These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security news’ Category

K7 @ CARO 2016

Thursday, May 26th, 2016

The CARO Workshop 2016, held in Bucharest, Romania, between May 19-20 featured presentations from notable security vendors and researchers, with a focus on the application of machine learning to security. The keynote speech was by Dr. Ashkan Fardost, who, among other things, talked about connecting reindeer to the internet.

K7’s Gregory Panakkal  and Georgelin Manuel participated in the CARO workshop with their presentation titled “A High-Performance, Low-Cost Approach to Large-Scale Malware Clustering”. Their popular talk suggested a technique to cluster huge numbers of malware files on commodity hardware. This presentation demonstrated clustering 2 million files on a machine with a modest configuration in under 3 minutes. The ideas exhibited were well-received, and attracted considerable attention from researchers who are thirsting for alternatives to distributed computing, which is currently the standard solution for handling large numbers of files.

Image courtesy of 2016.caro.org

Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Does Android Nutella Hit the Security Sweet Spot?

Thursday, April 28th, 2016

This blog intends to inform the general public about the next version of Android (7.0), expected to be labelled “Android Nutella” focussing on the significance of improved or new security features in the sweet next in line from Google.

The next dessert to taste after Marshmallow, provisionally “Nutella” (Android 7.0), loaded on Nexus devices, is expected to hit the market in Q3, 2016.

Few of the confirmed major new features in Android N as per the Android N Developer Preview version are:

  • Multi-window mode
  • Efficient Doze mode
  • Direct-reply notifications/Quick settings
  • Shifting Android Java language libraries to OpenJDK
  • Faster App optimization by ART
  • Android Beta Program
  • Data Saver mode
  • Video and Picture at the sametime
  • Changing display screen size
  • Dark mode
  • New folder icons
  • Clear All feature in recent apps list
  • Lock screen enhancements

It is to be noted from the above feature list of Android N that there are no major security enhancements in Android N revealed in the Developer Preview versions.

Lock screen enhancements:

  • In Android N, it is possible to enable a setting that allows the user to display user information like name, address, blood group, etc., on the lock screen.
  • The latest developer preview 2 of Android N  allows the user to reply to notifications from the lock screen itself.

Saying that, the enhancements at the lock screen level raises the question of privacy, i.e. data security. Suppose the device is misplaced or lost, it is possible for a third party to know the user’s identity. Credit card and banking divisions always verify a user’s identity for any request of user-profile change or account request, exactly the kind of information which can be obtained from a stolen Android N phone might enable a third party to easily steal or misuse the victim’s account.

It goes without saying that there could be a password protection mechanism to access user’s personal data. However, in that case it might not serve the purpose of helping in an emergency.

As the Android threat landscape seems to have gone a bit silent of late, at least in the IT security  world, after the discovery of the Stagefright exploit, and given Google’s super confidence in the absence of malware for Android, perhaps, the Android N development team might have skipped Security in the major feature enhancement list.

Even though the Android malware landscape has not thrown up too much to write home about in the last few months, it is understood that as there is always a malware threat for any popular OS, and hopefully Google is continuing to take security seriously. Note, apparently not all the features have been revealed in the preview versions of Nutella so let us wait for the release candidate of Android N to have a clear picture of any major security feature changes. The proof will be in the eating…

Image courtesy:
nutella.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Serve in India? Store in India! Please…

Friday, April 22nd, 2016

The Union Home Minister Rajnath Singh recently requested the likes of Google, Facebook and WhatsApp to base their servers in India for security reasons.

WhatsApp has launched end-to-end encryption which makes snooping on WhatsApp traffic via, say, a Man-in-the-Middle very difficult, thus maintaining high levels of privacy. However, the events in parts of the country over the past few days are a reminder of the power of social media in disinformation campaigns.

Such social media services are regularly abused by terrorist groups to communicate amongst themselves as well as to spread propaganda. Therefore security agencies require access to communication content as per the provisions of the Information Technology Act. Since encrypted traffic makes it difficult to monitor the activities of suspects, it is important that content on the servers is made available when lawfully requested.

Such requests would be acquiesced to more readily if social media services for Indian citizens were hosted on servers within India’s jurisdiction, instead of typically in the US as is the case currently. The high-profile battle between the FBI and Apple in the US demonstrates the difficulties Indian security agencies could face in obtaining data from outside of India’s jurisdiction.

