Now the UK government has released a green paper (i.e. a consultation document on proposed legislation) called New Powers Against Organised and Financial Crime. This paper examines legislation that would fill 'a gap in the criminal law for catching those involved at the edges of organised crime'.
Among other things, the paper states that: 'Currently law enforcement authorities essentially have a choice between prosecution or no action when dealing with organised crime. That can be a stark and unproductive choice and we see a place for something in between - organised crime prevention orders - which could be imposed on individuals or organisation in such a way as to prevent organized criminality continuing.'
These Organised Crime Prevention Orders would enable the courts to take action against people suspected, on the 'balance of probability', of being involved in organized crime (including cyber crime), even where there is insufficient evidence for a criminal prosecution. Such measures, which might include 'imposing restrictions on travel or limiting the use of communications to phone numbers which had been notified in advance', are designed not to be punitive, but preventative, i.e. to 'deter continuing criminal activity'. Failure to comply with such an order would constitute a criminal offence.
All this could be seen in a positive light, as providing useful weapons in the fight against serious crime, including cyber crime. However, the initiative does throw up some questions. Perhaps the most obvious one is this: if there are 'gaps' in the criminal law, why fill them with civil legislation?
The reason, it seems, is that the burden of proof required by civil courts is lower than that needed to successfully bring a criminal prosecution. And this point leads on to concerns about civil liberties. Will the ends really justify the means? Preventing serious and organized crime is a laudable aim - but if the means erode existing civil liberties, it might be a high price to pay.
Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.
There are situations where passwords don't need to be very complex, since the user will be forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system will block further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.
However, the story’s very different for encrypted data devices – if they fall into the wrong hands, an attacker can just plug them into his computer and try out all passwords without any limitations.
Most encryption programs don't ask the user to enter the encryption key itself, but a password which is then used to generate the final key. Like any password, one for an encryption program should be relatively complex. A hundred years ago a password like "King Richard" would have been adequate. But today it could be cracked within seconds, using a dictionary attack.
Just ten years ago, 40 bit keys and passwords were seen as “secure enough”. But once again, today it would take just a couple of hours to try all the possible variations.
Nowadays, 128-bit keys should be the minimum and 256-bit keys are becoming the standard. This is where the problem lies: an attacker only has to search the weaker of the two, the key or the password that generates it. If the data is protected with a 256-bit key but the password carries far less entropy, the attacker simply guesses passwords instead of keys, and the strength of the cipher is largely wasted.
Let's assume that upper case, lower case and numbers are all valid password characters – that gives 62 possibilities per position. With 43 positions, there are about 1.18e+77 possible variants, which is close to a 256-bit key (1.15e+77 possibilities). But who can memorize a password with 43 characters, for example "jZ85xfbgGjf52d2sS8gd43ahfFR5rG3qZ4wF425FfVf"? And who has enough time to even type such a random string of letters and numbers? And such passwords are hardly likely to motivate users to change them regularly, which is of course recommended.
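To make the arithmetic above reusable, here is an added example (not code from the original post) that turns charset size and length into entropy bits, computes the length needed to match a given key size, derives a key from a password the way encryption programs do (using PBKDF2-HMAC-SHA256 as a stand-in; the post does not name a particular algorithm), and estimates brute-force time. The guess rate and iteration counts are assumptions chosen for illustration, not measurements.

```python
import hashlib
import math

# Character-set size used in the post: upper case, lower case and digits.
ALNUM = 62


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def length_for_bits(charset_size: int, target_bits: int) -> int:
    """Shortest uniformly random password with at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def effective_key_bits(charset_size: int, length: int, key_bits: int) -> float:
    """What the attacker actually has to search: the weaker of the cipher key
    and the password that feeds the key derivation."""
    return min(key_bits, entropy_bits(charset_size, length))


def derive_key(password: str, salt: bytes, iterations: int, key_len: int = 32) -> bytes:
    """Password -> key, as encryption programs do. PBKDF2-HMAC-SHA256 is an
    assumed stand-in for whatever a given product uses. Each iteration costs
    the user once per unlock and the attacker once per guess, so the
    iteration count scales the brute-force cost linearly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_len)


def brute_force_years(bits: float, guesses_per_second: float,
                      iterations: int = 1) -> float:
    """Expected time to find the password after searching half the space,
    assuming each guess costs `iterations` hash operations at the given
    raw hash rate (an assumed figure, not a benchmark)."""
    guesses = 2 ** (bits - 1)
    seconds = guesses * iterations / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for key_bits in (128, 256):
        print(f"{key_bits}-bit key needs {length_for_bits(ALNUM, key_bits)} "
              f"random alphanumeric characters")
    # An 8-character random alphanumeric password in front of a 256-bit key:
    print(f"effective strength: {effective_key_bits(ALNUM, 8, 256):.1f} bits")
    rate = 1e9  # assumed: one billion raw hashes per second
    print(f"40-bit search, 1 iteration:      {brute_force_years(40, rate):.2e} years")
    print(f"40-bit search, 100000 iterations: {brute_force_years(40, rate, 100000):.2f} years")
    key = derive_key("correct horse", b"assumed-16-byte-salt", 100000)
    print(f"derived {len(key) * 8}-bit key: {key.hex()}")
```

The iteration count is the one lever the software has that the post does not mention: it cannot add entropy to a weak password, but it multiplies the attacker's cost per guess by the same factor it costs the user per unlock, which is why modern encryption tools spend deliberately slow key derivation on the password.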
So what other options are there? Tips like creating passwords using the initial letters of easy-to-memorize sentences (e.g. "My cat likes to bounce off my furniture" -> "Mcltbomf") help less than they appear to: the letters come from English text, not from a uniform random draw, so the skew in letter frequencies cuts the entropy well below what eight alphanumeric characters could carry. Such passwords might make the user feel better, but they provide much less security than their length suggests.
Let's face it: the power of today's brute-force cracking has overtaken our ability to memorize complex passwords. Until someone invents a way to extend human memory, a key stored on a USB token or other device is the practical answer, with the associated risk that the device might be stolen together with your encrypted data.
It’s sad, but true - when it comes to data encryption, the password has had its day.
Today I got some more information about the railway hotspot situation in the Netherlands.
It seems that the new portal I mentioned yesterday isn't exactly new. In fact, it’s the standard KPN (a major Dutch ISP) hotspot portal which is providing Internet access.
It turns out that our blog set some things in motion and KPN fixed the problem as I described, by redirecting to a different portal. It also turned out that the error had been present for quite a while, meaning a lot of users had potentially exposed their data.
While I was browsing the KPN hotspot site I came across this - a program which you can download which will secure the connection between your notebook and the hotspot.
I haven’t had a chance to look at it in depth, but I'm sure the extra layer of protection will come in handy.
A full week before the G8 summit began in St. Petersburg, Kaspersky's own Virus Analyst Summit - the fourth edition - took place in Moscow, at the company's new office.
As we've mentioned before, this event takes place a couple of times a year. It gives the KL international team of virus analysts from France, the Netherlands, the US, Romania, Russia and UK a chance to meet and swap ideas.
This time we had a couple of new participants - Magnus (left), who's working out of the German local office, and Claudiu (right), who I work with in Bucharest. They're going to be part of our blogging team, as well as doing all the other things that we analysts do.
And as for what we actually do - well, there were lots of chances to discuss this. The summer 2006 summit included a crash course from Magnus in forensics, Shane's presentation on the deployment and development of honeypots, a discussion with Denis and Nikita on breaking long RSA keys, and David's vision of user education. And of course, there was time for less formal information swapping - the breaks were spent gazing into the future while enjoying a cup of tea and brownies.
We're already looking forward to the next summit. Maybe we bring extremes of temperature with us, or maybe there are only two types of weather in Moscow - white and green. Last time we met it was -30; this time it was +30. It'll be interesting to see what new developments there are in malware evolution and climate change by the next time we meet.
We've received some comments and some questions about my previous blog post.
First, let me clarify. Naturally I didn’t solely rely upon the output from my web browser.
I analysed what was happening at network level: the POST request which contained the username and password was being transmitted in plain text over HTTP.
After the inquiries I was particularly interested to see if the situation was still the same following the weekend. After all, what I experienced could have been some glitch.
So yesterday I went to the local station nearby and tried to confirm Friday’s findings. Although the access point was visible, the Internet seemed to be dead - it was impossible to get a response from the access point.
In an effort to solve this puzzle, I rang one of my colleagues to see if he could check his location. Unfortunately he was unable to get an IP address from the hotspot so that attempt failed as well.
We gave up for the day.
I tried again today in the renewed hope of finding something. Once again, at the first station I was unable to get an IP address, which dampened my spirits a bit. However, when I tried the hotspot at the second station it cooperated. Success!
And the outcome? What I found was a completely revised portal on a different webpage, using HTTPS. That's good. Interestingly, the old portal is also still up and running, and still using HTTP.
My educated guess about all this? The Dutch railways announced yesterday that they are going to make Wi-Fi available on all trains. They probably constructed the new portal specifically for this. And probably something has gone wrong with the old portal - we don't know why. This might also be why connecting to the hotspots is such a problem; I was only able to get a connection at the biggest of the three stations I visited today.
It’s an interesting little security puzzle. And it once again highlights that you should always keep your eyes open for anything unusual, no matter what the time or place.
Today I was travelling in the Netherlands by train. One of the great things is that major stations have their own wi-fi access. When we stopped at a station, as usual I wanted to check my emails while waiting for the train to move on.
Once I established a connection with the access point and opened my web browser to log on I immediately noticed something suspicious. Instead of getting an HTTPS site I was being directed to an HTTP site.
In my mind there were two options. Either the log on procedure had changed, or I was dealing with a rogue access point. It turned out to be the first.
What's the problem with that? Well, anything you send over an unencrypted wi-fi connection is sniffable. This is why the log-on page in particular should use HTTPS.
You can bypass traffic sniffing by using an encrypted tunnel to the service of your choice, for instance emailing via SSL/TLS or using a VPN connection for all your work. However, you cannot set up such a tunnel before you have actually logged on and have full Internet access. The log-on credentials themselves are transmitted in plain text.
This issue is particularly critical because a number of ISPs offer (limited) free internet access via these station hotspots. This means that if you log on using one of these hotspots, your log on details will be available to anyone with a network sniffer who is in the neighbourhood.
These hotspots may be convenient, but they’re currently insecure. As long as there’s no HTTPS available for logging on, I won’t be using this service, and I would advise users in the Netherlands to follow my lead.
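As an added illustration of the plaintext log-on problem described in these hotspot posts (this is example code, not anything from the original posts or from the hotspot operator), the following parses an HTTP request the way a passive sniffer on the same network would see it and reports any credential-looking form fields that crossed the wire unencrypted. The captured request is constructed for the example; the host name and field names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a captive-portal login as seen on an open hotspot
# when the form posts over plain HTTP. Not a real capture.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"username=alice%40example.com&password=hunter2"
)

# Constructed sample of the same mistake made with a GET: credentials in
# the query string are just as visible on the wire.
SAMPLE_GET = (
    b"GET /login?user=bob&pwd=secret HTTP/1.1\r\n"
    b"Host: portal.example.net\r\n"
    b"\r\n"
)

# Field names that usually carry credentials on a login form (assumed list).
CREDENTIAL_FIELDS = re.compile(r"pass|pwd|user|login|email|account|token", re.I)


def parse_http_request(raw: bytes):
    """Split a raw cleartext HTTP/1.x request into method, target, headers
    and the body bounded by Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, body[:length]


def plaintext_credentials(raw: bytes) -> dict:
    """Return {field: value} for credential-looking fields readable in a
    cleartext request: form-encoded POST bodies and GET query strings.
    Over HTTPS this parser has nothing to read, which is the whole point."""
    method, target, headers, body = parse_http_request(raw)
    found = {}
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("iso-8859-1")).items():
            if CREDENTIAL_FIELDS.search(field):
                found[field] = values[0]
    for field, values in parse_qs(urlsplit(target).query).items():
        if CREDENTIAL_FIELDS.search(field):
            found[field] = values[0]
    return found


def login_form_is_safe(form_action: str) -> bool:
    """A captive-portal login form is only acceptable when its action URL
    sends the credentials over https://."""
    return urlsplit(form_action).scheme.lower() == "https"


if __name__ == "__main__":
    for label, sample in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET)):
        print(label, "leaked:", plaintext_credentials(sample))
    for action in ("http://portal.example.net/login", "https://portal.example.net/login"):
        print(action, "safe" if login_form_is_safe(action) else "UNSAFE")
```

The check on the form action is the one a user can do by eye before typing anything: if the login page itself loads over HTTPS but the form posts to an http:// URL, the credentials still go out in the clear.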
Recently, there's been a lot of attention paid to different projects designed to use Google to find malware on the Internet. These methods have advantages and disadvantages. For instance, it's well known that Google doesn't index everything (yet), and malware authors can simply use a robots.txt file to tell Google not to index their creations. On the other hand, it's a very cost-effective way of obtaining infection statistics and samples.
Over the past year, we've been working on a couple of new projects here at Kaspersky Lab, to help us get a better view of what malware is available on the Internet. For instance, during January we ran a massive scan of the Romanian web space.
It's probably no surprise to anyone that exploits, especially IE-related ones, top the malware charts.
We'll publish a few more detailed results from these projects in the near future, including our scans of the Dutch and Brazilian web space. At the same time, it will be interesting to see if Google will take any precautions to prevent people from using it to find malware.
Most people I talk to claim that they are strong believers in updating. They update their operating system, applications that come with the operating system and security software almost religiously.
In turn most of these people are surprised when they hear that they should regularly check for updates to all the software they use. One example is some popular media players - some time ago, vulnerabilities were detected in them which allowed for remote code execution. And now of course we're seeing the same situation with Microsoft Office.
Over time we have also seen an increased focus on exploiting server-based software. Just think back to Net-Worm.Perl.Santy.a - it caused a major epidemic by exploiting a vulnerability in unpatched phpBB forums. More recently we've seen a large number of hackers targeting a vulnerability in IPB forum software. This resulted in a lot of sites being compromised and/or defaced.
And right now we're seeing extensive defacements on sites using outdated versions of Joomla and/or Mambo.
It's clear if a site has been defaced. It won't be quite so obvious if a site has been compromised.
Although we’ve been telling people to update regularly for a long, long time, this latest case shows that we can’t say it too often. Once again: it's of the utmost importance you make sure that all of your software is up to date, both on your local machine and on any remote servers which you administer.
According to Wikipedia, Nigeria's main exports are cocoa and oil. But what you won't find in most travel guides is that Nigeria is also associated with 419 scams and Internet fraud in general. In Germany, this international crime ring is often called the Nigeria Connection.
Last Thursday the German police arrested a 34-year-old in Berlin who is presumably a member of the Nigeria Connection. He sold non-existent items by on-line auction, and his more than 100 victims lost around 70,000 EUR. His victims transferred the money to illegally opened bank accounts; it was then withdrawn from the accounts using cashpoints that weren't monitored by cameras.
Working the other way round – as a bidder, not a vendor - is still on the daily agenda of the Nigeria Connection. How does this scam work? First, they bid on compact items like mobile phones and laptops, usually offering unreasonably high prices to ensure that their bids are accepted. They ask the vendor to send the item to Nigeria as soon as possible, often saying that it’s a birthday present for their children.
And usually they come up with the wildest stories - here are some excerpts from emails (with spelling and grammar errors typically found in Nigeria Connection messages) sent to the vendor following purchase:
“I live in australia, I'm interested in buying your item for my husband who went for christian program in nigeria.”
“Right now I'm in Osaka Japan a humanity programme. I want that item for my son in Nigeria.”
“I am Dr. Christy Ogieva, one of the Doctors currently in Turkey trying to put the Bird Flu under control. (...) for my son studing in Nigeria on the occasion of his birth day.”
The victim is told that they will receive full payment and money to cover additional shipping costs once the item has been sent. Usually the victims are asked to give their full address, phone number, email address and bank account information. There have been cases where vendors were told that the money would be delivered to them personally. Strange as it may seem, it looks as though there are people who believed this.
This scam has been around for a number of years now, but people keep falling for it. Members of the Nigeria Connection probably don't have as many children as they claim, but they do have a lot of imagination. And they’ll continue to use this to target unsuspecting on-line auction users.