English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

Opinions |Gaming the security - The new generation of consoles

Christian
Kaspersky Lab Expert
Posted December 16, 14:04  GMT
Tags: Gaming Consoles, Online Games, Gaming malware, Microsoft, Sony
0.4
 

With the Xbox One having landed in many countries, it's time to have a closer look at the new console generation. The Xbox One is equipped with two virtualized operating systems, both running on a hypervisor: the core system for gaming and a slimmed down version of Windows 8 for the app landscape. It is also planned to make it compatible with apps originally made for Windows Phone. It will also be interesting to see the level of platform sharing with Windows 8 and therefore the compatibility for malware targeting existing Windows systems. This, however, is still something yet to be explored.

There have already been malware attacks on games consoles in the past. Like Trojans for the Nintendo DS and Sony PSP as well as proof of concept attacks against the Nintendo Wii, in which the console was used as a door opener to breach corporate networks, as shown at BlackHat in 2010. The malware, however, was seldom seen in the wild and needed a -homebrew- firmware first, in order to be able to execute pirated games v this is the way the malware was disguised and it was then spread via torrents and other file sharing networks. This meant high barriers for malware authors and the reason for the low infection rates. However, the high interconnectivity of modern consoles, like apps for Twitter, Facebook, Youtube, chat tools and video conferencing like Skype opens doors and makes them more vulnerable to attacks.

Opinions |Securing your Email space

GReAT
Kaspersky Lab Expert
Posted August 09, 13:46  GMT
Tags: Website Hacks, Identity Theft, Email, Data leaks, Cyber espionage
0.4
 

Yesterday, Lavabit - a secure e-mail provider - announced that it's closing down their operations. The official text and the Website looks like this:

Lavabit was one of the very few secure e-mail service providers bringing security for its paid customers by encrypting all locally stored e-mail messages with an asymmetric key and AES-256. This means that in order to decrypt the messages, an attacker would need to compromise the server first and then to know your password. There was no way even for Lavabit to decrypt emails without a userís password. A detailed description of how the Lavabit technology worked is available here: pastebin.com/rQ1Gvfy0

Few hours later, Silent Circle, another secure e-mail provider, announced shutting down its Silent Mail service too.

In general in order to make an e-mail server secure there are several criteria to match:

  1. Secure encrypted connections between the user and the e-mail server (it must be encrypted with a strong algorithm and to have a validation process to avoid the risk of a man-in-the-middle attack)

Opinions |Cyber predators lurking

Roberto Martinez
Kaspersky Lab Expert
Posted November 26, 20:39  GMT
Tags: Instant Messengers, Social Networks, Social Engineering, Privacy
0.3
 

Theyíre stalking, taking advantage of the anonymity offered by the Internet and using the most advanced techniques to deceive their victims. They pose a persistent threat. They are often very patient and have sometimes communicated with their victims over a number of days, weeks, months and sometimes for over a year before they finally arrange to meet with the young person. They are a new breed of predators.

Opinions |How to survive attacks that result in password leaks?

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted July 13, 15:18  GMT
Tags: Passwords, Data leaks, LinkedIn
0.2
 

We speak about attacks on online providers that result in the leak of personal usersí passwords. Just recently we saw the leak of 6.46 million Linkedin user passwordss. Right after this we saw a leak of 400 thousand Yahoo Voices passwords. These are not isolated cases; nowadays we see many successful attacks that lead to personal data leaks. One more example of this is the leak of personal information of users of one of the popular Android forums and finally the hack of the NVIDIA developer forum. Itís worth saying that many successful attacks are just not announced and the Internet community doesnít find out about them.

So, how do we deal with cases when our passwords can be leaked? Obviously the end user canít do much to protect his on-line service provider and prevent the leak, but there are some basic tips on how to avoid a big disaster when our passwords are compromised.

1.†† †Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.
2.†† †Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.
3.†† †Sometimes our online service providers donít let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.

For some users itís hard to remember complex passwords, in which case a good solution would be to use a password manager like Kaspersky Password Manager.

Remember, you canít stop your service provider being hacked, but you can avoid a bigger disaster when all of your accounts get compromised at once just because you used the same password!

Comment      Link

Opinions |Traveling in an interesting time

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted June 25, 05:15  GMT
Tags: Data leaks
0.1
 

When you arrive to a foreign country you may encounter an unexpected situation when the local authorities request your passwords. If you refuse, your entry to the country may be denied. That is a really bad situation. So, what should you do and what shouldn’t you do in order to not to lose your sensitive information and at the same time be granted entry to the country?

