
May 22nd, 2015


Despite device manufacturers warning users that rooting an Android phone voids its warranty, users still root their phones for various reasons: installing special applications that run only on a rooted device, removing built-in apps, USB tethering, turning the device into a Wi-Fi hotspot, and so on. In doing so they compromise on security and performance, and potentially risk the phone itself, since the user might fail at any step of the device-dependent rooting process with no warranty safety net to fall back on.

Apart from the traditional rooting methods, there are tools available online to root the device that can be run through either ADB or installed directly on the device.

One should also be aware that many Android malware require root access (administrative power) to execute the desired mala fide functions on the victim’s device. They acquire root access by bundling themselves with genuine applications that require root access, by triggering an application on the victim’s device that requires root access, or by invoking exploits that they carry within themselves, as in the case of Android/DroidDream, which carries the exploits RageAgainstTheCage and Exploid. In addition, the recent Android PowerOffHijack malware exemplifies the ill effects on the Android operating system if administrative power is acquired by malware.

Security enhancements in Android notwithstanding, new vulnerabilities and exploits for the OS are still identified regularly. According to the recent Microsoft report covering vulnerabilities and exploits reported in the second half of 2014, many of the non-Windows exploits found on Windows computers target the Android operating system and Open Handset Alliance.

All this implies that Android smartphone users should:

  • Ponder whether they really need to root the device
  • Be vigilant about the applications downloaded to root the device
  • Download the required application only from the official Google Playstore
  • Turn on the feature of “Verify apps” that is available with Android 4.2 or higher

Images courtesy of:
Talkandroid.com
Rootmyandroid.org
www.techlegends.in

V.Dhanalakshmi, Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

May 11th, 2015

This is the third part of the blog series on women’s cyber safety. It discusses “ONLINE SHOPPING”, the popular term doing the rounds in recent times, continuing from the second part, which described cyberbullying and its consequences in one’s life. A survey states that the majority of the goods sold online fall into fashion categories, which in turn could suggest that a huge number of women customers indulge in online/mobile shopping.

The convenience of online shopping comes with its own risks. Online shoppers should be aware of the possibility of online fraud, as cyber criminals continue to use cyber space to target credit/debit cards, bank accounts and miscellaneous user credentials in order to carry out financial transactions.

Online buyers should be aware of the following:

  1. Phishing attacks, where a fraudulent website resembling a popular legitimate website entices the user into carrying out financial transactions, resulting in both monetary and data loss to the user, or causes the download of malware hosted on the crafted website.
  2. One should also be careful about the online portal at which she/he opts to shop, as there are reported online fraud campaigns in which the purchased goods are either never delivered or a different product is delivered to the buyer after a delay. In either case it is ultimately a financial loss to the buyer.
  3. Shop online only through portals whose website address starts with “https://” (‘s’ stands for secure) with a lock symbol appearing next to it (or sometimes in the bottom right corner of the browser window), which indicates that the portal uses SSL encryption. The lock confirms only that the connection is encrypted, not that the merchant is genuine, so this check complements the previous two rather than replacing them.

With the increasing usage of smart devices, shopping is going mobile: “SHOPPING ON THE GO”. The number of Indian customers for mobile shopping is growing, given the special deals on purchases and the time saved. In addition, the concept of the e-wallet has attracted a large user base by presenting the shopper with additional deals and discounts.

E-wallet portals or mobile shopping applications are seen to:

  1. Provide the option of saving the buyer’s credit/debit card details in their database for future use. This raises the question “how secure is the data stored at the merchant’s end?”
  2. Offer auto-login with a Facebook or Google account. If the mobile is stolen or lost, auto-login combined with saved credit/debit card details might be a recipe for disaster.

Regardless of whether the shopping is through online computers or mobile devices, one should always:

  • Choose a reputed portal by reading through the reviews available and its track record
  • Download the mobile shopping/banking apps from the official app store
  • Think twice before saving your banking information or credit/debit cards details
  • Avoid opening advertisements or mails from an unknown seller or portal

Images courtesy of:

Dealwithus.co.in
betanews.com
globaldatacompany.com
thinglink.com

V.Dhanalakshmi, Senior Threat Researcher, K7TCL


April 27th, 2015

This is the final part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. Continuing from the fifth part of our paper…

Data Exfiltration and Cleanup



This stage of the APT involves the assailants collecting the sensitive data and transmitting it stealthily to a remote location. Data extraction can either be a one-time event or spread over a period of time, followed by constant snooping of the victim, all the while remaining hidden.

Once the objective of an APT campaign is achieved, the attackers exit the network in a phased manner after covering their tracks and clearing all potential evidence of an intrusion. The attackers could also plant or manipulate data in the target’s environment in an effort to create misdirection.

Extraction methodology

Confidential data that is collected during the period of the APT is copied to a staging server, compressed, encrypted and kept ready for transfer. Outbound sessions are then established that resemble legitimate traffic thereby attempting to fly under the security radar. The confidential data is thus extracted possibly in small chunks over a period of time.

The bad actors could exfiltrate data using any/all of the following methods:

HTTP/FTP/Cloud Storage Uploads

An HTTP/FTP upload or a cloud transfer is initiated by an application which is already approved by the firewall. Additionally, the packets could be SSL or custom encrypted making it difficult for security solutions to sniff.

Outgoing Emails with Password Protected Attachments

Sensitive contents are password protected and then transmitted using either a compromised employee’s email credentials, or by using a custom SMTP server.

Customized DNS Queries

Small chunks of data such as user credentials may be sent as custom DNS requests to DNS servers controlled by the attackers. The packets are then reassembled as required at the attackers end.

Fig. 14 shows encrypted data sent as a DNS query

VPN/IPv6 Tunnels

VPN and IPv6 tunnels are created from the staging server to a remotely controlled machine. The contents are then securely transmitted through these tunnels.


The hacking outfit commonly known in computer security circles as Comment Crew [13] has been observed using the above data exfiltration techniques. Sensitive data, potentially gigabytes in size, would first be collected in a centralized location and compressed into a password-protected RAR file. The final archives would be split into chunks and uploaded using FTP, custom file transfer tools, etc.

Cleanup Methodology

The attackers tend to delete their malicious code and its associated components by remotely issuing self-destruct commands from their C2C server. A time/event bound kill switch built into the malicious code could also be automatically triggered to avoid being caught.

System logs that maintain login attempts, security logs that maintain protection status, audit files that track system changes, etc. are modified by the attackers to make a forensic reconstruction of the attack impossible.

Indicators of Compromise

Capturing and transmitting confidential data is the raison d’etre of any APT. In order to facilitate this transmission, the attacker must contact external servers from inside the victim’s network.

Here are some of the common symptoms that indicate suspicious activity within the organization’s network:

Wrong Data in the Wrong Place

Movement of encrypted or confidential data from a machine containing sensitive information to a potential upload server with Internet access, all within the organization’s internal network, could indicate that something is wrong.

Similarly, the availability of large quantities of known-encrypted or sensitive data on a machine it is not supposed to be on could also indicate that something is amiss.

Anomalous Traffic


The following anomalies could indicate a compromise:

  1. Connections made directly to IP addresses
  2. HTTP/FTP connections on non-standard ports
  3. Connections to previously unused or high risk geo locations
  4. Accessing algorithmically generated domain names (DGA)
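The four traffic anomalies above, checked over constructed outbound proxy/firewall records, as an added example that is not part of the original paper. The record format, the baseline country set, the "standard" port table and the entropy/vowel thresholds for the DGA heuristic are all assumptions chosen for the illustration:

```python
import math
import re
from collections import Counter

# Constructed outbound proxy/firewall records (not from any real network):
# time,source,destination host (bare IP when no name was used),port,protocol,country
SAMPLE_LOG = """\
2015-04-20T09:02:11,10.1.4.22,www.example.com,443,https,US
2015-04-20T09:03:40,10.1.4.22,203.0.113.17,8081,http,RO
2015-04-20T09:05:02,10.1.4.31,files.example.org,21,ftp,US
2015-04-20T09:06:55,10.1.4.31,198.51.100.8,2121,ftp,KR
2015-04-20T09:08:13,10.1.4.22,xk3qzpwv7tyrmgl.net,80,http,US
2015-04-20T09:09:30,10.1.4.40,updates.example.com,80,http,US
"""

# Assumed organisational baseline: countries this network normally talks to.
BASELINE_COUNTRIES = {"US", "GB"}
# Ports on which each protocol is expected; anything else is "non-standard" for this check.
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}, "ftp": {21}}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_dga(host):
    """Crude DGA heuristic on the registrable label: long, high-entropy, few vowels."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.3 and vowel_ratio < 0.25


def analyse(log_text):
    """Return (time, source, destination, reasons) for every record that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, port, proto, country = line.split(",")
        port = int(port)
        reasons = []
        direct_ip = bool(IPV4.match(dst))
        if direct_ip:
            reasons.append("direct-to-ip")            # rule 1: no hostname involved
        if proto in STANDARD_PORTS and port not in STANDARD_PORTS[proto]:
            reasons.append("non-standard-port")       # rule 2
        if country not in BASELINE_COUNTRIES:
            reasons.append("unusual-geo")             # rule 3
        if not direct_ip and looks_dga(dst):
            reasons.append("dga-like-domain")         # rule 4
        if reasons:
            findings.append((ts, src, dst, reasons))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reasons in analyse(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {', '.join(reasons)}")
```

The heuristics are deliberately simple; in production the baseline would be learned from the organization's own traffic rather than hard-coded.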

Other Indicators

Inconsistent events in audit logs maintained at network and endpoint level, changes in the system drivers list without a corresponding application uninstallation process, etc. can also be used as indicators of compromise.

Prevention/Detection

Confidential information is the crown jewel of any company and typically it is this information that the attacker is focused on stealing. The following solutions can be used to protect against the exfiltration of this confidential data:

Hardened DNS Servers


Outgoing DNS queries should be logged and monitored extensively for anomalies. Organizations could also create and maintain their own hardened DNS servers.
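The kind of anomaly this DNS monitoring is meant to catch is the "customized DNS queries" exfiltration channel described earlier: many unique, encoded-looking subdomain labels under one registered domain from one client. The detector below is an added example, not code from the paper; the log format, the constructed hex chunk labels and the thresholds are assumptions, and it uses "last two labels" as the registered domain where production code would consult a public-suffix list:

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query log (no real traffic): time client qtype qname.
# The long hex labels stand in for encoded data chunks smuggled out one query at a time.
SAMPLE_DNS_LOG = """\
10:01:02 10.1.4.22 A www.example.com
10:01:05 10.1.4.22 A mail.example.com
10:01:09 10.1.4.22 TXT 4d4a7a5a2b6b32684a4c6f7a6e71.relay.example.net
10:01:10 10.1.4.22 TXT 72387a5a4b6d5142743455746b7631.relay.example.net
10:01:11 10.1.4.22 TXT 5a6e4a6f713738643356346b786a.relay.example.net
10:01:12 10.1.4.22 TXT 6c6a4b3255766e31526d6c3976704f.relay.example.net
10:01:14 10.1.4.31 A cdn.example.org
10:01:20 10.1.4.31 A www.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def entropy(text):
    """Shannon entropy in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def label_looks_encoded(label):
    """A long pure-hex label, or a long base64-style label with high entropy."""
    if HEX_LABEL.match(label):
        return True
    return bool(B64_LABEL.match(label)) and entropy(label) > 3.5


def registered_domain(qname):
    """Last two labels (assumption: a public-suffix list would replace this in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_exfil(log_text, min_unique=4, min_encoded_ratio=0.5):
    """Group queries by (client, registered domain) and flag groups whose leftmost
    labels are numerous, mostly encoded-looking and never repeat (cache-busting)."""
    stats = defaultdict(lambda: {"unique": set(), "total": 0, "encoded": 0, "txt": 0, "chars": 0})
    for line in log_text.splitlines():
        _, client, qtype, qname = line.split()
        leftmost = qname.split(".")[0]
        s = stats[(client, registered_domain(qname))]
        s["unique"].add(leftmost)
        s["total"] += 1
        s["chars"] += len(leftmost)
        if label_looks_encoded(leftmost):
            s["encoded"] += 1
        if qtype in ("TXT", "NULL"):      # record types that carry the most payload back
            s["txt"] += 1
    alerts = []
    for (client, domain), s in stats.items():
        ratio = s["encoded"] / s["total"]
        if len(s["unique"]) >= min_unique and ratio >= min_encoded_ratio:
            alerts.append({"client": client, "domain": domain, "queries": s["total"],
                           "unique_labels": len(s["unique"]), "encoded_ratio": ratio,
                           "txt_queries": s["txt"], "avg_label_len": s["chars"] / s["total"]})
    return alerts


if __name__ == "__main__":
    for alert in find_dns_exfil(SAMPLE_DNS_LOG):
        print(alert)
```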

Security Solutions

Data aware technologies like Data Leakage Prevention (DLP) can be added to the organization’s existing layer of defense. Once critical and confidential data is identified, DLP solutions track and prevent this data from falling into the wrong hands.

URL scanners with built-in reputation intelligence can be used to detect:

  1. Access to subdomain/domains which are not popular or appear suspicious
  2. Repeated attempts to connect to domains which no longer resolve
  3. Attempts to connect to blacklisted or malicious IP addresses/domains
  4. Newly registered domains

Network scanners with Deep Packet Inspection and machine learning capabilities can be used to build a knowledge base of general network usage trends. Alarms are raised when deviations exceed pre-defined thresholds. This knowledge base includes:

  1. Commonly used protocols with source and destination information
  2. Common geo locations contacted
  3. Number of connections and the length of connections made depending on the time of the day

Software that takes disk backups and dumps physical memory images at regular intervals is of great help during incident response and forensic analysis of a potential APT attack.

Conclusion

The implications of the complexity and perseverance of Advanced Persistent Threats are of major significance to the existing security infrastructure. The evasion techniques discussed in this paper have exerted colossal pressure on the current methods used to detect and report these threats, especially where the human element is involved.

Safeguarding oneself against APTs requires more than just traditional security solutions. The need of the hour is a comprehensive, holistic security plan that intelligently integrates events reported from numerous forms of security established at various levels of the organization. This solution should be able to handle massive volumes of logs and spot patterns of an attack, find sources of a breach and stop new threats in their tracks.

Things are about to get a whole lot more difficult with compromised mobile devices joining the fray. Strategies to identify and stop sophisticated, multi-pronged APT attacks have been discussed; however coordinated implementation is far from straightforward. We live in interesting times.

References:

[13] http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Lokesh Kumar
K7 Threat Control Lab


April 20th, 2015

Following positive feedback on our blog a couple of months ago describing CTB Locker we have been requested to do a piece on another ransomware, TeslaCrypt.

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources, e.g. by encrypting your personal documents, etc., until a hefty sum is paid to the criminal gang which caused the infection. Ransomware is terribly destructive which is why my colleague Gregory and I have decided to present our views on how to curb this scourge at the international Virus Bulletin security conference later this year.

Now then, TeslaCrypt. There has been plenty of publicly-available data on TeslaCrypt since its emergence in February. It is possible that many currently believe that TeslaCrypt attacks only gamers and gaming software. This is not the case, of course. Similar to most other ransomware TeslaCrypt encrypts documents, music and photos. In addition to these common filetypes it also encrypts files with extensions which are used specifically by gaming software.

A fresh sample of TeslaCrypt from a couple of days ago reveals that its functionality has not changed much from its first avatar, even as it is enveloped in new robes to evade detection, which it fails to do, by the by. This “latest version” (VV3) of TeslaCrypt encrypts files with the following extensions:

.sql;.mp4;.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.zip;.sie;.sum;.ibank;.t13;
.t12;.qdf;.gdb;.tax;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;
.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.forge;
.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.vcf;.vtf;.dazip;.fpk;.wb2;
.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.ltx;
.vfs0;.mpqge;.kdb;.db0;.dba;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.xf;
.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;
.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;
.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;
.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbf;
.rtf;.wpd;.dxg;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;
.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;.pkpass;.mov;.vdf;
.icxs;.hvpl;.m2;.mcmeta;.mlx;.kf;.iwd;.xxx;.desc;.der;.x3f;.cr2;.crw;.mdf;


A diff between the extension list then (February-end) and now shows the following entries:

> .sql
> .mp4
< .sc2save

> .zip
< .mcgame

> .mov
< .001

> .vcf
< .DayZProfile

> .dba
< .dbfv

> .dbf

“>” indicates a new entry and “<” indicates a removed entry. Interestingly it appears there’s now a reduced emphasis on gamers and more on the general public, targeting ZIP archives and database-related files, etc.

The main ransom demand splash screen and “help” message remain relatively unchanged:

Note, the threat to double the decryption price is somewhat different from the previous one which, as usual, claimed that the private key would be deleted after the time counter has run down to 0.

Encrypted files still appear as <original file name with original extension>.ecc:

TeslaCrypt still masquerades as the infamous Cryptolocker, a year after its demise, by continuing to create a shortcut on the desktop with the said name:

As can be seen from the above image TeslaCrypt continues to execute itself as a randomly-named EXE at the root of the Application Data directory. It still drops a file called key.dat in the same location. It has been reported that key.dat contains the 256-bit AES symmetric key used to encrypt the target files, which is eminently possible. It is worth mentioning that TeslaCrypt contains references to OpenSSL functions, e.g. BN_CTX_new(), which must be used to perform the encryption. The exact format of key.dat is as yet unknown so we are unsure which part of it may be the AES key.
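A host triage routine for the indicators just described (.ecc files, key.dat and a randomly-named EXE at the Application Data root, the Cryptolocker desktop shortcut), as an added example that is neither K7's tooling nor the sample's code. It assumes a Windows profile with the Application Data root at AppData\Roaming, a constructed profile tree built in a temporary directory, and only a subset of the extension list above:

```python
import tempfile
from pathlib import Path

# Subset of the extension list quoted in the post; enough for the constructed tree.
TESLACRYPT_TARGETS = {".doc", ".docx", ".xlsx", ".pdf", ".jpg", ".zip", ".sql", ".dbf", ".sav"}
ENCRYPTED_SUFFIX = ".ecc"


def triage(profile_root, appdata_rel="AppData/Roaming"):
    """Scan one user profile and report the TeslaCrypt indicators found."""
    root = Path(profile_root)
    appdata = root / appdata_rel        # "Application Data" root; assumption for Vista and later
    desktop = root / "Desktop"
    findings = {"encrypted_files": [], "targets_still_clear": [], "key_dat": None,
                "appdata_root_exes": [], "cryptolocker_shortcut": None}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ENCRYPTED_SUFFIX:
            findings["encrypted_files"].append(str(path))
        elif suffix in TESLACRYPT_TARGETS:
            findings["targets_still_clear"].append(str(path))   # not (yet) encrypted
    key = appdata / "key.dat"
    if key.is_file():
        findings["key_dat"] = {"path": str(key), "size": key.stat().st_size}
    if appdata.is_dir():
        # Only files directly at the root, as in the post; subdirectories are ignored.
        findings["appdata_root_exes"] = sorted(
            p.name for p in appdata.iterdir() if p.is_file() and p.suffix.lower() == ".exe")
    if desktop.is_dir():
        for p in desktop.glob("*.lnk"):
            if "cryptolocker" in p.stem.lower():
                findings["cryptolocker_shortcut"] = str(p)
    for k in ("encrypted_files", "targets_still_clear"):
        findings[k].sort()
    persistence = findings["key_dat"] or findings["appdata_root_exes"] or findings["cryptolocker_shortcut"]
    if findings["encrypted_files"] and persistence:
        findings["verdict"] = "likely TeslaCrypt activity"
    elif findings["encrypted_files"] or persistence:
        findings["verdict"] = "partial indicators, investigate"
    else:
        findings["verdict"] = "no TeslaCrypt indicators found"
    return findings


def build_sample_tree():
    """Constructed profile mimicking the indicators in the post (placeholder contents)."""
    root = Path(tempfile.mkdtemp(prefix="teslacrypt-triage-"))
    files = {
        "Documents/report.docx.ecc": b"\x00" * 64,
        "Pictures/holiday.jpg.ecc": b"\x00" * 64,
        "Documents/budget.xlsx": b"not yet touched",
        "Music/song.mp3": b"not a target extension",
        "AppData/Roaming/key.dat": b"\x00" * 32,        # placeholder; real format is unknown
        "AppData/Roaming/qwxk1r.exe": b"MZ",           # constructed random-looking name
        "AppData/Roaming/Helper/tool.exe": b"MZ",      # below the root, so not counted
        "Desktop/Cryptolocker.lnk": b"L\x00\x00\x00",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```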

Thus far we have covered several indicators of compromise, and we hope you are not experiencing an uncomfortable sense of déjà vu whilst reading this blog. Let’s now address the typical queries related to malware, with the focus on TeslaCrypt and other ransomware:

  • How did it get on my computer?

TeslaCrypt’s modus operandi vis-à-vis spreading itself is via hacked websites which trigger exploits for your browser, typically referred to as a drive-by attack. Other ransomware tend to spread via mass-mailed attachments.

  • How should I prevent an infection?

The malware should be arrested as soon as possible, before any damage is done. As in the case of any other malware, we would recommend the usual hygienic best practices:

  1. Surf only known, highly-reputable sites
  2. Don’t open email attachments from unknown sources
  3. Keep your security software up-to-date. Some security software, such as K7’s Total Security, contains Carnivore Technology to heuristically block attempts to exploit your browser

  • Now that I am infected, what should I do?

We’ll have to be brutally honest. In the case of modern ransomware you have found yourself in a difficult situation. It is typically impossible to decrypt the targeted files without the appropriate key. We strongly discourage paying any ransom to potentially obtain the key and recover your files, though, since this would only serve to fund and encourage further criminal activity.

Restoring a previous known good state from OS system restore points is sometimes an option but TeslaCrypt attempts to prevent this escape by deleting the restore points by executing the following command:

vssadmin delete shadows /all

Instead it is hoped that you would have backed up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, we would highly recommend this practice. Please note, a general hard disk failure is much more likely to strike you than a ransomware infection!

We hope this content helps build awareness about malware in general and ransomware in particular, with an emphasis on TeslaCrypt, thus aiding the relentless battle against innumerable cyber bandits.

Generic ransomware image (first) courtesy of:
files.itproportal.com

Samir Mody
Senior Manager, K7TCL


April 17th, 2015

In a previous blog we mentioned that it might be beneficial for Indian netizens to have a very high-level overview of how existing cyber laws are meant to protect them.

The Information Technology (Amendment) Act 2008 has provisions to enable cyber policing, thereby attempting to ensure cyber security, which is defined thus:

“cyber security” means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, modification or destruction

The following images describe activities which are outlawed in the aim of ensuring cyber security:

Anyone found indulging in any of the above illegal activities would attract stiff punishment as mentioned below:

We hope this provides netizens with a better understanding of the provisions in the IT (Amendment) Act 2008. We will continue to explore more niche aspects of the Act in our upcoming blogs.

Images are courtesy of several sites including:
botandbotnets.weebly.com

Samir Mody
Senior Manager, K7TCL


April 10th, 2015

This is the fifth part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014.

Continuing from the fourth part of our paper

Expanding Access and Strengthening Foothold

The device that falls first is usually not the primary target of the APT. This backdoored computer is instead used as a base to search and compromise more devices that likely contain credentials to other workstations, application servers, etc. The assailants move laterally within the network, gaining access to these machines, strengthening their foothold, all the while hunting for valuable target information which was the objective of the attack.

Expansion Methodology

The initial infected host connects back to a command and control (C2C) infrastructure controlled by the bad actors. It sends critical information such as password details, the privileges of the currently logged-in user, mapped drive information, etc. and awaits further instructions. The following techniques are used by the attackers to expand their access:

Privilege Escalation

The attackers exploit privilege escalation vulnerabilities to escape the confines of a limited user’s account. The objective here is to gain “root” on the infected machine, which enables them to perform tasks that require elevated privileges such as creating/deleting system services, accessing critical processes’ memory space, mapping internal networks, etc.

Fig.13: Privilege escalation code used from the Council for Foreign Relations Watering Hole attack

Remote Exploitation

Malware components can exploit network vulnerabilities to compromise systems accessible in the local network. The Stuxnet malware exploited a 0day Print Spooler (CVE-2010-2729) remote code execution vulnerability to propagate itself into new machines.

Installing More Tools

During the initial compromise, the malware authors use custom zero-day code that exploits vulnerabilities in common applications. In the expansion stage of the APT though, to avoid having to re-write code, the bad actors tend to use standard tools.

These tools could include system utilities like PsExec [9], network packet sniffers like tcpdump [10], password extracting tools like gsecdump [11], Cain&Abel [12], etc.

Obtain Credentials

With the help of the tools installed, the attackers brute-force login credentials to workstations and servers that likely contain sensitive data.

They could establish remote desktop sessions to these machines and eventually make their way onto domain controllers that have unrestricted access to the entire network. They then begin their hunt for the target data to be extracted, if they haven’t found it already, that is.

Indicators of Compromise

Once the assailants possess domain level credentials, their movement within the network resembles that of legitimate traffic and so becomes very difficult to track. The following behaviors on the other hand could indicate a compromise and are relatively easy to track:

Presence of Unwarranted Files

Unauthorized use of kernel modules to elevate one’s privileges could imply a compromise. The presence of unapproved software, modified versions of existing drivers containing trojanized code, tools like port scanners, password crackers, network sniffers, etc. could also indicate a compromise.

Login Irregularities

Repeated failed login attempts using non-existent user accounts, successful login attempts to machines that deviate from established baseline logins, login activity at odd hours, etc. could mean something is amiss.

Anomalies in Security Settings

Unauthorized disabling of security software, or tampering with exclusion lists in firewalls and Anti-Virus, even for a brief period of time, could indicate a compromise.

Anomalies in User Account Activity

Changes in behavior of a user account such as time of activity, type of information accessed, systems accessed, etc. could indicate a compromise.
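The login and user-account irregularities described above, turned into checks over constructed Windows Security log events, as an added example that is not part of the paper. It assumes event IDs 4624 (logon success) and 4625 (logon failure) with NTSTATUS 0xC0000064 marking a non-existent account, a hand-written per-user baseline of usual hosts and working hours, and a spray threshold of three failures from one source:

```python
from collections import defaultdict

# Constructed logon events modelled on Windows Security log IDs 4624 (success) and 4625
# (failure). Status 0xC0000064 (STATUS_NO_SUCH_USER) marks an account that does not exist.
SAMPLE_EVENTS = [
    {"time": "2014-11-03T09:05:00", "id": 4624, "user": "alice", "host": "WS-ALICE", "src": "10.1.4.22"},
    {"time": "2014-11-03T09:10:00", "id": 4624, "user": "bob", "host": "WS-BOB", "src": "10.1.4.31"},
    {"time": "2014-11-03T23:41:00", "id": 4625, "user": "backup1", "host": "DC01", "src": "10.1.4.22", "status": "0xC0000064"},
    {"time": "2014-11-03T23:41:02", "id": 4625, "user": "sqladmin", "host": "DC01", "src": "10.1.4.22", "status": "0xC0000064"},
    {"time": "2014-11-03T23:41:05", "id": 4625, "user": "svc_deploy", "host": "DC01", "src": "10.1.4.22", "status": "0xC0000064"},
    {"time": "2014-11-03T23:52:00", "id": 4624, "user": "alice", "host": "FILESRV01", "src": "10.1.4.22"},
    {"time": "2014-11-04T02:15:00", "id": 4624, "user": "alice", "host": "DC01", "src": "10.1.4.22"},
]

# Assumed baseline per user: systems normally accessed and normal hours of activity.
BASELINE = {
    "alice": {"hosts": {"WS-ALICE"}, "hours": range(8, 19)},
    "bob": {"hosts": {"WS-BOB"}, "hours": range(8, 19)},
}


def hour_of(timestamp):
    """Hour field of an ISO-8601 timestamp such as 2014-11-03T23:41:00."""
    return int(timestamp[11:13])


def detect_login_irregularities(events, baseline, fail_threshold=3):
    """Return alerts for (a) repeated failures against non-existent accounts from one
    source and (b) successful logons that deviate from the user's host/hour baseline."""
    alerts = []
    no_such_user = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("status") == "0xC0000064":
            no_such_user[ev["src"]].append(ev["user"])
    for src, users in no_such_user.items():
        if len(users) >= fail_threshold:
            alerts.append({"type": "nonexistent-account-spray", "src": src, "users": users})
    for ev in events:
        if ev["id"] != 4624:
            continue
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("no-baseline")          # account never seen before
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append("new-host")         # systems accessed changed
            if hour_of(ev["time"]) not in profile["hours"]:
                reasons.append("odd-hours")        # time of activity changed
        if reasons:
            alerts.append({"type": "anomalous-logon", "user": ev["user"], "host": ev["host"],
                           "time": ev["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_irregularities(SAMPLE_EVENTS, BASELINE):
        print(alert)
```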

Prevention/Detection

Along with multi-factor authentication for sensitive accounts, updated Anti-Virus software that detects unwanted tools, a strong password policy, etc. the following solutions can be implemented to augment the network’s security:

Unified Extensible Firmware Interface (UEFI) and Secure-Boot

Privilege escalation attempts can be significantly reduced by using UEFI/secure-boot enabled machines that provide a level of trust from boot-up time.

Early Launch Anti-Malware (ELAM)

Security solutions with early loading components that are capable of detecting and blocking unauthorized kernel code should be installed throughout the network.


References:

[9] http://technet.microsoft.com/en-us/sysinternals/bb897553
[10] http://www.tcpdump.org
[11] http://www.truesec.com/Tools/Tool/gsecdump_v2.0b5
[12] http://www.oxid.it/cain.html

Lokesh Kumar
K7 Threat Control Lab


March 30th, 2015

Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.

Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.

We conducted a short piece of research work on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly, the data indicates a significant rise in EoP vulnerabilities over the past two-and-a-half years.

From our research set on Microsoft Windows operating system vulnerabilities found over the time period mentioned earlier, we found that out of 700 vulnerabilities, 115 vulnerabilities were Privilege Escalation vulnerabilities, i.e. approximately 16%. It is clear from the research data set that attackers or malware writers are focusing more on EoP vulnerabilities to carry out their malicious attack as silently as possible.

Standalone exploitation of an EoP vulnerability might not be sufficient for the attacker to achieve the required destructive behavior, forcing the attacker to look for yet more vulnerabilities in the system to exploit.

The following is a list of commonly exploited Windows components:

The Group Policy Service
Windows kernel-mode driver (Win32k.sys)
Cryptography Next Generation kernel-mode driver (cng.sys)
WebDAV kernel-mode driver (mrxdav.sys)
TS WebProxy Windows component
Windows User Profile Service (ProfSvc)
Microsoft IME
TypeFilterLevel Checks
Windows audio service component
Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
Kerberos KDC
FASTFAT system driver, FAT32 disk partitions
Message Queuing service
.NET Framework
Windows Task Scheduler
Windows Installer service
DirectShow
Ancillary Function Driver
On-Screen Keyboard
ShellExecute API
Group Policy preferences
NDProxy component
Local Remote Procedure Call
Windows audio port-class driver (portcls.sys)
Hyper-V
USB drivers
Windows App Container
DirectX graphics kernel subsystem (dxgkrnl.sys)
Service Control Manager (SCM)
NT Virtual DOS Machine (Ntvdm.exe)
asynchronous RPC requests handling (Rpcss.dll)
TrueType font files handling
Windows Print Spooler (Win32spl.dll)
NTFS kernel-mode driver (ntfs.sys)
Windows CSRSS (cmd.exe)
Remote Desktop ActiveX control (mstscax.dll)
Windows USB drivers

We see that the attackers often aim at a relatively highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.

Techniques employed by malware writers constantly evolve to achieve the desired privilege escalation undetected. There are many privilege elevation techniques publicly available online, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting the known failure mechanism in DDR3 memory referred to as Row Hammer to gain kernel privileges, with the only “patch” being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited to operating systems but is also witnessed in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of the Internet of Things across devices everywhere, exploiting an Elevation of Privilege vulnerability in just one of the links in the Internet of Things could give the attacker complete control of the whole system.

Image courtesy of:

tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL


March 25th, 2015

The controversial Section 66A of the Information Technology Act 2000 (Amendment 2008) has been struck down by the honourable Supreme Court as unconstitutional vis-a-vis Article 19 (Right to Freedom) of the Constitution of India. The honourable Supreme Court has deemed Section 66A to be “nebulous”, and its decision is no doubt related to the numerous high-profile incidents across India related to citizens posting allegedly overly-sensitive content online.

Most netizens are probably completely unaware of Indian cyber laws. Perhaps this is an opportune occasion to provide readers with a short blog series deconstructing the Indian IT Act, focussing on its cyber policing aspects. After all it is important to understand at a high level how existing cyber laws are meant to protect citizens by enhancing IT security.

Samir Mody
Senior Manager, K7TCL


March 23rd, 2015

The internet is abuzz with live scores, statistics, predictions and match highlights of ICC Cricket World Cup 2015 as it gets closer to the final. A simple “2015 World Cup” keyword search can equip an avid cricket enthusiast with all the latest on the World Cup. Yet, the majority of cricket fans are unaware that the top search results could list malicious websites through the attack vector SEO (Search Engine Optimization) poisoning that cyber criminals employ to rank their websites in the top search engine results for a related keyword search.

A cricket fan should be aware of the risk in accessing an unknown website that is ranked highly in the search results. For example, by building a legitimate-looking website that is in sync with the latest information on the World Cup and incorporating their social engineering expertise, the attackers could manipulate search engines to feature their website prominently. This specially crafted website might carry a link to a malware download that infects the victim’s computer.

SEO poisoning attacks are subtle, hard to detect by laymen and tend to occur every time a global event happens. This could even serve as an entry point to large organizations. Hence, every internet user is advised to access only known reputed websites for the latest happenings to ensure safe computing.

Bleed Blue!

Images courtesy of:

quoteimg.com
4to40.com

Archana Sangili, Content Writer


March 18th, 2015

In the interest of sharing VB2014 conference papers and presentations, the editor of Virus Bulletin magazine has blogged about Gregory Panakkal’s paper titled “Leaving our ZIP undone: How to Abuse ZIP to Deliver Malware Apps” on VB’s information portal on recent security trends.

This paper explores the ZIP file format, specifically as an APK as handled by the Android OS and details the new malformations that can be imposed on the APK file format to bypass AV engine unarchiving and scanning, whilst keeping the APK valid for the Android OS. This paper also describes the concept of a “chameleon ZIP” that is application specific, and the challenges for the AV engine components that scan content based on the identified package type.

A Chameleon Zip Example
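A ZIP stores every member twice, once in a local file header and once in the central directory, and a scanner that trusts one view while the target application trusts the other can be shown different content. The consistency checker below is an added example, not code from the paper or from K7's engine; it assumes stored (uncompressed) members, no ZIP64 records, and uses one constructed discrepancy (a renamed local header) purely to exercise the checker:

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"


def parse_central_directory(data):
    """Walk the central directory (the view a package installer trusts); return entries
    and the offset just past the end-of-central-directory record and its comment."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, comment_len = struct.unpack_from(EOCD_FMT, data, eocd)
    entries, pos = [], cd_off
    for _ in range(total):
        f = struct.unpack_from(CENTRAL_FMT, data, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        nlen, elen, clen = f[10], f[11], f[12]
        entries.append({"name": data[pos + 46:pos + 46 + nlen], "crc": f[7],
                        "csize": f[8], "usize": f[9], "local_offset": f[16]})
        pos += 46 + nlen + elen + clen
    return entries, eocd + 22 + comment_len


def parse_local_header(data, offset):
    """Parse one local file header (the view a sequential unarchiver trusts)."""
    f = struct.unpack_from(LOCAL_FMT, data, offset)
    if f[0] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at {offset}")
    nlen, elen = f[9], f[10]
    return {"name": data[offset + 30:offset + 30 + nlen], "crc": f[6],
            "csize": f[7], "usize": f[8], "data_offset": offset + 30 + nlen + elen}


def find_inconsistencies(data):
    """Report every place where the two descriptions of the archive disagree."""
    problems = []
    entries, archive_end = parse_central_directory(data)
    for e in entries:
        lh = parse_local_header(data, e["local_offset"])
        for key in ("name", "crc", "csize", "usize"):
            if e[key] != lh[key]:
                problems.append(f"{e['name'].decode()}: {key} differs "
                                f"(central={e[key]!r} local={lh[key]!r})")
    if entries and entries[0]["local_offset"] != 0:
        problems.append("data before the first local header")
    if archive_end != len(data):
        problems.append("data after the end-of-central-directory record")
    return problems


def build_archive(members):
    """Constructed APK-like archive; stored members keep the offsets easy to follow."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def tamper_local_name(data, old_name, new_name):
    """Constructed discrepancy used only to exercise the checker: overwrite one local
    header's name in place (same length) while the central directory keeps the original."""
    assert len(old_name) == len(new_name)
    entries, _ = parse_central_directory(data)
    buf = bytearray(data)
    for e in entries:
        if e["name"] == old_name:
            off = e["local_offset"] + 30
            buf[off:off + len(old_name)] = new_name
            return bytes(buf)
    raise KeyError(old_name)


if __name__ == "__main__":
    clean = build_archive({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"})
    print("clean:", find_inconsistencies(clean))
    print("tampered:", find_inconsistencies(tamper_local_name(clean, b"classes.dex", b"classes.old")))
```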

Archana Sangili, Content Writer
