitdefender, Kaspersky, and Trend Micro. Admittedly, none of the suites build out this feature into the comprehensive encryption system that is Steganos Safe.
As for password management, it's becoming a common bonus feature in larger suites. Webroot includes a version based on award-winning LastPass, and McAfee comes with all the multi-factor authentication glory of True Key. Symantec Norton Security Premium, Trend Micro, ESET, Kaspersky, and Bitdefender are among the other suites with a password manager built right in.
Before you purchase a set of privacy tools, check to see what you already have right in your existing security suite.
A Mixed Bag
Steganos Safe is easier to use than other container-based encryption programs, and has some nifty features to both encrypt and hide your files. However, Steganos Password Manager lacks advanced features, and some of its features didn't work in testing. The Crypt & Hide component is a kick, as it truly hides your secrets, leaving no trace. But the browser-related privacy filters just didn't work in testing. Steganos Privacy Suite is a mixed bag, for sure.
There aren't many utilities specifically devoted to privacy. Abine Blur Premium remains our Editors' Choice in this interesting field. I look forward to seeing more competition in the specific area of privacy protection.
But that malware doesn't infect their computers, researchers said.
Instead, it causes unsecured routers to connect to fraudulent domains. Using a technique known as steganography, the ads hide malicious code in image data.
The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server.
This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain. Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars: These findings are significant because they demonstrate clearly that ubiquitous and often-overlooked devices are being actively attacked, and once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, etc.
Thus, the potential footprint of this kind of attack is high and the potential impact is significant. Lots of moving parts The ads first check if a visitor's IP address is within a targeted range, a behavior that is typical of many malvertising campaigns, which aim to remain undetected for as long as possible.
If the address isn't one the attackers want to target, they serve a decoy ad with no exploit code in it.
In the event the IP address is one the attackers want to infect, they serve a fake ad that hides exploit code in the metadata of a PNG image.
The code, in turn, causes the visitor to connect to a page hosting DNSChanger, which once again checks the visitor's IP address to ensure it's within the targeted range. Once the check passes, the malicious site serves a second image concealed with the router exploit code. Enlarge / DNSChanger attack chain. Proofpoint "This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher who uses the moniker Kafeine wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials." In the event there are no known exploits and no default passwords, the attack aborts. Enlarge / A fake DNSChanger ad. Proofpoint DNSChanger uses a set of real-time communications protocols known as webRTC to send so-called STUN server requests used in VoIP communications.
The exploit is ultimately able to funnel code through the Chrome browser for Windows and Android to reach the network router.
The attack then compares the accessed router against 166 fingerprints of known vulnerable router firmware images. Proofpoint said it wasn't possible to name all the vulnerable routers, but a partial list includes: D-Link DSL-2740R COMTREND ADSL Router CT-5367 C01_R12 NetGear WNDR3400v3 (and likely other models in this series) Pirelli ADSL2/2+ Wireless Router P.DGA4001N Netgear R6200 The malicious ads are delivered in waves lasting several days at a time through legitimate ad networks and displayed on legitimate websites. Proofpoint's Wheeler said there isn't enough data to know how many people have been exposed to the ads or how long the campaign has been running, but he said the attackers behind it have previously been responsible for malvertisements that hit more than 1 million people a day.
The campaign was still active at the time this post was being prepared. Proofpoint didn't identify any of the ad networks or websites delivering or displaying the malicious ads. As Ars reported last week, a similar malvertising campaign—images with hidden code that double-check IP addresses—also reached more than 1 million people a day. Proofpoint said the two campaigns aren't related. DNS servers translate domain names such as arstechnica.com into IP addresses such as 18.104.22.168, which computers need to find and access the site.
By changing router settings to use an attacker-controlled server, DNSChanger can cause most, if not all, connected computers to connect to impostor sites that look just like the real ones.
So far, the malicious DNS server used by DNSChanger appears to be falsifying IP addresses to divert traffic from large ad agencies in favor of ad networks known as Fogzy and TrafficBroker.
But the server could be updated at any time to falsify lookups for Gmail.com, bankofamerica.com, or any other site.
In such a scenario, HTTPS protections wouldn't flag the impostor. The best defense against these attacks is to ensure routers are running the latest available firmware and are protected with a long password that's generated randomly or through a technique known as diceware.