  • Have a bulk email with a unique password. This email address must be simple but a real one with no sensitive information stored in it. Please remember that the password you have for it shouldn’t be the same as for any other resource. The same is for the secret question you may have for the password recovery.
  • Don’t bring your main computer on trips! Have a travel one; use it only for when you travel abroad. Since it would be only for travel, you may encrypt only a part of the hard drive of this computer and not the entire disk. It will help you avoid more questions.
  • If you bring USB devices, make sure not to have anything sensitive on them.
  • Work only under your own VPN connections; make sure to use OpenVPN since it works even under very restrictive Firewalls and Proxies.
  • Make sure to use security software capable to detect malware and also network layer attacks.
comments      Link

Opinions |We Need More Than Jelly Bean

Tim
Kaspersky Lab Expert
Posted May 18, 17:03  GMT
Tags: Google
0.2
 

Google is set to launch Android 5.0, aka Jelly Bean, this fall. But do we even need it? While Google has made some steps in securing its Play branded marketplace, and offered a few security updates to the operating system, it is a fact that the most targeted Android platform is still 2.x. Why is that? There are several reasons, not the least of which is a lack of security patches provided to previously deployed operating system versions.

0.3
 

Market share! It’s an easy answer, but not the only one.

In 2011, Apple was estimated to account for over 5% of worldwide desktop/laptop market share. This barrier was a significant one to break - Linux maintains under 2% market share and Google ChromeOS even less. This 15 year peak coincided with the first exploration by the aggressive FakeAv/Rogueware market targeting Apple computers, which we discovered and posted in April 2011 and later in May 2011, which no longer seem to be such an odd coincidence. Also, the delay in Apple malware until now most likely was not because Apple exploits were unavailable, or because the Mac OS X system is especially hardened. The 2007 "Month of Apple Bugs" demonstrated that the Mac OS X and supporting code is full of exploitable flaws. Safari, Quicktime, and other software on Apple devices is regularly exploited during pwnage contests, but widespread cybercrime attention hadn’t caught on until this past year.

At this point, we still don't know who is behind Flashfake, so we don’t know for sure that they were the same Mac OS X FakeAv/Rogueware group. Speculating that eastern euro-cybercrime is behind the botnet would be a pretty confident way to go right now. There are known groups from the region that have succeeded at wringing ad revenues from traffic hijacking. We don't believe that other sensitive data has been targeted. And the exploit distribution URLs that we are aware of have only targeted mac users. These factors limit the operational and technical needs of a financially motivated cybercrime gang.

In a sense, it would appear that their activity was somewhat similar to the Koobface or Tdss gangs. They haven't commited large unique financial crimes to attract the attention of law enforcement, and their malware contains hooks and other code to perform more sophisticated banking crime than search traffic hijacking, but they most likely were looking to make a multitude of small financial gains. On the other hand, thankfully, Apple hasn't given these guys ample notice to make their run. There can be plenty of money in that business - it is estimated that the Koobface guys ran off with millions after Facebook "outted" their operation under investigation. But based on the domain registrations we have examined, the individuals are not quite so public and they are hiding their identities while they hijack search engine traffic. The malware itself injects a number of hooks into running applications, much like the Zeus, SpyEye, and other spyware. If these were used for financial crimes, the group operating this botnet would need to organize money mules and accomplices to launder their stolen money, which would grow the group and attract the attention of other authorities.

On the technology side, Java is a big part of the puzzle. Although the Trojan is called Flashfake because users were being convinced to install the malware as an Adobe Flash update, more recent versions of the malware were being installed via client-side Java exploitation.

Three vulnerabilities were targeted with client-side exploits, none of them were 0day, which seem to have become much more difficult to come by. Besides, this set worked just as well for these operators. It is interesting to note the duration of time from the original Oracle Java security update to the Apple Java security update, and when in that timeframe the release offensive security research publicly appeared. And, when were Metasploit open source exploit modules were released targeting the related Java vulnerabilities? The windows of time may be alarming – these are not 0day exploits, but Apple simply hasn’t released patches, leaving their customers exposed to the equivalent of known 0day exploits.

CVE-2012-0507

2012-02-15 Oracle patches Atomic Reference Array vulnerability

2012-03-10 First Itw exploits targeting the vuln

2012-03-30 Metasploit developers add Java atomicreferencearray exploit module

2012-04-03 Apple patches their code

CVE-2011-3544

2011-05-12 Reported to vendor

2011-11-18 Oracle patched their Java SE

2011-11-30 Metasploit developers add "Rhino exploit" module

2011-11-30 Krebs reports operational Blackhole site with the new Java exploit

2012-3-29 Patched by Apple

CVE-2008-5353

"Deserializing Calendar objects"

2008-08-01 Reported to Sun with first instance of the vulnerability

2008-12-03 Sun patches their code (Sun link down)

2009-05-15 Apple patches MacOSX code

2009-06-16 Metasploit developers add Java deserialization exploit

Also on this list is a lame exploit described as a signed applet social engineering trick.

