
August 20th, 2015

This blog highlights some of the dangers the general public faces from the ever-expanding use of social networking sites, a trend set to grow even faster after the launch of government initiatives such as the Digital India campaign.

Social networking sites such as Twitter and Facebook provide an efficient, user-friendly interface for communicating with many people at once. People are connected to their friends, family and followers in real time, on the go, using mobile devices. The ugly side of this growing use is the potential for controlled, targeted abuse within a very short space of time. Recently The Hindu reported that Twitter had been abused in the recruitment programmes of banned organisations.

Users of social networking sites do not appear to think twice about sharing large amounts of their Personally Identifiable Information (PII) online. This freely available PII, which includes date of birth, phone number, address and so on, lets malevolent actors tailor their attacks to the individual and make them far more convincing. In addition, given the speed of transmission, attackers can reach a large number of victims very quickly, potentially triggering mass panic, spreading malware, increasing recruitment for banned organisations, and so on.

There is at least one documented case of the use of social networks to trigger mass panic in India through the use of doctored images and targeted, threatening messages. In August 2012 thousands of Indians from some North-Eastern states of the nation were made to feel threatened to the extent that they decided to flee in large numbers to their home states from other parts of the country; a grave situation indeed.

The above real-world example provides a stark reminder about the havoc that can be caused when malicious content goes viral, either intentionally or otherwise. Legislation related to IT in many countries provides for monitoring of online content, inclusive of social networking sites, especially given that national security could well be at stake. In the documented case mentioned above, the attack vectors were neutered and some semblance of normality restored only after the offending sites were temporarily blocked and bulk SMS/MMS were banned for a short time as per the provisions in law.

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

August 14th, 2015

This blog intends to inform the general public about the impact on the Internet of an increase in the prevalence of self-destructing messaging services.

Almost every one of us has more than one genie at hand: a smartphone, tablet, laptop and so on, where a click of a button or a screen-touch satisfies our cravings for anything from food to knowledge. The communication world, too, never runs short of new things popping up: tweets, pokes, chats, likes, posts and so on.

Don’t we enjoy a twist in the movies we watch? One has to wonder whether the Internet is the next victim of ‘anterograde amnesia’, as an unforeseen twist quietly takes over social networking services: messages that forget themselves.

On one hand, Hadoop and similar technologies are booming to handle the exponential growth of data, and spiders crawl the Internet to feed search engines. On the other, self-destructing communication methods are creating a counterbalance important enough to discuss, as the number of apps and services providing this functionality, and the number of their users, grows every day. The social networking giants’ competing feature is shifting from offering nearly unlimited storage space to offering an expiry time on demand. Quietly, large chunks of the Internet are being made to disappear.

When communicating confidential information over the Internet, we hesitate. We think several times about whether we can trust the Internet and its services, and for one reason or another we end up compromising with whatever communication services we get online.

Now the privacy debate is taking a noticeable turn, because these services appear to give more power to users: data wiping, evidence shredding and “suicidal messages”. It is not unusual to regret sending the wrong file or message to an unintended recipient, or liking the wrong post or comment by mistake. It is also important to note that auto-timed or customisable self-expiring messages are redefining secretive communication.

This trend seems to cure social media’s privacy fever with self-destructing email, ephemeral messages, auto-expiring tweets, timed chats, self-deleting pokes and much more, where earlier it struggled to hold itself together with features like ‘recall’ or ‘undo’ for a sent email, off-the-record chats, and so on.

Such self-destructing email services promise to destroy both the email itself and the trail it leaves across the servers it traverses, within a prescribed amount of time. Promises of this kind are not new to us; for years we have relied on strong encryption and secure channels to keep messages private.

There is always more than one solution to a problem. A few apps use temporary hyperlinks. Some provide a one-time password to access the timed web page; the password and the page are no longer available after the expiry time. Some store the contents temporarily on their servers until the message is delivered to all the intended recipients, then delete the contents from the servers and from the recipient’s inbox once the message is read. Some use external apps and browser extensions too.
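
One way the expiring, one-time link described above could be implemented on the server side, as an added example that is not code from any of the services discussed. The EphemeralStore class, its token layout (id.expiry.HMAC), the out-of-band one-time password and the status strings are assumptions made for illustration:

```python
import hashlib
import hmac
import os
import secrets
import time


class EphemeralStore:
    """Server side of a self-destructing message service (toy model).

    A message is stored under a random id. The share link carries the id, an
    expiry time and an HMAC over both, so a client cannot extend the expiry
    or guess ids. A separate one-time password is handed to the recipient out
    of band. The first successful read deletes the message; an expired
    message is deleted on the next access or by purge().
    """

    def __init__(self, secret=None):
        self._secret = secret or os.urandom(32)   # server-side key, never in the link
        self._messages = {}

    def _mac(self, msg_id, expires):
        data = f"{msg_id}.{expires}".encode()
        return hmac.new(self._secret, data, hashlib.sha256).hexdigest()[:32]

    def create(self, body, ttl_seconds, now=None):
        """Store body and return (link_token, otp)."""
        now = time.time() if now is None else now
        msg_id = secrets.token_urlsafe(12)
        otp = secrets.token_hex(4)                 # delivered separately, e.g. by SMS
        expires = int(now) + int(ttl_seconds)
        self._messages[msg_id] = {
            "body": body,
            "expires": expires,
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
        }
        return f"{msg_id}.{expires}.{self._mac(msg_id, expires)}", otp

    def read(self, token, otp, now=None):
        """Return (status, body); body is only present when status is 'ok'."""
        now = time.time() if now is None else now
        try:
            msg_id, expires_str, mac = token.split(".")
            expires = int(expires_str)
        except ValueError:
            return "invalid", None
        if not hmac.compare_digest(mac, self._mac(msg_id, expires)):
            return "invalid", None                 # tampered id or expiry
        record = self._messages.get(msg_id)
        if record is None:
            return "gone", None                    # already read or purged
        if now >= expires:
            del self._messages[msg_id]             # shred on first access after expiry
            return "expired", None
        otp_hash = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(otp_hash, record["otp_hash"]):
            # Wrong OTP: keep the message for the real recipient. A real
            # service would rate-limit attempts here.
            return "forbidden", None
        del self._messages[msg_id]                 # one read, then it is gone
        return "ok", record["body"]

    def purge(self, now=None):
        """Delete messages that expired unread; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [mid for mid, rec in self._messages.items() if now >= rec["expires"]]
        for mid in stale:
            del self._messages[mid]
        return len(stale)


if __name__ == "__main__":
    store = EphemeralStore()
    link, otp = store.create("meet at 9", ttl_seconds=60)
    print(store.read(link, otp))   # first read succeeds
    print(store.read(link, otp))   # second read finds it gone
```

The point of binding the expiry into the HMAC is that the server does not have to trust the link: a recipient who edits the timestamp in the URL gets ‘invalid’ rather than a longer-lived message. What the model cannot promise is anything about the recipient’s side, which is where the next paragraph picks up.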

Some apps face issues such as screenshots being taken, content being accessed through other channels instead of through the app, and message-ID vulnerabilities on related sites. Some apps have already fallen victim to cyber forensic studies because they merely save the images and videos in hidden folders or rename the files to unfamiliar extensions, and researchers are prepared to spend many hours and thousands of dollars on their research. Competitors then release newer, upgraded products promising ever more sophisticated, ‘artificially intelligent’ communication systems.
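
The forensic point above can be checked directly. The following added example (not code from the original post) scans a directory tree for media files identified by their leading bytes rather than by their names, so a dot-directory or an unusual extension does not hide them. The sample tree it builds, with a hidden folder and files renamed to non-media extensions, is constructed for illustration and contains only file headers, not complete images:

```python
import os
import tempfile


def sniff(head: bytes):
    """Return a media type for the first bytes of a file, or None.

    These leading bytes ("magic numbers") survive any renaming, which is what
    a forensic scan relies on."""
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(head) >= 12 and head[4:8] == b"ftyp":      # ISO base media: mp4/mov/3gp
        return "mp4"
    return None


# Extensions under which each detected type would be unremarkable.
EXPECTED_EXT = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "mp4": {".mp4", ".m4v", ".mov", ".3gp"},
}


def find_disguised_media(root):
    """Walk root (hidden directories included) and report files whose content
    is a media type but whose name says otherwise: (relpath, type, ext)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = sniff(fh.read(16))
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXT[kind]:
                findings.append((os.path.relpath(path, root), kind, ext or "(none)"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout in the style the post describes: an app keeps
    'destroyed' media in a dot-directory under non-media extensions."""
    hidden = os.path.join(root, ".cache", "received")
    os.makedirs(hidden)
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8   # header only
    mp4_head = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 8
    with open(os.path.join(hidden, "h_1234567.nomedia"), "wb") as fh:
        fh.write(jpeg_head)
    with open(os.path.join(hidden, "v_7654321.dat"), "wb") as fh:
        fh.write(mp4_head)
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:      # honest name: not reported
        fh.write(jpeg_head)
    with open(os.path.join(root, "notes.txt"), "w") as fh:       # not media: not reported
        fh.write("plain text, nothing to see\n")


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_disguised_media(tmp)


if __name__ == "__main__":
    for relpath, kind, ext in demo():
        print(f"{relpath}: {kind} content stored under extension {ext}")
```

Renaming and hiding change only the directory entry; the bytes the app wrote are still on the flash and still identify themselves. Only overwriting or encrypting the stored copy, and then discarding the key, actually defeats this scan.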

Cybercriminals use such services widely to communicate their secrets or to threaten victims; of course, anyone can use them for a legitimate conversation as well. Nor should one forget that self-expiring attachments are joining hands with this feature, preventing messages from being copied, forwarded, edited, printed or saved.

With competitors focusing on providing the self-destruction feature, the following questions certainly arise:

  • Will the internet become erasable?
  • Will social networking become the most secret communication method going forward?
  • Did we just discover invisible data or communication?
  • Will these mortal messages force cybercrime lexicology to accept its demise?
  • Will the expansion of SMS be changed to Short-lived Messaging Service?
  • Will the cyber crime investigators exclaim: “Eureka! But where did the evidence go?”?

Looks like we just have to wait and watch what surprises the future brings.

Images courtesy of:
cdn-media-1.lifehack.org/wp-content/files/2014/04/7557deec.jpg
blog.ericgoldman.org/wp-content/uploads/2014/08/shutterstock_167170781.jpg

Ayesha Shameena P
Threat Researcher, K7TCL


August 7th, 2015

This article intends to inform the general public about ‘Edge’, the newest browser from Microsoft shipped with Windows 10. It sheds some light on what’s new, what’s changed and why Edge was considered necessary.

It has been more than a week since Windows 10 started hitting users’ PCs; it has however been around for a couple of months via the Windows Insider program as a public beta. Reviews on the operating system have been trending in the tech review sites. Opinions in general have been on the positive side for Microsoft’s la(te)st operating system. One of the features that is generating interest is the new browser “Edge” offered in Windows 10.

Microsoft has finally bid goodbye to its ageing browser, Internet Explorer (‘IE’). Antiquated design, interoperability issues and security holes riddled IE, warranting a better, modernised browser. Codenamed Project Spartan, it finally took shape as Edge. Microsoft reworked its browser almost from scratch, borrowing bits of goodness from its competitors while being unique in its own way, with a personal assistant and the ability to annotate web pages and share them; most important of all, though, improvements to security were made.

Security was probably one of the main concerns that pushed Microsoft to reimagine its browser design. From a security perspective, Microsoft has dropped ActiveX support, infamous for its security vulnerabilities. Also on the “gone” list are BHOs (Browser Helper Objects, which became synonymous with toolbars) and VBScript support. Over the years support for these three features caused numerous security headaches for Internet Explorer.

Edge runs sandboxed from the rest of the operating system (as an AppContainer process with limited rights), which aims to prevent malicious scripts or code from affecting the OS itself. SmartScreen, introduced in IE8, is also part of the Windows 10 shell and is supported by Edge; it filters out phishing sites by performing reputation checks and blocking them. The new rendering engine should greatly reduce interoperability problems for web developers, allowing them to devote more time to security and stability.

Most security features that had been opt-in in IE until now have been made mandatory and will always be on, protecting users. Though Edge looks promising, it is a bit rough around the edges at the moment. Microsoft is in the process of embracing an extensions model like those of its competitors, Google’s Chrome and Mozilla’s Firefox, which is said to roll out by the end of this year. Once this is done Edge would be in a better position to handle the Internet; at least far better than IE, one would hope.

A word of caution to our readers: while you may be impatient to upgrade your operating system to Windows 10, beware of a new wave of spam emails doing the rounds. These are bogus emails offering a free Windows 10 upgrade, sent even to people who are not Windows 7 or 8 users (Microsoft offers free upgrades to genuine Windows 7 and 8 users only). These mails mostly carry malware of the nasty ransomware variety. Microsoft states that users will be notified of the upgrade on their screens and not via email. Kindly refrain from clicking on links or attachments in such fraudulent emails.

Some images (adapted to suit the article) are courtesy of several sites.

Kaarthik RM
Threat Researcher, K7TCL


July 31st, 2015

This blog intends to discuss a few real-time difficulties in identifying whether a downloaded Android application is safe or not, along with a few precautionary steps for Android smartphone users to follow when downloading an application.

Year on year, smartphone usage in India is growing at an enormous rate. These days almost everything is mobile: smartphones have become so convenient that users welcome applications even for day-to-day commercial activities such as paying bills, booking tickets, and so on.

This raises a serious question of trust: “How safe is the downloaded application?” It is generally believed that an application can be reasonably judged by the permissions it requests from the user during installation. Unfortunately, in recent times many legitimate applications have been seen requesting permissions that appear to be in no way related to their current core functionality, apparently only in view of the application’s future enhancements.

Recently, I came across a popular taxi booking application requesting permission to access media files (photos/videos) as shown below.

The above scenario was observed in a well-known banking application as well.

I would also like to share another interesting incident. A couple of days ago, we at K7 Threat Control Lab, received a “false positive” report from an end user claiming that a famous game application has been flagged incorrectly.

Upon further investigation, it was noticed that the application is actually a fake installer. Unlike the original game app, this fake application tries to download further applications. Such unexpected behaviour from a game application is not acceptable.

With many other potentially fake applications of this kind doing the rounds and the latest trend of online portals moving onto app-only services, the security risk level is certainly increasing. Worst-case scenario could involve the case of mobile wallet applications, where a user may also save his/her credit card information for future use.

It goes without saying that identifying an application as suspicious or safe remains a tough job, especially for an end user. When a mobile malware application exhibits permission requests and functionality similar to those of a legitimate application, the malware analysis process becomes complicated. Security experts must invest more time in studying code and metadata to confirm an application as safe; one example is the exhaustive permissions list requested by legitimate and malicious applications alike, much of which may not even be needed for their operation.
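
The permission check discussed above, as an added example that is not K7’s tooling: the Python below reads the uses-permission entries from an Android manifest and compares them with an assumed baseline for a ride-booking app, flagging the extras that Android classifies as ‘dangerous’. The manifest is constructed to resemble the taxi app case, and the baseline and category name are assumptions. A real APK stores its manifest as binary XML, so obtain the text with `aapt dump permissions app.apk` or apktool first. Since Android 6.0 dangerous permissions are also granted at runtime, but the declared list still bounds what the app can ask for:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the taxi app described above: the core
# permissions plus several that a ride-booking app has no obvious use for.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ridehail">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="RideHail"/>
</manifest>
"""

# Subset of the permissions Android classifies as "dangerous" (they guard user data).
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}

# Assumed baseline of what an app of a given kind plausibly needs.
EXPECTED = {
    "ride-hailing": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.CALL_PHONE",            # phoning the driver
    },
}


def declared_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def audit(manifest_xml, category):
    """Compare declared permissions against the category baseline."""
    declared = set(declared_permissions(manifest_xml))
    unexpected = declared - EXPECTED[category]
    return {
        "declared": sorted(declared),
        "unexpected": sorted(unexpected),
        "unexpected_dangerous": sorted(unexpected & DANGEROUS),
        "verdict": "review" if unexpected & DANGEROUS else "baseline",
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "ride-hailing")
    print(result["verdict"])
    for perm in result["unexpected_dangerous"]:
        print("unexplained dangerous permission:", perm)
```

A ‘review’ verdict is a reason to look closer, not a conviction: as the fake game installer above shows, an app can pass a permission review and still misbehave, and a legitimate app can over-declare. The list narrows where to spend analysis time.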

Even though the risk cannot be eliminated completely, it can be effectively reduced by following these oft-stated, traditional but still effective precautionary steps:

  1. Think twice before downloading an application: do you really need it?
  2. Download applications only from the official Play Store.
  3. Use the “Verify apps” feature of the Android OS to check whether the app is safe.
  4. Install trusted mobile security software, also downloaded from the official Play Store.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL


July 23rd, 2015

This blog intends to inform the general public about some of the potential challenges posed to the security industry allegedly by international intelligence and law enforcement agencies.

A couple of years ago, in an article for Virus Bulletin magazine written in response to insinuations of tacit collusion between some members of the security industry and intelligence/law enforcement agencies, I had suggested that these agencies do not require the collaboration of Anti-Virus companies to conduct their spying activities:

“Let us not be naïve…. Should these agencies wish to snoop, they don’t require the cooperation of AV vendors.”

Recent revelations bear witness to the above statement. It is apparent that international intelligence agencies, through their codenamed “Project CAMBERDADA”, have been investing effort in their attempts to compromise several well-known Anti-Virus products, our very own K7 Computing’s products included, in order to circumvent detection and blocking of their spying activities.

Above image courtesy of Project CAMBERDADA presentation

In addition to reverse-engineering Anti-Virus products, there have even been allegations of infiltration within Anti-Virus companies’ internal networks to siphon out sensitive data.

We stand shoulder-to-shoulder with our colleagues in security companies all over the world in our pledge to protect users in any event against formidable opposition and an increasingly complex threat potential.

Samir Mody
Senior Manager, K7TCL


July 16th, 2015

Here is an account of an unexpected incident that reignited my fading passion for email header analysis. And it was that… a friend of mine got a nasty headache. Ah yes, you read it right.

My friend runs a one-man-show as “the IT guy” for an organization. Every day he goes to work as energetic as he can be and returns completely drained from having to deal with the bulk of unsolicited emails (aka “spam”) that floods the company’s mail server.

But the “headache” was the result of their domain getting blacklisted.

They started receiving tons of bounced emails from mail addresses which meant nothing to them. And at times they even received mails that seemed to originate from their own domain.

He had no clue as to why their domain started receiving huge amounts of bounced back emails or why their emails were not delivered to the intended recipients.

Whilst he was trying to work out why this was happening, the poor domain was marked down for “rolling out bulk emails” and the domain was blacklisted. That explains the delivery failures.

He worked vigorously with the provider to get the company’s domain whitelisted, but the issue kept recurring so uncontrollably that bailing out the domain became part of his routine.

He wanted to find out whether the computers on the office network were infected by malware and how their emails were being hacked, especially given that they have one of the best Anti-Virus products installed and a good set of security policies in place.

His plea to take a look into the issue is what introduced me to Joe.

Scrutinizing the few email headers he showed me, I was able to identify that a rare form of spam attack nicknamed “Joe job” was causing damage to the company and its domain’s reputation.

So what actually is a “Joe job”?

A spammer can craft the email header to make it appear to come from a spoofed sender, i.e. the recipient would see something like “john@domain.com” in the “from” address but the actual sender would be someone else.

The “reply-to” field can also be played with, so that any human replies go not to the address in the “from” field but to the one specified in “reply-to”. Bounces (non-delivery reports) are a separate matter: mail servers return them to the envelope sender (the address given in the SMTP MAIL FROM command, shown as “Return-Path” in the received message), which the spammer can forge just as easily. In a Joe job that envelope sender is set to an address at the victim’s domain, so the victim receives the flood of bounces.

Spammers use this technique for various reasons including hiding their identity, escaping the issue of handling undesired bounced-back/non-deliverable emails, skipping spam filters and stealing the victims’ bandwidth.

Here is a description of the original attack for reference: http://joes.com/spammed.html

Even though Sender Policy Framework records were in place (SPF records allow domain owners to publish the IP addresses or subnets authorised to send email on their behalf) and security policies were properly set up, a few misses while configuring the mail server ended up feeding the domain’s reputation to spammers in this case. It should also be remembered that SPF is checked against the envelope sender only, and only by receivers that choose to enforce it; a receiver that accepts the message and bounces it later still sends the bounce to the forged address.

It is important to remember that spam filters cannot be too rigid, but simply rejecting bounced-back emails for messages the domain never actually sent (filtering this “backscatter” by checking each bounce against the server’s own sending records) could have saved the domain, to some extent, from falling prey to such spam attacks and causing a headache for my friend (although this did rejuvenate my fading passion…).
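
The header analysis described in this post, as an added example that is not the post’s own code. The Python below parses two constructed messages (the spoofed message as a third-party receiver sees it, and the bounce that comes back to the victim), checks the connecting IP against an SPF record (ip4/ip6/all mechanisms only; include, a and mx would need DNS), reports whether From, Return-Path and Reply-To agree, and flags backscatter by checking the bounce’s quoted Message-ID against the IDs the victim’s server actually issued. The domains, IP addresses, SPF record and Message-ID log are all made up:

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: the spoofed message as mx.example.org receives it.
# Both the visible From and the envelope sender (Return-Path) are forged as
# victim.example, but the message arrives from an unrelated relay.
SPOOFED_MSG = """\
Return-Path: <john@victim.example>
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.example.org with ESMTP; Thu, 16 Jul 2015 10:00:00 +0000
From: John Doe <john@victim.example>
Reply-To: <offers@example.net>
To: someone@example.org
Subject: Special offer
Message-ID: <spam-001@example.net>

Buy now.
"""

# Constructed sample 2: the non-delivery report that lands at victim.example
# after sample 1 was sent to a mailbox that does not exist (backscatter).
BOUNCE_MSG = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.org>
To: john@victim.example
Subject: Undelivered Mail Returned to Sender
Message-ID: <ndr-9f3e@mx.example.org>

The following address failed: nobody@example.org

--- Original message headers ---
From: John Doe <john@victim.example>
To: nobody@example.org
Subject: Special offer
Message-ID: <spam-001@example.net>
"""

# Constructed: Message-IDs victim.example's own server generated (from its logs),
# and its SPF record (in practice a DNS TXT lookup for victim.example).
SENT_MESSAGE_IDS = {"<20150715.1@victim.example>", "<20150715.2@victim.example>"}
VICTIM_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the
    connecting IP. include:, a and mx need DNS and are treated as no match."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            matched = True
        elif lowered.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            matched = False
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def _domain(msg, header):
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rpartition("@")[2].lower()


def sender_alignment(raw):
    """Domains of From, Return-Path and Reply-To, and whether they agree."""
    msg = message_from_string(raw)
    d = {h: _domain(msg, h) for h in ("From", "Return-Path", "Reply-To")}
    d["aligned"] = d["From"] == d["Return-Path"] and d["Reply-To"] in ("", d["From"])
    return d


def triage_inbound(raw, client_ip, spf_record):
    """Receiver side: SPF on the envelope sender plus header alignment."""
    align = sender_alignment(raw)
    spf = spf_check(spf_record, client_ip)
    return {"spf": spf, "aligned": align["aligned"], "reject": spf == "fail"}


ORIG_MSGID = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.MULTILINE | re.IGNORECASE)


def is_backscatter(raw, sent_ids):
    """Victim side: a bounce (null envelope sender) whose quoted original
    carries no Message-ID we ever generated is backscatter from a Joe job.
    A bounce quoting no Message-ID at all is unverifiable and also rejected."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("Return-Path", ""))[1]:
        return False                       # non-null sender: not a bounce at all
    quoted = ORIG_MSGID.findall(msg.get_payload())
    return not any(mid in sent_ids for mid in quoted)


if __name__ == "__main__":
    print("receiver view:", triage_inbound(SPOOFED_MSG, "198.51.100.7", VICTIM_SPF))
    print("victim view, backscatter:", is_backscatter(BOUNCE_MSG, SENT_MESSAGE_IDS))
```

The receiver side (triage_inbound) is what mx.example.org could have done: the relay’s IP is outside victim.example’s published range, so the -all mechanism yields ‘fail’ and the message can be refused at SMTP time, before any bounce exists. The victim side (is_backscatter) is the “reject bounces for mail we never sent” check from the paragraph above; it only works if the outbound server logs the Message-IDs it issues, which is the configuration detail worth getting right.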

Image courtesy of:
blog.antispam.fr/wp-content/uploads/2013/03/email-bounce.jpg

Ayesha Shameena P
Threat Researcher, K7TCL


July 10th, 2015

Microsoft is set to do away with its cycle of serving up security updates, released on the second Tuesday of every month. This is (un)officially known as ‘Patch Tuesday’ in tech circles.

In an earlier blog post, we mentioned that Microsoft is doing all it can to strengthen its security. Along the same lines, this move is meant to ensure that any security update, critical or not, reaches a Windows 10 user immediately rather than waiting for up to a month.

Yes, updates will be rolled out 24/7 year round for all devices that run Windows 10, thereby potentially reducing the time taken to address a security issue once it is found. These releases are not restricted to security updates alone, but any software enhancements would also follow the same pattern.  A round-the-clock approach updating the OS infrastructure could also improve the quality of the updates; in the past there have been issues with unstable patches.

While the month-on-month cycle is going to remain for Business and Professional users, Microsoft has reworked this under the title Windows Update for Business. This would provide features to prioritize patching based on chosen devices, to specify timeframes during which updates should occur, and peer-to-peer delivery of the updates for bandwidth conservation in an environment of a large number of computers.

This expedited update schedule is primarily aimed at securing devices ASAP once a security lapse has been identified and fixed.  Though Microsoft claims that users will be provided free lifetime upgrades, the timeframe might in fact be tied down to the type of device that the OS is running on and the device’s supported lifetime.

Perhaps Microsoft is taking the timely patching of security lapses to an even higher level because a lot of supposedly dead and buried malware (Conficker, etc.) that should not be spreading is still doing the rounds, simply because a patch has not been applied. It is imperative that we as users take security at least as seriously as Microsoft appears to be doing.

Image courtesy of:
keepcalm-o-matic.co.uk

Kaarthik R.M
K7TCL


July 2nd, 2015

The Honourable Prime Minister of India, Shri Narendra Modi, launched the Digital India project yesterday, an ambitious undertaking to interconnect and deliver government services to India’s 1.25 billion citizens.

Fortunately, the challenge of securing the vast cyber space for netizens has been keenly recognised by the Government of India as the Prime Minister stated the following in his speech:

“I dream of a Digital India where cyber security becomes an integral part of national security”

The Prime Minister made unambiguous references to the potential vulnerability of India’s current and future critical infrastructure and services to cyber-attack. The plethora of international spying, hacking, and Denial-of-Service attacks, which have made the headlines in recent times, allows one to put things in perspective. India has its own share of inimical nation states, along with non-state actors, both beyond as well as within the country’s borders.

The Prime Minister also recognised the dangers posed to an average netizen at a personal level. He related how common theft has progressed from stealing somebody’s wallet on a bus, in the past, to the current ability of criminals situated thousands of miles away to wipe out a bank account within the time it takes to click one’s fingers.

Indeed, as highlighted previously on our blog, there exists legislation to aid the protection of netizens from common cybercrime, as well as provisions to safeguard national cyber security. However, we believe there is a lot more to be done. In this blog we wish to highlight certain problem areas which need to be taken into account to boost cyber security for the netizen, and thus for the nation.

There is a lot of emphasis on the use of online social media and sharing of data “securely”. Of course netizens are only too keen to share Personally Identifiable Information (PII) on public sites, which may not even be hosted in one’s home country. Apart from its general nuisance value, leakage of PII allows the mounting of sophisticated targeted attacks. We recommend thinking several times before posting private information on public sites.

Plans to provide many services online, including secure private document storage, will require netizens to be made aware of basic security hygiene, at least vis-à-vis the use of strong passwords which must be difficult to crack. However, for ease of remembering, it is likely that many, if not most, netizens would employ the same credentials across multiple portals. The compromise of just one password could leave your data exposed on several other sites. In addition, the secure storage of digital certificates, used to authenticate the source and ownership of documents, is a cause for concern as a stolen certificate could lead to complete identity theft.

The exploitation of vulnerabilities on both the client and server side poses a real and present danger to all users. On the client side, the software installed on a user’s computing device can and does have hidden weaknesses that can be taken advantage of during attacks. Vulnerabilities on the server side, especially in web servers, have the potential to compromise thousands of users, and with the advent of Digital India perhaps millions. A huge proportion of websites, including many with ‘gov.in’ in the domain name, are not necessarily implemented and managed with security in mind, leaving netizens vulnerable. Several trusted Indian state and central government sites have been hacked and defaced in the recent (and not-so-recent) past. We have blogged previously about website hacking and the remediation techniques with which webmasters ought to be familiar. We hope that the government portals which deliver services will be made robust against any form of attack, particularly intrusion and Denial-of-Service.

Mobile devices are set to play a crucial role in the Digital India project. Android is likely to be the most common mobile platform used to communicate with government portals, given the relatively low cost of Android devices. It must be noted that despite Google’s assertions to the contrary, Android devices are certainly not invulnerable to malware attacks. Mobile devices must also be secured, with the user being made aware of the do’s and don’ts of app installation.

The above list of issues is far from exhaustive. We have touched merely the tip of the iceberg. Covering other potential issues is beyond the scope of this particular blog.

An interconnected, inclusive Bharat via the Digital India campaign is an exciting prospect. We wish the campaign all the very best, and we, as IT security professionals, hope to contribute significantly to its success. We would simply like to reiterate the cyber security threat potential to netizens and the Government of India so that robust security hygiene is maintained with discipline, allowing the freedom of a safe online service experience. Jai Hind!

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL


June 29th, 2015

Free software exists online aplenty, keenly attracting a user’s attention. The question is, “Are these free software applications really trustworthy?” With security as the main concern, a computer user must be careful when installing any software downloaded online. Many of these free programs install toolbars or other kinds of unwanted software that are bundled with them.

On the other hand, there are popular free software like Adobe Reader, Adobe Flash Player, etc., that seem to have become an almost mandatory part of computer use these days. Thankfully, these software installs do not include any compulsory extra activity apart from their core functionality, and even attempt to keep themselves secure with regular security updates as and when required.

Security updates are necessary given that many of these free software utilities have loopholes (also known as vulnerabilities) that are left unseen even after they are released to the outside world. These loopholes tend to attract attacks from remote hackers to compromise the user’s computer.

It is a known fact that many users globally, including a high proportion in India, have pirated software (especially the Windows OS) installed on their computers for whatever reason. Historically pirated versions of the Windows OS have not been eligible to receive either security or product updates, leaving the computer far more vulnerable to attack as cyber criminals always strive to exploit a new route or loophole in installed software to enter the target machine.

Therefore one should always be aware of the importance of the security updates. K7 users can run a “Vulnerability Scan” to determine if any known vulnerable components of certain high-profile software exist on the computer. At least in the case of popular free software users are strongly advised to avail of free security updates such as those provided by Adobe Reader, Adobe Flash Player, Java etc., to better guard against unpleasant surprises.

Image courtesy of:
Yadadrop.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL


June 19th, 2015

Windows 10 and its imminent launch have fuelled many discussions within tech circles. In this context we decided to share our thoughts on one interesting Windows 10 security provision.

Windows has had long-term issues with security. Hence over the last couple of years Microsoft has devoted extra resources to strengthening its security focus and image. With recent versions of Windows, Microsoft has added security-centric features like Secure Boot, ELAM (Early Launch Anti-Malware), Windows Store apps and AppLocker, and introduced SmartScreen at the desktop level. In addition, Windows Defender was upgraded from an anti-spyware solution to an anti-malware solution in an attempt to make Windows more secure than before.

With Windows 10, Microsoft is trying to up the ante in terms of security. MMPC recently published an article explaining their new Antimalware Scan Interface (AMSI), which aims to curb malware at the memory level. The article goes on to explain how obfuscation is employed even in script-based malware, from string concatenation to a simple XOR to more complex encryption. AMSI provides an interface through which Anti-Virus products can contextually scan a target memory region for specific malicious content. However a script is obfuscated, its content must be in plain form by the time the scripting engine executes it; at that point the engine hands the buffer to AMSI, and any bona fide security product that has registered as a provider is called back to scan the deobfuscated content using the AMSI APIs provided by Microsoft.

This would aid security vendors since there is no current documented way to intercept a dynamic script buffer. Hence, security products have had to occasionally resort to undocumented methods to attempt intercepting the content fed into the script engine, which could entail stability and performance issues.  Microsoft’s AMSI should prove a more reliable alternative to DIY solutions for script-interception.

Please refer to our earlier blog post for a detailed example of obfuscation in script-based malware.

K7 is getting ready for the Windows 10 release, and we will ensure that all our products are automatically upgraded through regular updates to remain compatible with Windows 10. As a K7 user, there is no effort required from you to prepare for this upgrade.

Images courtesy of:
royalwise.com
encrypted-tbn2.gstatic.com

Kaarthik RM
K7TCL
