Mirai – The Botnet of Things

The dynamic of the Internet of Things shows us the daily progress of digitalization. More and more devices are connected to the Internet, providing users comfort and efficiency. The market is constantly filled with new devices and the variety of functions attracts many users. Today, there is already a huge network of data, servers and connected intelligent devices – which, however, represents a new and above all enormous target for cyber criminals due to the unconsidered security vulnerabilities of smart devices.

The malware Mirai took advantage of this weakness: In October 2016, the botnet virus became widely known for the first time due to the largest DDoS attack ever launched, targeting the DNS provider “Dyn”. As a result, the websites and services of many international companies, including Amazon, Netflix and Spotify, were unavailable for a long time. For businesses, this can mean a loss of millions. What exactly is the story behind the malware that exploits the weaknesses of technological progress?

The origin of the Mega Botnet

2016 wasn’t the first time such an IoT botnet “hit” the market: according to independent security journalist Brian Krebs of krebsonsecurity.com, Mirai-like predecessors have existed since 2014, known as Bashlite, Gafgyt, QBot, Remaiten and Torlus. Mirai’s bot code was assembled from the improved code of these forerunners by several developers. It was finalized by a group of hackers who joined forces in 2014 and, under the pseudonym “lelddos”, launched DDoS attacks on competing Minecraft servers, using the Mirai botnet to slow them down or knock them off the Internet, which cost their operators a lot of money.

Mirai was designed to remove other malware from already infected IoT devices and then take those devices over itself. Infected devices in turn scanned for further vulnerable devices to take over. As the number of IoT products under Mirai’s control grew, the botnet became more extensive and the hackers went after larger targets. In September 2016, the French hosting company OVH suffered a DDoS attack with a total capacity of up to 1.5 terabits per second.

Shortly after that attack, one of Mirai’s co-developers published the source code of the malware online under the pseudonym “Anna-Senpai”. In doing so, the author enabled many hackers to copy and further develop the code. The release led to a rapid increase in imitators operating their own Mirai botnets, which culminated in the attack on Dyn’s servers just a month later. Because of the many new variants of Mirai, tracing those responsible became much more difficult. Yet only a few weeks later, the FBI tracked down three young Americans.

On the 5th of December 2017, the hackers pleaded guilty in court in Alaska to developing the malware and merging it into a botnet to harm companies and “other targets”. According to the court documents, the cybercriminal group also planned to earn money with its own DDoS-as-a-Service offering and through racketeering. To avoid a prison sentence, the 21- and 22-year-olds agreed to assist the FBI in complex cybercrime investigations. Nevertheless, the sentence included a five-year suspended sentence, 2,500 hours of community service, and $127,000 in restitution. Even though the criminal malware developers are now kept in check, the malware code still exists and can be reused, converted and improved by other hackers.

The Return of Mirai

In March 2019, security experts discovered a new type of Mirai, which is aimed primarily at IoT devices within companies. Cybercriminals expect this to increase their attack power even more as they gain access to greater bandwidth over corporate networks. The new Mirai version contains several more features, including 11 additional exploits, bringing the total number of exploits of the malware to 27. These additional features give the program an even larger attack surface. The malware spreads primarily through presentation systems, smart TVs, routers and IP cameras.
Companies are advised to change the credentials of the implemented IoT devices and to consider the security of these devices in their IT security strategy as well.

This development shows how insecure IoT devices are in the digitized world – the security factor is essential for businesses and users. A study by the Berkeley School of Information and the Center for Long-Term Cybersecurity (CLTC) estimated the total cost to consumers caused by the hack of a smart device and the additional power consumption when that device is involved in a cyberattack: For example, the combined costs of the attack on Dyn in October 2016 amounted to around 115,000 dollars for IoT users. In a worst-case scenario, the study’s calculator arrives at a sum of about 68 million dollars, roughly 100 dollars per user, for a DDoS attack involving 600,000 IoT devices.

The rise of DDoS Attacks

The additional attack surface, which results from the very weakly protected Internet of Things, is also reflected in the increasing number of DDoS attacks on companies.

Three years ago there were still around 9,000 attacks per quarter on corporate infrastructure and servers in the German-speaking area; since then, attacks have increased year by year.
In the 1st quarter of 2019, there were already 11,177 DDoS attacks registered in Germany, Austria and Switzerland alone. But it is not only the number of attacks that is on the upswing; the volume is also growing significantly. According to the Link11 DDoS Report Q1 2019, the largest DDoS attack in German-speaking countries reached a volume of 224 gigabits per second. The average attack volume in this quarter was already 3.8 Gbps, an increase of 70 percent compared to the same period last year. The Internet of Things is contributing significantly to the increased power of attacks – a fact that takes cyber security to a new level once again.

Crypto mining – From the gold rush in the digital world

It has been more than a century since the so-called “Klondike Gold Rush” broke out in Alaska. Many tried their luck as treasure hunters and set out under the most difficult conditions in search of the coveted precious metal. Since then, a lot has happened and real gold diggers are mostly only to be found in adventure stories. For in the age of the Internet and with the development of digital currencies, new, much more attractive ways of supposedly making quick and big money have emerged. One of them has a surprising amount in common with the legendary Klondike Gold Rush: “crypto mining” or “digging cryptocurrencies”.

The procedure of illegal crypto mining

Cryptocurrencies have become established as a legitimate means of payment. Since the payment units called “Bitcoin” or “Monero” are neither issued by states nor banks, they have to be generated and transferred in a different way. This process, called “mining,” can be done by the users themselves, using computers. But it is not that simple: In order for the digital currencies to be generated, the systems must solve complex algorithmic tasks. The more units to be generated, the more complex the calculation tasks. The exchange of currencies is organized on a decentralized basis and can be handled directly between users via the blockchain using a peer-to-peer network.

The following motto for miners is derived from this: With more computing power, the tasks can be solved faster, and that means more Bitcoins, Moneros and co. A lot of system resources are used in the process, which is why the graphics card and the processor are put under considerable stress. In addition, the computationally intensive process brings with it immense power consumption. This in turn leads to high electricity costs, and together with the heavy wear on hardware it often makes crypto mining unprofitable – especially when the exchange rate is just not playing along.

High profit margins thanks to botnet

As a result, criminal crypto miners have developed various methods to circumvent the high electricity prices found in industrialized countries in particular. One variant is the large-scale mining of cryptocurrencies in countries with extremely low energy prices. For this purpose, entire data centers are set up in countries such as Iceland, Georgia and Venezuela, which are only used for the generation of cryptocurrencies.

Due to the immense power consumption, crypto mining, especially in this country, can only be deemed “lucrative” with the help of botnets. The idea behind this is that cybercriminals can combine the computing power of the computers embedded in a bot network and use them for free. Through a command-and-control server, they gain central control over all devices integrated in the bot network – but how do they do it?

How Cybercriminals send a crypto-miner into the system

In order to make a computer part of a botnet, cybercriminals first have to get “dropper” software into the computer. Regarding the distribution channels, there are no limits to the creativity of digital criminals. The dropper usually reaches the targeted devices via infected websites, but combining it with spam emails is also a popular distribution channel. Here, cybercriminals send spam to a large number of email addresses, hoping that recipients will click on the link contained in the email. On the infected web pages, the dropper is silently downloaded in the background and then executed. The dropper itself does not pose the real danger, because it first downloads the crypto miner and a special tool, which gives instructions to the miner.

For example, the tool can tell the crypto miner to slow down its activities as soon as a resource-hungry application starts. So it is less likely that the victim will notice the fraud. But that’s not all: Some versions of the malware even have the ability to disable antivirus programs and restore the miner when an application tries to remove it. IT security experts believe that some bot networks can sometimes bring in up to $200,000 per month.

What is the current threat situation?

As late as 2018, crypto miners were right at the top of cybercrime’s malware popularity scale – ahead of the well-known blackmail ransomware scam. A crypto miner is used in 9.7% of all recorded malware attacks overall, according to the cyberthreat report by Hornetsecurity. In numbers, that equates to around 29 million out of a total of 300 million malware attacks worldwide. At AV specialists GDATA, three versions of crypto miners were among the top 10 repelled malware programs. But currently the cryptocurrencies are weakening. In particular, the Bitcoin price is like a rollercoaster ride. As a result, the use of crypto mining for cybercriminals is of course not nearly as effective as the previous boom of Bitcoin and co. in December 2017 – but at the same time does this mean that illegal crypto mining is just a fad and the great hype is long gone?

Quite the contrary, because renowned financial experts are sure: At the moment, it is simply a bubble and as soon as it bursts, the investment in digital money will skyrocket again. Bitcoin expert Aaron Lasher goes even further: He believes that a Bitcoin could be worth about 200,000 euros in ten years.

Crypto Mining Infographic by Hornetsecurity

Harvard expert Dennis Porto, who has calculated that the Bitcoin price will rise in the next five years to up to 100,000 euros, backs this up. As crypto mining and the price of cryptocurrencies go hand in hand, illegal crypto mining activities are also likely to increase considerably with the occurrence of this scenario.

Protection in case of emergency: How do I effectively protect myself against crypto miners?

A traditional antivirus program is far from sufficient when protecting against complex malware. You are therefore advised to take other precautions. Since crypto miners can only start their work when an infected file or website is opened, access should be prevented ideally in advance.

This can be ensured in companies, in particular through the use of managed security services. To effectively close the gateway, a combination of spam filters, web filters and Advanced Threat Protection is advised. The spam filter ensures that suspicious emails containing links to infected websites are rigorously filtered out. This way the recipient cannot accidentally click on the malicious link, because the email does not even reach their email inbox.

Advanced Threat Protection intervenes when there is an infected file in the attachment of an email containing, for example, the “dropper” of a crypto miner. The intruder is quarantined and blocked from entering the email inboxes, just like spam emails. When surfing the Internet, a web filter provides security against harmful content. It reliably blocks access to dangerous sites, such as those on which a crypto miner is installed, and informs the user about the threat that lurks there.

The gold rush fever among cybercriminals does not simply have to be accepted. The worse things look for cryptocurrency prices and the more users protect themselves against crypto miners in advance, the less likely one is to fall victim to the scam.

Internet of Things: More time for security in the era of innovation

A life in the smart home through connected devices

It’s 6:18 am, the smart light alarm clock gently brings its owner out of his slumber to start the day and the morning routine full of energy. Since the alarm clock is linked to various devices in the house via the Internet, the heater heats the bathroom to the desired temperature of 21 degrees at 6:20 am. The coffee is also ready on time at 6:35 am. Even the way to work is monitored by the smartphone app, reporting that a traffic jam may mean delays. When leaving the house, energy consumption is reduced as both the heating and lights are automatically turned off.

Devices that are equipped with an Internet connection and can communicate with each other make such a smart home possible. And the number of these devices is increasing year by year: The market researchers of the American IT consulting institute Gartner estimate that by 2020, around 20 billion networked devices will be used worldwide, both by private users and by companies. Known as the Internet of Things, the devices create a kind of global infrastructure for technologies that link together physical and virtual objects.

Introduction to the Internet of Things (IoT)

What does Internet of Things actually mean and how did it come about?

“The Internet of Things (IoT) is a network of physical objects that contain integrated technology to communicate and capture things, or to interact with their internal states or the external environment.” (Gartner)

Ten years after the invention of the World Wide Web, British technology pioneer Kevin Ashton coined the term “Internet of Things”. Ashton is considered a co-founder and developer of radio-frequency identification (RFID) technology. A device equipped with an RFID transponder receives its own “identity” and is able to receive and submit information – in other words, to “communicate”. In 1999, Ashton first used the term Internet of Things in a presentation demonstrating RFID technology and its relationship and importance to logistics. RFID is therefore considered the basis of the Internet of Things.

The ultimate goal of the “Internet of Things” is to unite the real world with the virtual to make it more comfortable, efficient, economical and secure. For example, devices connected to the Internet are used in a variety of private, economic, but also scientific and political fields. American technology company Leverege, which specializes in IoT, divides the world of the Internet of Things into three categories:

  • Things that collect information and send it (to a server).
  • Things that receive information and act accordingly.
  • Things that can be assigned to both category 1 and 2.

How does an IoT system work?

The applications of the Internet of Things are diverse and extend across a wide range of industries – but building an IoT system always consists of the same four components:

1. Sensors/Devices
An important part of the Internet of Things is data. Accordingly, sensors or devices are necessary, which as a first step collect data from their environment. These can be as simple as a temperature measurement or as complex as a full video transmission.

2. Connectivity
In order to send or exchange the collected data, a connection from a sensor to a server or to the cloud is required. The devices can, for example, be connected to the cloud via mobile, Wi-Fi, Bluetooth or satellite.

3. Data processing
In order to process the sent data for information, a server is needed which connects to the device and “communicates”. Processing takes place in most cases via the cloud.

4. User interface
The information collected must be made useful to the user in some way or displayed and made accessible. Therefore, an interface is required that outputs the information, for example, via notification by text, voice or sound. Depending on the IoT application, the user can also perform an action and influence the system, or the system automatically executes actions through predefined rules.

Why is the cloud so important to the Internet of Things?

The progress of cloud technology has a significant impact on the evolution of IoT systems. Because the devices are not only used for private purposes, but are also becoming increasingly prevalent in the industry. In such applications, hundreds of sensors and devices can be used quickly. However, this creates a large amount of data that can only be processed with the help of immense computing power.

Cloud technology is intended for exactly these purposes, because it consists of a large network of powerful servers. The computing power of the cloud and the capabilities it enables, such as Artificial Intelligence (AI) and Machine Learning (ML), allow the mass of data generated by IoT systems to be used intelligently. The system makes “smart” decisions and is also fully scalable. So, instead of relying on a fixed server with limited performance, more computing power can easily and quickly be freed up for the “communication” of the Internet of Things in a cloud system.

What is the difference between IoT and IIoT?

While in everyday life we associate IoT with networked vacuum cleaners, intelligent lamps and digital heaters, the Internet of Things is also used in the production environment: The Industrial Internet of Things (IIoT) is, so to speak, the industrial extension of the Internet of Things, and it is IIoT that makes Industry 4.0 possible in the first place. An industrial hall does not contain two or three sensors, but one hundred, two hundred or even thousands. The evaluation of this data makes it possible, for example, to detect irregularities in real time and to resolve any problems that occur automatically and without delay.

However, IIoT is not only used in production, because order and dispatch processes can also be optimized by smart devices. Stock about to run out? A sensor records the current inventory and informs the purchasing department. Parcel courier stuck in traffic? Thanks to GPS, the recipient receives a push message directly explaining that his package will be slightly delayed. Particularly interesting is a smart production facility if maintenance can be optimized. Routine checks are no longer necessary if the entire system is monitored by intelligent devices. An efficient and cost-effective solution for businesses – but what about the security of such networks?

Does IoT pose a cybersecurity risk to businesses?

Any device that has a computer chip and a network connection is potentially vulnerable to hacking. This begins with a light bulb and ends with the takeover of a nuclear power plant. In August 2019, the FBI commented on this topic: “Routers, wireless radio links, time clocks, audio / video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices could be hijacked for their computing power.”

With inadequately secured connections, IoT devices are increasingly becoming the target of cybercriminals, who for example use the processing power of sensors to build huge botnets. The malware Mirai infected more than 600,000 IoT devices in 2016 and successfully attacked several companies via DDoS attacks. Victims included American global companies like Netflix and Amazon, whose services were unusable for some time. In addition to the loss of service, such attacks often result in high loss of revenue and damage to the image of the company affected. Sending spam emails, hiding network traffic or generating ad-click fraud is also possible through the unauthorized takeover of IoT networks. Most importantly, cybercriminals are looking for data: The basis of the Internet of Things is the exchange and gathering of information from and about its users. Passwords and account credentials, as well as details about daily user behavior, are of interest to hackers, who can use this information for their own purposes and obtain it easily and quickly if the network is not adequately secured.

Why are IoT hacks already a real danger?

Currently, the number of networked devices is estimated at about 7.5 – 15 billion. In the next 5 to 10 years, the number is expected to increase to around 75 – 125 billion. Alexa and Google Home alone can be found in every fourth American household.

Big technology companies like Google and Amazon are of course eager to protect their devices from attacks. That’s why they invest huge budgets in their IT security. However, a large proportion of companies pay little attention to cybersecurity, because due to the high pressure to innovate, the main focus is on developing new devices in order to expand the product portfolio and increase sales. According to a recent security survey, some 950 of the companies surveyed invested around 13% of their IoT budgets in the security of their product or service development. Fewer than three out of five (59%) companies encrypt all data they collect or store on IoT devices.

Lack of security interest shown by companies and users

87% of all successful attacks on IoT devices are due to software which is not up to date, weak passwords, or a combination of both (Jason Sattler, 4/1/2019). Responsibility lies, on the one hand, with the companies, and on the other hand, with the users themselves. For example, many companies deliver their devices with a default password (e.g.: user: admin / password: password). If the user does not change or cannot change the login details, it is easy for cybercriminals to hack a variety of devices with a simple script.

The situation with software is similar: on the one hand, the user is obliged to regularly install updates in order to close security gaps. On the other hand, there are companies that, at worst, develop devices that cannot be updated at all. Often older devices simply no longer receive updates. The user is ultimately the victim. Other attack surfaces include open network ports and USB ports, SQL injection, insecure web interfaces, buffer overflows, network device fuzzing and cross-site scripting (XSS). The focus is on the development of new and innovative devices, not on their security. Many technologies are simply too cheap to cover the costs of IT security.

Internet of Things without legal security standards

The system behind a “smart device” is very different from that of a computer: A computer’s structure and operation are much more complex than those of, for example, a smart light bulb, and a computer has far more processing power. Accordingly, there are many ways to protect a computer from unauthorized access. But how do you protect a smart light bulb? Smart home appliances and networked machines have low computational power because they are often just small sensors connected to external servers. Only a script of a few KB runs on such devices, so the possibilities for securing them are limited.

The market of the Internet of Things is still quite new, demand is growing steadily and the industry is therefore fast-paced. Many manufacturers often lack the necessary expertise to protect the devices from possible cyber attacks, but time is also a factor to which security falls victim: Companies are under great pressure to bring new and innovative products to market faster than the competition. As a result, cybercriminals can develop new ways to gain access to devices faster than it takes to secure them. Another challenge for the growing Industrial Internet of Things market is that there are no legal production standards for companies. Hackers are aware of this lack of such standards and see IoT devices as easy targets. In addition, hackers can establish a broad reach with minimal effort through the growing number of smart gadgets.

But where there is no plaintiff, there is no judge: There are currently no laws or established security standards regarding the form in which IoT and IIoT must be protected. This leads to disorientation for both the manufacturer and the buyer alike, because both ask the same questions: Is the device secured well enough? And: How well is the device protected compared to other devices?

Foundations for a secure Internet of Things

The most important measure for more security in the IoT and IIoT domain is to make the manufacturers of smart products responsible. In view of the increasing risk, the British Government, in cooperation with the European Committee for Standardization, the European Telecommunications Standards Institute and the Cybersecurity Tech Accord, published a document in February this year entitled ETSI TS 103 645. An essential element of the 16-page document are its 13 provisions addressed to companies, which should serve as a guide to consumer IoT security in the manufacture of smart devices. These include the following items:


1. No universal default passwords

2. Implement a vulnerability detection tool

3. Implement regular software updates

4. Ensure secure storage of access data and sensitive information

5. Enable secure communication (encryption)

6. Reduce exposed attack surfaces

7. Ensure software integrity

8. Ensure protection of personal data

9. Ensure fail-safe design of systems

10. Monitor system telemetry data

11. Make it easier for consumers to delete personal data

12. Ensure easy installation and maintenance of equipment

13. Ensure validation of data entry


However, the provisions are only “suggestions” and are not yet mandatory – but they could at least serve as the basis for an IoT certification process.
In addition, new tools such as “AutoSploit” enable potential security vulnerabilities to be found during production. Using artificial intelligence, the tool performs fully automatic searches for code errors that could lead to cyberattacks (Dan Mosca, 2018). The following continues to apply in the IT industry: Secure by Design.

How do I protect my company from IIoT attacks?

According to the current situation, as a user, whether privately or at work, you cannot assume that networked devices are secure. In the area of digitization, many companies use the Internet of Things as part of their digital transformation. To do this, they are connecting a growing number and variety of IoT devices to the corporate network. These interact or communicate with other valuable IT resources and often process sensitive information. Precisely for this reason, companies must take precautions to ensure IT security, to protect access and data, but without losing touch with the digital future at the same time.

Cyber risk analysis
Before an IoT system is introduced, cyber risk should be analyzed and integrated into the company’s risk management. Assessing security for all planned IoT services and products is essential. In addition, regular reviews and certificates from IoT services provide customers with qualified proof that companies and manufacturers protect personal data well and process it transparently for users.

Regular inspection by a responsible person
During operation, the security of networked devices must be checked regularly. For this reason, it is important to appoint a responsible person who guarantees security in the long term. This person must regularly check whether all updates have been installed, when the last update was made available, and which hacks have appeared on the Internet that could pose a threat to the company’s systems. Tools like Shodan can be used to check whether devices from the company’s own network are visible on the public Internet.

How do I as a private person protect myself from a hack of my smart home?

Even for private end users, there is currently no quality seal as a guide for comparing the IT security of IoT devices. Therefore, the buyer himself must take security precautions. The following tips should be followed to increase the security of your IoT systems:

  • Only buy devices that you can update
  • Regularly install software updates
  • Change the default password of a device immediately after commissioning
  • Passwords for all IoT devices in the house should be different
  • If possible, periodically scan all devices and the network for viruses
  • Limit the access of associated apps to a minimum
  • Keep up to date on recent cyberattacks
  • Close ports in the network not currently required
  • Avoid IoT systems with a technically outdated web interface
  • Data should be encrypted via SSL / TLS

Some of these tips require some technical know-how. However, you can already increase security with little effort: Up-to-date software and secure credentials are the most basic recommendations to prevent your IoT system from being hacked.
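The tips above and the ETSI provisions listed earlier (no default passwords, regular updates, reduced attack surface, encryption) can be checked mechanically against an inventory of one’s own devices. The following is an added example, not Hornetsecurity’s code; the Device record, the 90-day update threshold and the sample devices are assumptions constructed for illustration:

```python
"""Audit a small IoT inventory against the hardening tips above: unique,
non-default passwords; updatable and recently updated firmware; only the
required ports open; TLS on web interfaces. Added example, not code from
Hornetsecurity; record format, thresholds and sample devices are assumed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# The factory default the text cites as typical: user admin / password password.
FACTORY_DEFAULTS = {("admin", "password")}
# Assumed threshold: firmware older than this counts as "not regularly updated".
MAX_FIRMWARE_AGE_DAYS = 90
# Constructed audit date so the example is reproducible offline.
TODAY = date(2019, 11, 1)


@dataclass
class Device:
    name: str
    username: str
    password: str
    updatable: bool             # tip: only buy devices that you can update
    last_update: Optional[date]  # date of the last installed firmware update
    open_ports: Set[int]        # ports reachable on the home network
    required_ports: Set[int]    # ports the device actually needs to function
    web_ui: bool                # device exposes a web interface
    tls: bool                   # tip: data should be encrypted via SSL / TLS


def audit_device(dev: Device, today: date, shared_passwords: Set[str]) -> List[str]:
    """Return the hardening tips this device violates (empty list = clean)."""
    findings = []
    if (dev.username, dev.password) in FACTORY_DEFAULTS or dev.password == dev.username:
        findings.append("default credentials")
    if dev.password in shared_passwords:
        findings.append("password reused")
    if not dev.updatable:
        findings.append("not updatable")
    elif dev.last_update is None or (today - dev.last_update).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware outdated")
    unneeded = dev.open_ports - dev.required_ports
    if unneeded:
        findings.append(f"unneeded ports open: {sorted(unneeded)}")
    if dev.web_ui and not dev.tls:
        findings.append("web interface without TLS")
    return findings


def audit_inventory(devices: List[Device], today: date = TODAY) -> Dict[str, List[str]]:
    """Audit every device; password reuse is only visible across the whole inventory."""
    counts = Counter(d.password for d in devices)
    shared = {pw for pw, n in counts.items() if n > 1}
    return {d.name: audit_device(d, today, shared) for d in devices}


def devices_needing_action(report: Dict[str, List[str]]) -> List[str]:
    """Names of devices with at least one finding, most findings first."""
    return sorted((n for n, f in report.items() if f),
                  key=lambda n: (-len(report[n]), n))


# Constructed sample inventory (not real devices or credentials).
SAMPLE_INVENTORY = [
    Device("ip-camera", "admin", "password", True, date(2018, 3, 1),
           {23, 80, 554}, {80, 554}, web_ui=True, tls=False),
    Device("thermostat", "owner", "Xk9-tQ2-Lm7", True, date(2019, 10, 5),
           {443}, {443}, web_ui=True, tls=True),
    Device("light-bulb", "hue", "hue-7f3a", False, None,
           {80}, {80}, web_ui=False, tls=False),
    Device("smart-plug", "plug", "hue-7f3a", True, date(2019, 9, 20),
           {443}, {443}, web_ui=True, tls=True),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name in devices_needing_action(report):
        print(f"{name}: {', '.join(report[name])}")
```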

Conclusion: Maintain progress and guarantee security

The possibilities offered by the Internet of Things are incredibly broad. Although IoT devices have already arrived in everyday life, we are only just scratching the surface of huge technical progress. Although innovation is a top priority among market participants, protection of IoT technologies should never be overlooked, as reported incidents have made very clear. In times of current and ever increasing cybercrime, security may be something that provides a competitive advantage over rivals and helps increase customer acquisition.

Experts interview: Dr. Yvonne Bernard about Artificial Intelligence

Currently the topic of artificial intelligence dominates every discussion about digitization. As a former researcher on open systems and trust and security mechanisms, this development prompted our Head of Product Management Dr. Yvonne Bernard to take a closer look. In her recently published article “AI – the same procedures as last century?” she provides a view behind the current hype. In the following interview with Yvonne, we explore the background of this innovative technology, take a look at the implementation of artificial intelligence in an entrepreneurial context, and in conclusion discuss its potential in IT security.


So, what made you decide to take a further look at AI?

Especially in recent years, I have seen an enormous increase in AI technologies applied and – perhaps more importantly – advertised by technology companies and vendors around the world.
Since I have been dealing with this topic in research and teaching for several years, I was really curious: Have the mechanisms that I used and taught at Leibniz Universität Hannover developed further? Basic research takes up to 20 years, as they say, to be separated (if at all) from basic research in business-relevant technology, but to be honest, some of the features we used back then, such as artificial neural networks, were already older than me.


If you say this technology has been around for decades, why is it actually being applied just now?

Nowadays, what makes the implementation of AI technologies really worthwhile is the possibility to store and process large amounts of data and to adapt the processing schemes if necessary. Big data doesn’t mean storing everything and then looking at what you do with it: you have to think about data types in order to calculate efficiently and effectively on the basis of these data volumes. Also, the promotion of these technologies, which have been in use for years, has of course made its contribution to the hype. Furthermore, the growing number and quality of libraries that are available to the public and not only to researchers is a further aspect. You don’t have to spend much time looking for suitable software or frameworks to realize your AI ideas in functional code. Frameworks such as TensorFlow, Caffe and CNTK can be mentioned here. Thus, AI is increasingly used for the fast and (nearly) optimum solution of real problems.

What has made the use of AI possible in companies and what is the necessity?

As already mentioned, the increasing number and quality of libraries and the possibility to work with large amounts of data are the main growth drivers of the use of AI in the business environment. In addition, completely new and additional techniques such as supervised machine learning can be applied. In this case, a certain amount of the available total data is used, which is assumed to be very similar to the data for which the algorithms are trained. An “unlearning” of desired characteristics is thus to be excluded.
By comparison: in research laboratories, it is always important to make sure that the algorithms to be applied are well parameterized and suitable for the targeted data set. In business life one often does not want to and cannot spend this time evaluating every possible parameter set. Moreover, a learning algorithm that learns something unexpected is great for a researcher but cannot be tolerated in business.


In which industries and processes do you see the greatest opportunities for the application of artificial intelligence?

It is safe to say that AI will not be the only solution to each of today’s problems. But there are areas where AI techniques are easier and more accessible than ever, and nothing should prevent developers and system developers from using the former pure research technology in any way that helps them find a good (or if possible the best) solution to their real problems. I would like to emphasize that – also at Hornetsecurity – many procedures from the set of AI methods have already been used successfully for years. In the past, however, such techniques were not advertised consciously, whereas today AI is perceived as a quality criterion or at least as an innovation. In general, the application is widespread in the area of optimization procedures and is also recommended, since simple heuristics are often not sufficient in terms of quality, but the determination of the optimal solution would not be possible in the desired time due to the complexity of processing times. Suitable learning methods can achieve excellent results in a short time – if you know how to use them wisely. Optimization processes can be found in almost all industries.

And finally: Do you think that artificial intelligence will influence and change IT security?

Yes, absolutely, but in both ways: Not only security research, but also attackers will increasingly use the accessibility of these technologies. With our comprehensive understanding and many years of experience in this field of algorithms, Hornetsecurity is well prepared for this “Arms Race”.

Ghidra – Reverse Engineering Tool of the NSA

On March 5, 2019 the long-awaited reverse engineering tool of the US intelligence agency NSA was presented at the RSA Conference. Our Head of Product Management Dr. Yvonne Bernard attended the event in person and shares her impressions in the following.

Ghidra! – Even our Security Lab is curious to see what the tool, which the NSA is publishing as open source software, has to offer. Reverse engineering tools are rare and expensive – but essential for security researchers and malware analysts to get to the bottom of suspicious files. Demand for the talk by Rob Joyce, Senior Advisor for Cybersecurity at the NSA, was accordingly enormous; the lecture room had to be enlarged. Rob Joyce opened his talk with a touch of humor, because he realized that half of the audience was only present because “NSA” appeared in the title.
He clarified straight away that the tool has no backdoor: if there is a community that would not tolerate one, it is this community. This may be different for open operating systems – “Each of your Android phones has a little bit of NSA in it”. Some rumors on the web, however, call the no-backdoor statement into question – the Java debug port is currently under discussion.

Ghidra offers a wide range of useful features for security researchers and has been designed for collaborative use: analysts can collaborate on a project basis and share information easily and globally. This is one of the goals the agency set itself with the release.
Thanks to its simple extensibility, researchers can add their own tools and integrate their own small applications, e.g. in Java or Python.
A generic processor model (Sleigh) in the background makes it possible to observe directly, at all levels, the effects of changes to individual parts of the binary and thus to understand unfamiliar software better. In addition to the interactive user interface, batch processing is also possible, so that large numbers of analyses can be performed at once.

Another important feature is the undo/redo function, which can be used to reverse individual actions without losing the rest of the analysis results. It can also be used to transfer actions to other samples.
The first impression of the tool is very promising, but Hornetsecurity only tests the software in isolated, secure environments on data samples that are suitable for this purpose – because some skepticism remains.

Some impressions of the Ghidra-Presentation

Social engineering – How hackers get at your data without programming skills

“There’s no technology today that can’t be overcome through social engineering.” (Kevin Mitnick, former hacker and social engineering expert)

Even with the best technical security precautions, every company has a risk factor that is difficult to control: the human one. To get hold of important data or gain access, a hacker needs to understand not only computers but also people. What exactly is social engineering and how can you protect yourself? We will answer key questions about this in the article below.

What’s behind “social engineering”

Social engineering is all about manipulating individuals on an interpersonal level. The hacker tries to gain the victim’s trust and persuade them to reveal confidential information, for example credit card details and passwords.

The method is not something that only occurs on the Internet, but a scam tactic that has been used for many decades. One of the best-known ploys is the “grandparent” scam, where a fraudster telephones an elderly person and passes themselves off as a relative in desperate need of money (German police program for crime prevention, 2017).

Criminals also regularly use social engineering for financial gain through online dating services. A seemingly young, attractive woman will contact a man who is obviously looking for a new partner. The impostor plays their single-woman-in-love role well enough to win the victim’s trust in a relatively short time. Then the criminal asks the victim to help them with money for something like visiting their “new partner” – after which they often cut off contact.

Social engineering attacks on companies

If social hacking works in the private sphere, then businesses are the next target for criminals – chiefly because there are often higher sums of money up for grabs here. Hackers follow much the same approach as with private individuals, although obtaining the information needed for a professional attack takes significantly more time. The following information is therefore especially relevant for cybercriminals:

  • Who is the head of the company (CEO) and which individuals are in leadership positions?
  • Who is authorized to make bank transfers?
  • When is the CEO on vacation or out of town for a work trip?
  • What business activities are currently happening?

Hackers will usually target an employee who is authorized to carry out financial transactions, sending them an urgent message from a fake email address that looks like it has come from the boss.

Examples of Social Engineering:

Due to the apparent urgency of the request, the email recipient then finds themselves rushing to follow their superior’s instructions without asking any significant questions. Once the data has been sent, the cybercriminal goes straight to work or money is transferred directly to the social hacker’s account. In 2016, large enterprises like Austrian aeronautics supplier FACC and Nuremberg-based cable manufacturer Leoni learned hard financial lessons about this modus operandi when they suffered losses of several million euros.

But be warned – CEOs and people in accounting are not the only ones who are vulnerable:

“Felix from IT here. I’ve noticed a couple of irregularities with your account on our system. Can you give me your login details so that I can check it out?

Regards, Felix”

How would you react to a message like this? Would you reply? You may not know everyone in IT, but Felix appears to be a coworker who is looking to help you safeguard internal IT security.

In large firms especially, most employees will not be familiar with the whole IT team. Anyone trusting such an email makes it possible for sensitive data to be stolen and puts many other areas of a business besides IT security at immense risk.

Phishing: the impersonal form of social engineering

A less laborious type of social engineering is the classic phishing email. A typical example is a fake PayPal email containing a link to an imitation website that looks so much like the original that the deception is hard to notice. The email asks people to update or verify their login details on this website, but doing so delivers the data directly into the hands of the scammers.

Unlike a personalized email, these messages are highly generic. The classic phishing email is based on a simple and inexpensive method, which means huge volumes of emails are sent. Even if only a fraction of the recipients fall for the ruse, hackers will have found the social engineering attack worthwhile.

Social engineering needs no programming expertise

Technical obstacles are overcome simply by employing psychological tricks, with hackers exploiting people as the weakest link in the IT security chain. Even the most secure vault in the world can be opened if the access details are handed over to unauthorized individuals. This saves the criminal a great deal of technical effort and lessens the chance of them being detected by IT security measures.

If you had replied to the email from Felix above, the hacker would have infiltrated the company network within a few minutes. No effort, no programming skill, no great risk. Criminals leverage employees’ fundamental trust and curiosity in order to steal data or money.

How can I protect myself and my company against social engineering?

Organize preventive training sessions on a regular basis to educate yourself and your colleagues about the dangers of fake emails. Regular information emails can also help to raise awareness of the issue.

As long as criminals have not gained access to an employee’s or the CEO’s email account, there are several different ways to recognize fake emails:

  • Verify the sender address: Check the sender address carefully. Is the email address really correct? Have any letters been swapped, maybe? Or an upper-case I replaced with a lower-case L? There will often be an automatically generated and untraceable second email address behind the first one. If you think an email is suspicious, you can take a closer look at the header. Information like the actual sender and the server that the message was sent from can all be found in an email’s header. In most cases, the sender is the clearest criterion for identifying a fraud attack.
  • Check first hand: Contact colleagues directly if you’re unsure. Call the person in question or speak with them face to face.
  • Rhetoric: With CEO fraud attacks especially, it is important not to let yourself be intimidated. Ask yourself whether the boss really wants to transfer €20,000 into an unknown account without anyone’s knowledge. Or consider whether your IT colleague Felix could in fact have noticed “unusual activity” and why that would make him require your login anyway. And even as a private individual – if you receive a surprising email from a company where you are a customer, it can help to make a brief call to their support team.
  • Pay attention to spelling mistakes: Phishing emails, in particular, are full of misspelled words: from an incorrectly written name to sloppy language that suggests the text was not written by a native speaker but perhaps translated by automated language software.
  • Don’t click on links directly: If the content of an email leaves you in any doubt, the best thing is not to click on any links inside it and instead to access the website concerned directly through your browser. For example, if Amazon asks you to update your details, then you should go directly to Amazon.com and look for a corresponding message there. If there is nothing to be found, you have likely received a phishing email.
  • Hover over links: Before you open a link, mouse over it. With most browsers, a small window will open in the bottom left. This is the URL which will be accessed when the link is clicked. Checking the URL provides information about the true destination of the displayed web address.
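The sender-address and link checks from the list above can be automated. The following script is an added example for this article, not Hornetsecurity code: it parses a raw message, flags a look-alike sender domain (upper-case I for lower-case l and similar swaps), compares the Return-Path domain from the header with the From domain, and compares the visible text of each link with its real destination. The company domain `example-corp.com` and the sample message are constructed for the demonstration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "example-corp.com"           # assumed company domain (hypothetical)
HOMOGLYPHS = str.maketrans("I1|0", "lllo")  # fold I, 1 and | to l and 0 to o before comparing
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

# Constructed sample: CEO display name, look-alike sender domain (upper-case I for
# lower-case l), Return-Path on another domain, link text unlike the real target.
SAMPLE = b"""Return-Path: <bounce@mailer-abc.net>
From: "CEO Jane Doe" <jane.doe@exampIe-corp.com>
To: accounting@example-corp.com
Subject: Urgent transfer
Content-Type: text/html

<p>Please confirm at <a href="http://login-check.net/x">https://example-corp.com/portal</a></p>
"""

def _domain(header):
    # Domain part of the first address in a header, case preserved for the homoglyph check.
    return parseaddr(str(header or ""))[1].rpartition("@")[2]

def _lookalike(domain):
    # True when the domain matches the legitimate one only after folding look-alike characters.
    return domain.lower() != LEGIT_DOMAIN and domain.translate(HOMOGLYPHS).lower() == LEGIT_DOMAIN

def _host(url):
    # Hostname of a URL or of bare link text such as "example-corp.com/portal"; None for plain words.
    return urlparse(url if "://" in url else "http://" + url).hostname if "." in url else None

def check_message(raw):
    """Returns the warnings that the manual checks above would raise for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain, rp_domain = _domain(msg["From"]), _domain(msg["Return-Path"])
    warnings = []
    if _lookalike(from_domain):
        warnings.append(f"look-alike sender domain: {from_domain}")
    if rp_domain and rp_domain.lower() != from_domain.lower():
        warnings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:  # regex is enough for this sample; a real filter would parse the HTML
        for href, text in LINK_RE.findall(body.get_content()):
            shown, real = _host(re.sub(r"<[^>]+>", "", text).strip()), _host(href)
            if shown and real and shown != real:
                warnings.append(f"link text shows {shown} but points to {real}")
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
```

A message from the real domain whose links point where their text says produces an empty list; the sample above produces three warnings, one per check.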

Google phishing quiz: Your free awareness check

A few weeks ago, Google created a security quiz in response to the sharp growth in phishing attacks. This quiz challenges you to try and spot a phishing email. Can you see through any social engineering attack? Find out now!

Additional safeguards with Hornetsecurity Advanced Threat Protection

Classic phishing emails will generally be identified and weeded out immediately by a good spam filter. A personalized social engineering attack, however, is not much different from a perfectly ordinary email. These unwanted emails will therefore end up in your inbox in spite of spam filtering.

Advanced Threat Protection goes a step further: various deep filters and heuristic detection mechanisms will uncover almost any fake email. With the help of AI, the filter learns from every attack and thus improves its detection rate on a daily basis. Advanced Threat Protection covers many of the above points completely automatically.
Ultimately, though, you should always question every email and be cautious about sharing data.