As I had mentioned a couple of years ago, the public’s opposition to the government imposing on their privacy is based on their prevailing threat perception. Given India’s history, geography and an unenviable record of victimhood, one would suggest that the threat perception in India is rather high.

Let us see if and how the social media giants bend to the government’s will.

Image courtesy of gadgets.ndtv.com.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

There is an I,o,T in Monetize

Friday, April 15th, 2016

Following part I of the blog series that describes the security problems in IoT, here is the second part of the series that explains technically how the information stolen from IoT users can be monetized.

risk.top_.jpg

The IoT security challenges described in part I give rise to unprecedented risks. Mischievous parties could remotely trigger havoc inside an IoT user’s physical environment: Burning down houses by hacking microwave ovens, or remotely turning off home security systems, or for the sake of fun, just causing devices to work in an irregular manner. These are just a few examples of IoT hacking which can be used by cyber criminals. The possibilities are endless, almost left to one’s imagination.

The associated risks would also extend to the internet used by the  common man. On a daily basis, websites already violate  user privacy by tracking a user’s activity: what you search for, what links you click on, what websites you visit; this valuable data can be sold off to commercial companies. These companies, in turn, use analytics to build user profiles to serve targeted ads to their audience. However, with the data generated by IoT products, these profiles would contain not only cyber-activity logs but also physical activity data for the user. A person using a pacemaker could now be targeted by insurance companies with specific schemes, even though he/she wouldn’t like others to know about their medical condition.

On the Dark Internet, a major chunk of content is based upon selling stolen credit card information and user credentials. The Dark Internet provides services for DDoS attacks and hacking accounts/websites for a fee. With the increasing adoption of IoT, we might see the rise of a new kind of data on these sites. Data stolen from IoT products would provide an entirely new set of data to be used for malicious purposes. There could be malware and viruses written specifically for IoT products which may go on to cause physical damage to life and property. Consider a botnet, capable of infecting a pacemaker device. It requires only a single command to cause irregularities in the pacemaker’s functionality thereby giving malicious parties the nefarious power to carry out mass murder.

We, as a security concern, believe that industry  can definitely reduce the risks associated in using IoT devices by tackling the afore-mentioned known security problems in the IoT ecosystem at different stages such as  manufacturing and custom-designed security quality assurance testing to ensure the maximum security of the IoT devices at the software level, up until the device reaches the user.

Image credits:
www.vipinkhandelwal.com

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Problems (In)Securing IoT Ecosystem

Thursday, April 7th, 2016

Here is the first part of a two-part blog that covers the security problems in the Internet of Things (IoT) in more technical terms than our previous series .

Imagine that you are on your way back home in a self-driven car, browsing the internet on your mobile. As you come within a 2-mile radius of your house, the air-conditioner switches itself on at the temperature of your choice. You enter your garage, the doors opening automatically, and walk into your room. The lighting dynamically adjusts according to the weather outside, and the lasagna that was in the oven is now all warmed up.

Twenty years ago, if somebody told me such a tale, I’d have laughed and said “you watch too much science fiction”. But today, this scenario is within the scope of modern reality. The IoT revolution is finally here, and it is supposedly bringing joy and comfort to people. But there’s a downside to IoT: it is increasingly becoming an attractive target for cybercriminals. The increase in the sheer number and variety of connected devices has opened up possibilities for coming up with new and more diverse attack techniques.

IoT.security.JPG

Security flaws in IoT products have been brought to light by hackers and security researchers. Some of the hacks which made security news were: Smart home, Surveillance cameras, Jeep car (accessed remotely and its engine killed remotely). In addition an airplane’s cockpit controls were accessed via the in-flight entertainment system. As if these weren’t enough, even pacemakers and insulin pumps were demonstrated as being hackable.

If one were to take a closer look into these hacks, a bunch of recurrent fundamental security problems with the IoT ecosystem come forth. Let’s take a look at some of those problems.

