
Archive for the ‘Personally speaking’ Category

The Unknowns: 32 Lakh (3.2 Million) Card Details Stolen Apparently!!

Friday, October 21st, 2016

The sensational, massive theft of critical data from Indian debit card holders, and the subsequent abuse of card data in China and USA, have been widely reported in the Indian media.


Unfortunately the information available seems to be largely based on hearsay and conjecture, some of it even contradictory. The following Donald Rumsfeld (ex-United States Secretary of Defense) quote from February 2002 comes to mind:

“Reports that say that something <redacted for effect> happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”

We may use the above quote to analyse the facts or lack thereof:

  • Known knowns – The critical details of lots of cards (32 lakh may be a paranoid extrapolation of the real figures) have been potentially compromised, many of which have been abused in China and USA
  • Known unknowns – How exactly was the data stolen? Was there really ATM malware or some skimming device? Or was there a breach on the backend ATM infrastructure either via malware or via direct database hacking? How was the stolen data relayed back to the cyber criminals?
  • Unknown unknowns – Given the nature of this breach, what other parts of the ATM and banking networked infrastructure are vulnerable to attack? What will those scary headlines read in the future?

We are still in the hunt for real technical detail relevant to this particular breach. Malware samples or hashes would be very useful.

ATM and Point of Sale (PoS) malware are not a recent phenomenon. ATMs can be considered to be computers with some customised hardware, e.g. card reader, attached. They tend to:

  • run Windows XP as the OS hosting the ATM services
  • have no Anti-Virus software installed
  • perhaps employ inadequate encryption mechanisms to prevent the leakage of transaction data

Obviously these factors are not conducive to the maintenance of data security on ATM networks. Windows XP is known to be vulnerable and has been unsupported by Microsoft since 2014! Regardless of the true nature of the current breach it seems clear that the banking industry does need to take ATM security more seriously than employing security guards outside terminals who may doze, if even present, or worse. A good place to start would be to address the vulnerabilities highlighted above, i.e.:

  1. Upgrade the host OS to a more secure, light-weight one, and ensure that it is adequately patched
  2. Install customised Anti-Virus software with slim, relevant security updates
  3. Employ industry-standard, authenticated encryption (AES-GCM for data, RSA/ECDH for key exchange, etc.) across critical data transfer channels and storage areas, with keys held in the terminal’s hardware security module rather than on disk
  4. Get the whole infrastructure vetted by competent third-party agencies through black-box (vulnerability assessment, pen testing, etc.), and white-box (code review) mechanisms
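Item 3 above can be taken a step further for storage areas that never need the full card number back (transaction logs, fraud matching, lookups): rather than keeping a decryptable copy at all, store only a masked PAN and a keyed one-way token. The following is an added example, not code from the original post or from K7. The hex key is a placeholder that stands in for a key held in an HSM/KMS, the card number is the well-known Visa test number rather than real card data, and HMAC-SHA256 tokenisation is this example’s own choice; where the full PAN must be recoverable, authenticated encryption such as AES-GCM is the right tool instead.

```python
"""Storing card data without keeping the cleartext PAN.

Added example, not code from the original post or from K7. Keeps a masked
PAN for display and a keyed one-way token (HMAC-SHA256) for lookup and
fraud matching, so a dump of the storage area yields no usable card numbers.
"""
import hashlib
import hmac
import re

# Placeholder key (an assumption for this example). In production the key
# lives in an HSM/KMS and is never hard-coded: a 16-digit PAN space is small
# enough to brute-force offline if the key leaks.
TOKEN_KEY = bytes.fromhex("2f0c9b1e4d7a6c3b8e5f1a2d4c6b8a9e7f3d5c1b2a4e6d8f0c2b4a6e8d0f1c3a")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes; require 13-19 digits and a valid Luhn checksum."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return pan


def mask_pan(pan: str) -> str:
    """First six and last four digits visible, the rest masked (the usual PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way token: stable for lookups, useless without the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw_pan: str, key: bytes) -> dict:
    """What actually gets written to the database: no cleartext PAN anywhere."""
    pan = normalise_pan(raw_pan)
    return {"masked": mask_pan(pan), "token": pan_token(pan, key)}


if __name__ == "__main__":
    # Constructed input: a well-known Visa test number, not real card data.
    print(store_record("4111 1111 1111 1111", TOKEN_KEY))
```

The token is deterministic on purpose (two sightings of the same card must match), which is exactly why the key, not the hash function, carries all the security: rotate it from the HSM, never log it, and keep it off the ATM itself.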

We shall keenly monitor developments in this case, especially if samples are forthcoming.

Image by Karl Hilzinger courtesy of:

http://www.smh.com.au/it-pro/security-it/credit-card-fraud-8-ways-your-details-can-be-hijacked-20150119-12ttwn.html

Samir Mody
AVP, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Dos and donts of DDoS from the “Armada Collective”

Monday, September 12th, 2016

Last week one of our Enterprise customers reported that they had received an email threatening them with a DDoS attack on their allegedly vulnerable servers if one bitcoin (about US$600 at the time) were not paid. Furthermore, to force a greater sense of panic, there was a threat of spreading nasty ransomware on their network.

The extortionary email resembled the following:

It turns out that senders using this so-called “Armada Collective” name have made similar ransom demands to many organisations in the past, and in these mass-mailed campaigns the threat has so far turned out to be empty. (A group under the same name was linked to real attacks in late 2015, so the name by itself proves nothing either way; judge the threat by your own traffic, not by the email.) No occurrence of an actual DDoS attack has yet been reported by the Enterprise customer who received the aforementioned threat or by any of our other customers.

Of course there are real world examples of DDoS attacks which target businesses but the attackers’ modus operandi is typically different from that described above. Historically many DDoS attacks have taken place without prior warning and without a ransom demand.

If any of our customers or any other businesses receive threatening messages of the form shown above we recommend that you do not panic, as there is no proof of an actual attack by these scaremongering cyber criminals posing as the “Armada Collective”. There is certainly no need to pay the ransom demanded; paying marks you as a soft target and funds the next campaign. Instead we recommend that you check whether any “demonstration” attack the email claims actually shows up in your traffic graphs and firewall logs, implement adequate boundary-level protection for your servers and network (rate limiting at the edge, and an upstream DDoS mitigation or scrubbing arrangement with your ISP or CDN), keep the email with its full headers for law enforcement, and assess/pen-test the servers so that potential vulnerabilities are identified and mitigated ASAP.

Image courtesy of newspeechtopics.com

Samir Mody
K7 Threat Control Lab


K7 Celebrates 24 Years

Friday, September 2nd, 2016

K7 Computing celebrated its 24th anniversary last week with the annual “bay decoration” event, which puts to the test teamwork, camaraderie, creativity and sheer effort, of course. The following collage should give you an idea of how our workspaces were transformed for a day.

Enjoy…

K7 Team


Linux and Connected? Don’t Panic!

Friday, August 19th, 2016

This week’s hot news within network security circles is likely to be about a flaw in the way Linux implements a relatively recent addition to the TCP specification, RFC 5961 (“Improving TCP’s Robustness to Blind In-Window Attacks”), which allegedly allows established connections to be hijacked by a remote attacker. Linux has implemented RFC 5961’s “challenge ACK” mechanism since kernel 3.6; Windows, apparently, has yet to implement it, and so is not exposed to this particular issue.

This is essentially an information disclosure flaw. RFC 5961 has a receiver answer suspicious in-window packets with a “challenge ACK”, and the Linux implementation capped the number of challenge ACKs sent per second with a single counter shared by all connections (the sysctl net.ipv4.tcp_challenge_ack_limit, 100 by default). Because that counter is global, an attacker can send spoofed probes and then observe how many challenge ACKs are left over for a connection of his own; this leaks, in turn, whether a connection exists between two given endpoints and then the sequence and acknowledgement numbers it is using. The researchers who discovered the flaw claim this could allow a hacker to inject malicious or unwanted data packets into, or reset, a connection between any two arbitrary machines whose IPs are known. Interestingly this Man-in-the-Middle type scenario does not require the attacker to be on the path between the two target machines at all; it is an off-path attack.

How serious is this flaw to a typical end user, though? To attack an end user, a hacker would need to know the user’s own IP address and the IP address of the server with which the user has already established a connection, be able to send packets with a spoofed source address (i.e. sit on a network that does not filter spoofed egress traffic), and then spend tens of seconds to a minute or so probing to infer the port pair and sequence numbers of that one connection. Hence the probability that any specific user gets targeted at random is low, the more so because of the huge user base of dynamically-allocated IPs. Exploitation of the flaw is more likely to succeed in IPv4 cases; with the introduction of IPv6 the probability that an individual user’s IP would be found at random is small, for mobile devices and desktop computers alike.

Given the nature of an attempted attack, this flaw is likely to be more worrisome to web servers and other Linux hosts which are required to be ON all the time, have predictable IPs and well-known ports, and keep long-lived connections open.

As for the malware injection claim, it seems less likely that a malware payload by itself would be sent within a data packet. Rather, it could be a malicious URL or a snippet of script injected into a plain HTTP response that redirects the user to download the malware. Note that meaningful content can only be injected into unencrypted connections: a TLS session cannot be tampered with in this way, although it can still be reset.
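The practical question for an administrator is whether a given Linux box is in the affected range and whether the stop-gap has been applied. The following is an added example, not code from the original post or from K7: it takes the pasted output of `uname -r` and of `sysctl net.ipv4.tcp_challenge_ack_limit` and returns a verdict. The version boundaries (challenge ACKs from Linux 3.6, randomised limit from 4.7) and the threshold treated as “hardened” are this example’s own assumptions; distribution kernels backport fixes, so an in-range version means “possibly affected”, never “proven affected”.

```python
"""Triage helper for the Linux challenge-ACK side channel discussed above.

Added example, not code from the original post or from K7. Reads nothing from
the live host: paste in `uname -r` and `sysctl net.ipv4.tcp_challenge_ack_limit`.
"""
import re

# Assumptions, not from the page: Linux gained RFC 5961 challenge ACKs in 3.6
# and randomised the global limit in 4.7. Stable/distro kernels backport the
# fix, so treat an in-range version as "possibly affected" only.
FIRST_AFFECTED = (3, 6, 0)
FIRST_FIXED = (4, 7, 0)
# A limit at least this large was the widely published stop-gap; the exact
# threshold is a choice made for this example.
HARDENED_LIMIT = 1_000_000


def parse_kernel_version(uname_r: str) -> tuple:
    """'4.4.0-36-generic' -> (4, 4, 0); distribution suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def parse_challenge_ack_limit(sysctl_output: str):
    """Parse 'net.ipv4.tcp_challenge_ack_limit = 100'; None if the key is absent."""
    m = re.search(r"net\.ipv4\.tcp_challenge_ack_limit\s*[=:]\s*(\d+)", sysctl_output)
    return int(m.group(1)) if m else None


def assess(uname_r: str, sysctl_output: str) -> dict:
    """Classify a host from its kernel version and challenge-ACK sysctl."""
    version = parse_kernel_version(uname_r)
    limit = parse_challenge_ack_limit(sysctl_output)
    result = {"kernel": version, "limit": limit}
    if version < FIRST_AFFECTED:
        result["verdict"] = "not-affected"
        result["action"] = "kernel predates RFC 5961 challenge ACKs; nothing to do for this issue"
    elif version >= FIRST_FIXED:
        result["verdict"] = "fixed-upstream"
        result["action"] = "upstream fix present; keep the kernel patched"
    elif limit is None:
        result["verdict"] = "unknown"
        result["action"] = "could not read the sysctl; run `sysctl net.ipv4.tcp_challenge_ack_limit` on the host"
    elif limit >= HARDENED_LIMIT:
        result["verdict"] = "mitigated-by-sysctl"
        result["action"] = "stop-gap applied; still install the patched kernel"
    else:
        result["verdict"] = "possibly-affected"
        result["action"] = ("patch the kernel, or as a stop-gap run: "
                            f"sysctl -w net.ipv4.tcp_challenge_ack_limit={HARDENED_LIMIT}")
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real machine.
    r = assess("4.4.0-36-generic", "net.ipv4.tcp_challenge_ack_limit = 100")
    print("kernel %s, limit %s: %s" % (".".join(map(str, r["kernel"])), r["limit"], r["verdict"]))
    print(r["action"])
```

Raising the limit only blunts the side channel (the shared counter can no longer be exhausted by a realistic probe rate); the real fix is the patched kernel, which randomises the limit so that the count no longer leaks anything.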

Installing a reputed and updated security product like K7 Total Security should block any malicious URLs being accessed or malicious files from being downloaded onto a victim’s computer.

Image courtesy: wakinguptheghost.com

Samir Mody, K7 Threat Control Lab
V.Dhanalakshmi, K7 Threat Control Lab


Sharing Our Knowledge with VIT

Wednesday, June 29th, 2016

A few weeks ago we had announced our intention to spread our knowledge about low-level security. We would like to share a proud moment with the public to demonstrate our commitment to the cause of spreading technical awareness, born of our decades of experience and expertise in malware research and anti-malware technology development.

We were recently invited by the well-known academic institution, VIT Vellore, to conduct a day-long workshop on the malware analysis techniques we carry out at K7 Threat Control Lab (K7TCL). The idea of the presentation was to enlighten VIT staff on analysis techniques for both Windows and Android malware.

We are happy to have had this opportunity to share our knowledge, and we hope that the interactive session we conducted has helped VIT staff to understand the modern malware threat landscape, and the malware themselves in a more effective way.

Kaarthik.R.M
Shiv Chand.K
V.Dhanalakshmi
K7TCL


The Best Way to Learn is to TEACH

Thursday, June 2nd, 2016

Here at K7 Computing we believe it is extremely important to further the education of both those within as well as those outside our organisation.

Security is a vast subject with a plethora of aspects to consider. We cannot of course cover everything, however K7 Threat Control Lab would certainly like to contribute to the security skill set of today’s students in order to help address the acute shortage of security personnel in the workforce. Many students may also enjoy learning techniques to counter cyber criminals.

Our security training programmes ought to be designed to provide students with a strong foundation in the technical aspects of IT security. For example the focus of our Malware Analysis Training Programme would be on learning about low-level malware techniques and analysis from first principles within a controlled “lab” environment.

If we are able to “train the trainers” then a multiplier effect could be triggered to accelerate the dissemination of technical security training across India and elsewhere.

Spread D WORD bit by bit.

Image courtesy of anytraining.co.uk

Samir Mody
Senior Manager, K7TCL


Serve in India? Store in India! Please…

Friday, April 22nd, 2016

The Union Home Minister Rajnath Singh recently requested the likes of Google, Facebook and WhatsApp to base their servers in India for security reasons.

WhatsApp has launched end-to-end encryption which makes snooping on WhatsApp traffic via, say, a Man-in-the-Middle very difficult, thus maintaining high levels of privacy. However, the events in parts of the country over the past few days are a reminder of the power of social media in disinformation campaigns.

Such social media services are regularly abused by terrorist groups to communicate amongst themselves as well as to spread propaganda. Therefore security agencies require access to communication content as per the provisions of the Information Technology Act. Since encrypted traffic makes it difficult to monitor the activities of suspects, it is important that whatever content exists on the servers is made available when lawfully requested. It should be said, though, that with end-to-end encryption the provider’s servers hold only ciphertext in transit and metadata (who messaged whom, when, and from which device), not readable message content; server location changes which court’s order the provider must honour, not what the provider is technically able to hand over.

Such requests would be complied with more readily if social media services for Indian citizens were hosted on servers within India’s jurisdiction, instead of typically in the US as is the case currently. The high-profile battle between the FBI and Apple in the US demonstrates the difficulties Indian security agencies could face in obtaining data from outside of India’s jurisdiction.

As I had mentioned a couple of years ago, the public’s opposition to the government imposing on their privacy is based on their prevailing threat perception. Given India’s history, geography and an unenviable record of victimhood, one would suggest that the threat perception in India is rather high.

Let us see if and how the social media giants bend to the government’s will.

Image courtesy of gadgets.ndtv.com.

Samir Mody
Senior Manager, K7TCL


Five-Dimensional Protection in Cyber Space and Time…

Friday, April 1st, 2016

Our State-of- the-Art anti-cyber-threat facility has moved!!

As of today, we are conducting operations from our very own K7 Threat Control Lab Space Station.

Yes, our determined focus on taking our world-wide customer protection status to the next generation led to our decision to invest in infrastructure which would enable us to LITERALLY view the global threat landscape, thereby providing enhanced visual intelligence data.

We have now expanded our horizons to defend networks and devices across solar systems, and to research alienware. Interestingly some inter-galactic entities have expressed a firm desire to deploy endpoint protection on their advanced networked workstations. This is almost certainly as a result of an incident a couple of decades ago when a DOS-like scripty cross-architecture “virus” was transmitted wirelessly to the spaceships of a clan from a neighbouring galaxy, allegedly bringing them down.

We have been told that it was a tough day for their incident response and IT teams, and cost a bazillion hard-earned $PE$Os in damage.

K7 Development, focussed on innovation, is currently in the design phase for the K7IGS (K7 Inter-Galactic Security) product, which is scheduled to launch around the 1st of April 2017.

K7TCL SS infrastructure comes with funky technical features such as:

The docking station, with a physical fibre-optic pipe from Earth, provides an unmatchable 3×10^8 Mbps, thus allowing threat response in a flash.

The scale of the Internet of Things and the Cloud on Earth is less than microscopic when compared to Inter-Galactic Connectivity in Space and Time. Nevertheless K7TCL is ready for this exciting security challenge whether on Earth or beyond.

Image credits:

Kaarthik RM, K7 Threat Control Lab
Jason Brown from flickr.com
theknightshift.com
boomsbeat.com

Samir Mody
Senior Manager, K7TCL


@ChennaiFloods: K7 Systems Were Impacted

Wednesday, January 27th, 2016

We had blogged a few weeks ago about the role that social media played during the recent floods in our home city of Chennai. In that blog we had stated the following:

“Historic rainfall in huge measure broke a century-old record for the highest rain in this region, and the subsequent clogging up of Chennai’s water bodies contributed to the flood situation. Chennai’s infrastructure took a massive hit with transport (road, rail and air), electricity and communication systems (mobile, landline and internet) going down…”

We ought to add that between the 1st and the 8th of December 2015 Chennai was declared a national disaster zone, and that K7 Computing’s own infrastructure was affected during this period due to the absence of power and network connectivity. Our systems were handicapped to the extent that our AV-Test results for the beginning of December 2015 were adversely impacted; both the reported Real-World test misses, one of which was only a partial miss given that HIPS behavioural protection triggered an alert, occurred during the aforementioned time window.

We are, of course, in the process of enhancing redundant systems at alternative geographical locations in order to maintain robust protection.

Samir Mody
Senior Manager, K7TCL


Cyber Security: A Core Facet of National Defence Policy

Wednesday, December 16th, 2015

Cyber security, vis-a-vis national security, is high on the agenda of many nations. In fact Prime Minister Narendra Modi emphasises the need for robust cyber defences on a regular basis, both within India and abroad.

The keynote address titled “Securing Our Future” at the recently-concluded AVAR 2015 Security Conference held in Da Nang, Vietnam, by Mikko Hypponen made mention of the fact that cyber attacks are very much a part of a nation’s offensive strategy (typically espionage-related).

Even though most malware are written for financial gain, there is still a significant proportion which is created with a different motive in mind, involving both state and non-state actors. We ought to be expecting an increasing global cyber threat from terrorist organisations over and above the use of social media to communicate with their cadres and potential new recruits, and to attempt to deliver propaganda to the world at large.

Within the scope of the Internet of Things (IoT) our homes are being exposed to the outside world to a far greater extent than ever before. IoT, which involves various internet-enabled embedded utility devices (e.g. a smart fridge) that typically contain various security weaknesses, provides a whole new dimension of opportunity to hostile elements who can conduct attacks from thousands of miles away.

The AVAR 2015 conference, at which K7 Computing presented on ransomware, was well attended by several members of the Vietnamese defence and civil government bodies, as well as local journalists, signifying the emphasis that Vietnam places on the cyber security domain. In addition, the conference was formally supported by the Vietnamese Authority of Information Security.

K7 Computing hosted the AVAR conference a couple of years ago and will do so once again, the details of which will be revealed at a later date and time. Watch this space.

Image courtesy of betanews.com.

Samir Mody
Senior Manager, K7TCL