Disabling remote administration and changing its default local IP address can also be helpful.
STUN (Session Traversal Utilities for NAT) servers send a ping back that contains the IP address and port of the client; from the server’s perspective.
If not, a victim is shown a benign ad.
The AES key is used to cloak traffic and decrypt router fingerprints used to determine if a target is using vulnerable model. “Once it performs the reconnaissance functions, the browser will report back to the DNSChanger EK which returns the proper instructions to perform an attack on the router,” Proofpoint said. “The Chrome browser is functioning correctly, but the router has vulnerabilities that can be exploited.
Because browsers must talk with routers through which clients connect to the Internet, legitimate traffic/connections can be exploited to change the router’s DNS settings,”Patrick Wheeler, director of threat intelligence at Proofpoint, said. “The browser is simply doing what it is supposed to, talking with the router and, ultimately, receiving DNS information from it.” In cases where the router is not vulnerable, attackers will use DNSChanger to attempt to use default credentials to change DNS entries.
If the vulnerability is present, attackers will use the known router exploits to modify the DNS entries in the router and also try to make administration ports available from external addresses for additional attacks. The goal is to change DNS records on routers so cybercriminals can steal traffic from large web ad agencies such as Propellerads, Popcash and Taboola. “At the time of our examination, they were redirecting the traffic to Fogzy (a.rfgsi[.]com) and TrafficBroker,” Proofpoint wrote. Wheeler said there are also indications that DNSChanger is being used in man-in-the-middle attacks. He added, “We do not rule out the possibility of future malicious actions depending on the motivation or goals of those controlling the exploit kit.” Mitigation efforts include applying the latest manufacturer router updates. Proofpoint also recommends a number of ways to tighten security to lesson the likelihood of an attack.
Those recommendations include changing the default local IP range on routers, disabling remote administration features on SOHO routers and using ad-blocking browser add-ons.
Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors.
Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.Enlarge / Left: Clean picture; middle: picture with malicious content; right: malicious version enhanced for illustrative purposes. Eset The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect.
After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities. "We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals—the websites onto which they managed to get the malicious banners installed," Eset researchers wrote in a report published Tuesday. "We have observed major domains, including news websites visited by millions of people every day, acting as 'referrers' hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer.
There is, however, a lot more to it than advertising." The ads promote applications calling themselves "Browser Defence" and "Broxu" and targeted people who visited the news sites using Internet Explorer browsers.
The script concealed in the pixels exploited a now-patched IE vulnerability indexed as CVE-2016-0162 to obtain details about the visitors' computers.
Among other things, the script checked for the presence of packet capture, sandboxing, and virtualization software and a variety of security products. Machines that didn't exhibit signs of the software and contained a vulnerable version of Flash were then redirected to the exploit site, which would serve one of two families of malware.
The Ursnif family is made up mainly of modules for stealing e-mail credentials, logging keystrokes, taking screenshots and videos, and acting as a backdoor.
The Ramnit variety of malware offers most of the same capabilities and mainly targets the banking industry. The attackers took extra pains to ensure the machines being infected didn't belong to security-savvy people who might detect what was happening.
In addition to a check carried out by the script embedded in the ad, a separate check was carried out by the exploit server before going through with the attack.
The Eset report didn't identify any of the sites that delivered the malicious ads.
It did say that the people exposed were concentrated in Canada, the UK, Australia, Spain, and Italy, which are the countries served by the affected ad networks.
Earlier versions of the campaign from 2014 and 2015 targeted people in the Netherlands and the Czech Republic.
The Flash vulnerabilities exploited included CVE-2015-8641, CVE-2016-1019, and CVE-2016-4117. Update: To execute the hidden payload, the malicious ads load a heavily modified version of Countly, an open-source package for measuring website traffic.
This countly, however, is not the stock library of the open source mobile & web analytics platform you would download from github.
It is a heavily modified and obfuscated version, with some parts deleted and interlaced with custom code.
This custom code is responsible for an initial environment check.
Information about the environment is reported back to the server as XOR-encrypted parameters of the 1x1gif file, as captured in the image above. The following information about the environment is sent:systemLocale^screenResolution^GMT offset^Date^userAgent^pixelRatio After that, the script will request the advertising banner.