I'd prefer to call it the "the terribly confused user presented with the Java 'do you want to trust this applet?' dialog and will run anything you present them" gamble. It first became a part of the Metasploit exploit module list on 2010-01-27. Basically, these guys present the user with a file that the user thinks is a JavaUpdate provided by Apple Inc themselves, which they grant trust to perform any action on their machine. The downloader will then communicate with a couple of sites to register and download new Flashfake components. These components in turn, collect the system UUID and timestamp, then auto-generate with a crypto algorithm a set of C2 domains, along with maintaining a list of hard coded domains. A couple of the newer components inject into running processes on the system hooking software functionality and hijacking traffic, much like past TDS malware.

Comment      Link

Opinions |10 Simple Tips for Boosting The Security Of Your Mac

Costin Raiu
Kaspersky Lab Expert
Posted April 09, 16:33  GMT
Tags: Apple, Oracle, Flashfake
0.6
 

Follow me on Twitter At the moment, there are more than 100 million Mac OS X users around the world. The number has grown switfly during the past years we expect this growth to continue. Until recently, Mac OS X malware was a somehow limited category and included trojans such as the Mac OS X version of DNSChanger and more recently, fake anti-virus/scareware attacks for Mac OS X which boomed in 2011. In September 2011, the first versions of the Mac OS X trojan Flashback have appeared, however, they didn’t really become widespread until March 2012. According to data collected by Kaspersky Lab, almost 700,000 infected users have been counted at the beginning of April and the number could be higher. Although Mac OS X can be a very secure operating systems, there are certain steps which you can take to avoid becoming a victim to this growing number of attacks.

Here’s our recommendation on 10 simple tips to boost the security of your Mac:

Opinions |CanSecWest: Let's talk about non-targeted attacks

Roel
Kaspersky Lab Expert
Posted March 10, 05:33  GMT
Tags: Targeted Attacks, Facebook
0.2
 

Today is the last day of CanSecWest - a security conference taking place in Vancouver, Canada. On Wednesday I filled in for Costin Raiu and talked about our forensics work into Duqu's C&C servers.

As I'm writing this, Google Chrome just got popped. Again. The general feeling is that $60k, even with a sandbox escape, isn't a whole lot of money for a Chrome zero-day. So, to see multiple zero-days against Chrome is quite the surprise, especially when considering the browser's Pwn2Own track record.

Separately, I found the Q&A session following Facebook's Alex Rice’s presentation immensely intriguing.

0.2
 

Will the Bouncer be effective in addressing the malware problems with Android apps?

First of all, this is a good and really necessary move Google is taking, however the solution will be only partial. Based on the public information around this service, all apps will be scanned for known malware. Basically that means a multi-scanner or something similar will be used, so the quality of malware detection will depend greatly on what AV engines Google will use to analyze apps. Not all AV engines have the same quality, so there is a possibility some malicious apps won't be detected as malicious. The second step offered by Google is emulation. It's a good approach, however it can also be cheated by anti-emulation tricks or a malicious app can be programmed to behave differently once an emulation is detected, making the app appear to be non-threatening.† So, basically the same malware tricks used to bypass Windows security can be implemented now on Android.

Is it still a good idea to use a mobile security program for protection even with Bouncer in place?

Yes, for sure it's a good idea. The situation is many people download apps not only from the official Android Market, but also from third-party sources.† Nobody knows for certain what kind of apps are out there on private market stores, run by people not affiliated with Google. Additionally as we mentioned if Google's multi-scanner won't count on all AV engines but only some of them, it's certainly good to use AV detection on your phone as a second opinion for anything that might have slipped past Google’s scanner.

Are there ways for hackers to sneak infected apps into the store despite Bouncer?

Yes and one of them is by hacking well known and trustful developers accounts. In fact I believe that will happen in the near feature. I say this because of Google says it will check all new developers account. If a developer is already known and trusted by Google, that developer account will be a prime target for cybercriminals. Also, even though we haven’t seen it happen yet, we know cybercriminals can start developing apps that work differently in specific geographic zones. For example, an app could be designed to only behave maliciously if it detects a Latin American carrier…if the same app is used by a US carrier, no malicious behavior will be detected. That's also an anti-emulation trick which can be exploited by cybercriminals in order to avoid Bouncer detection.

Comment      Link