The server will reply with either a clean or a malicious version, most likely also depending on the previous environment check. The script will then attempt to load the banner and read the RGBA structure.
There's no reason future campaigns—or possibly ongoing ones that have yet to be discovered—couldn't exploit zero-day vulnerabilities that infected a much larger base of people. Until ad networks get much better at detecting malvertising campaigns, the scourge is likely to continue.
The malware is programmed to spread aggressively across an organization’s network once it gets a foothold. The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports. Selling healthcare records is a growing trade on cybercrime forums.
This could explain the attackers’ heavy focus on the healthcare sector. Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc).
These supposed software license key generators (keygens) actually come packed with malicious code. The software nasty also spreads to a lesser extent using watering hole attacks (where the instigator infects websites that members of the group are known to visit). The malware creates a backdoor on compromised machines before stealing information. Hackers are known for leveraging the malware to break into machines on associated networks, probably using weak passwords and poor security in file shares and network drives. “In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections. “They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds. The malware downloads instructions from pre-programmed URLs.
These instructions are snuck past network defenses using steganography, a technique for hiding data within seemingly-innocuous (usually, image) files. ® Sponsored: Customer Identity and Access Management
That's significant because the whole point of digitally signing a file is to guarantee that it comes from a particular developer and hasn't been altered en route. If an executable file is signed, information about its signature is stored in its header, inside a field called the attribute certificate table (ACT) that's excluded when calculating the file's hash -- a unique string that serves as a cryptographic representation of its contents. This makes sense because the digital certificate information is not part of the original file at the time when it is signed.
It's only added later to certify that the file is configured as intended by its creator and has a certain hash. However, this means that attackers can add data, including another complete file inside the ACT field, without changing the file hash and breaking the signature. Such an addition will modify the overall file size on disk, which includes its header fields, and this file size is checked by Microsoft's Authenticode technology when validating a file signature. However, the file size is specified in three different places inside the file header and two of those values can be modified by an attacker without breaking the signature.
The problem is that Authenticode checks those two modifiable file size entries and doesn't check the third one. According to Nipravsky, this is a design logic flaw in Authenticode. Had the technology checked the third, unmodifiable file size value, attackers wouldn't be able to pull off this trick and still keep the file signature valid, he said. The malicious data added to the ACT is not loaded into memory when the modified file itself is executed because it's part of the header, not the file body. However, the ACT can serve as a hiding place to pass a malicious file undetected past antivirus defenses. For example, attackers could add their malicious code to one of the many Microsoft-signed Windows system files or to a Microsoft Office file.
Their signatures would still be valid and the files functional. Moreover, most security applications whitelist these files because they're signed by trusted publisher Microsoft to avoid false positive detections that could delete critical files and crash the system. The second part of Nipravsky's research was to develop a stealthy way to load the malicious executable files hidden inside signed files without being detected. He reverse engineered the whole behind-the-curtain process that Windows performs when loading PE files to memory.
This procedure is not publicly documented because developers don't typically need to do this themselves; they rely on the OS for file execution. It took four months of eight-hours-per-day work, but Nipravsky's reverse engineering efforts allowed him to create a so-called reflective PE loader: an application that can load portable executables directly into the system memory without leaving any traces on disk.
Because the loader uses the exact process that Windows does, it's difficult for security solutions to detect its behavior as suspicious. Nipravsky's loader can be used as part of a stealthy attack chain, where a drive-by download exploit executes a malware dropper in memory.
The process then downloads a digitally signed file with malicious code in its ACT from a server and then loads that code directly into memory. The researcher has no intention of releasing his loader publicly because of its potential for abuse. However, skilled hackers could create their own loader if they're willing to put in the same effort. The researcher tested his reflective PE loader against antivirus products and managed to execute malware those products would have otherwise detected. In a demo, he took a ransomware program that one antivirus product normally detected and blocked, added it to the ACT of a digitally signed file, and executed it with the reflective PE loader. The antivirus product only detected the ransom text file created by the ransomware program after it had already encrypted all of the user's files.
In other words, too late. Even if attackers don't have Nipravsky's reflective PE loader, they can still use the steganography technique to hide malware configuration data inside legitimate files or even to exfiltrate data stolen from organizations.
Data hidden inside a digitally signed file would likely pass network-level traffic inspection systems without problems.