Communication Channels

IoT devices mostly communicate wirelessly using protocols like LTE Advanced, Cellular 4G/LTE, 3G GPS/GPRS, 2G/GSM/EDGE, CDMA, EVDO, WIMAX, Weightless, Wifi, Bluetooth, UWB, Z-Wave, Zigbee, 6L0wpan, NFC and RFID. There are known security flaws associated with these protocols, and yet they continue to be widely used. This leaves us with two non-trivial choices:

  1. Fix the issues with these protocols
  2. Come up with better and more secure protocols

Both of the above choices are non-trivial to execute.

Authentication and Authorization

Credentials/tokens are essential in the traditional authentication and authorization approach. However, IoT has added new modes: biometrics, sensors, NFC, RFID, and sometimes, surprise surprise: no authentication at all! All these years industry has been struggling with securely storing credentials in one way or another. But now we have a whole new array of authentication and authorization approaches to take care of.

End-to-End Encryption

Mobile apps, messaging apps in particular, first encrypt the user’s data on the device using state-of-the-art industry-standard encryption algorithms. Then anti-snooping, end-to-end encryption techniques are deployed. However, the same approach can’t be taken with IoT devices as the modes of communication are fundamentally different. Here, the communication is not one-to-one but, one-to-many or many-to-many. Data travels through many communication channels and nodes. Also, the security protocols used by devices might vary.

Minor faults in end-to-end encryption may lead to exposure of credentials, tokens, and other sensitive informations. Imagine that you have a router using a state-of-the-art encryption algorithm. This router then communicates with a thermometer, which stores the network password in plaintext. Now, to break into the network, all one would need to do is target the thermometer, thereby bypassing the entire robust network security framework.

Insecure Web/App Interface

Web/App interfaces are infamous for being targets of choice for hackers. This can be attributed to the bugs/defects present in the underlying frameworks that these interfaces run on. A vulnerable interface could provide a hacker with access to the server or to the cloud itself. The common problems associated with this are:

  1. A lack of robust password recovery mechanisms
  2. No protection against cross-site scripting (XSS), code/SQL injections, etc.,

Hardware Failures

Preoccupied with creating a sleek and minimalistic design, some manufacturers tend to neglect hardware bugs. These bugs, in turn, can allow attackers to reboot the device(s) and their corresponding hotspots. It is not possible to deliver hardware patches over the air.

Unprotected Client Devices

IoT users’ use of desktops, laptops, tablets, mobiles, etc to operate IoT devices, in turn, opens a remote door to devices. All these devices have a long and notorious history of severe vulnerabilities. Consider a scenario of a company building a smart bulb with all these fancy remote control features. They have a highly compatible, secured mobile app, web interface and embedded hardware. But what if customers have a weak wireless setup, outdated mobile operating system, vulnerable desktop applications? On whom are we going to pin the blame for a breach??!

Image credits:
www.eweek.com

… to part II: risks from stolen user’s information

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt“.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differ significantly from each other. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected macro VBA script. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, given their script context rendered by standard interpreting applications, the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both ransomware campaigns, however, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It garnered quite an excited bunch of fellow security enthusiasts at Prague, Czech Republic, where the conference was held, to listen to the duo talk about this prototype.

This presentation addressed majorly on file encrypting ransomware variants. A demo followed to display the capability of this generic anti-ransomware prototype in defending ransomware through samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea to develop a simple solution to thwart complex ransomware menace. This generic framework is on the process of being incorporated into our products, and we are super excited. We also would take this opportunity to thank our readers, for sending ransomware samples requested by them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Tearing Down the Wall

Thursday, October 1st, 2015


In all likelihood, the ransom note above is possibly what an already overworked IT technician of a corporate network is staring at at this moment. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall; a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices & tormented users willing to do whatever it takes to retrieve the company’s data back, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype & presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware“ tomorrow, the 2nd of October 2015 at the Virus Bulletin International security conference held at Prague.

We hope to see you all there !!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

Pick the Permissions; Android Marshmallow

Wednesday, September 2nd, 2015

This blog intends to inform the general public about some of the feature enhancements in the next version of Android (6.0), labelled “Android Marshmallow” focussing on the significance of the permissions list of an application.

Last week Google announced its next version of Android, Android 6.0 nicknamed “Marshmallow”. Though the final release date of Marshmallow is not yet confirmed, here are some of the interesting features included in Marshmallow, by no means an exhaustive list:

  • Android Pay

With this feature users can enter their credit card details and Google will create a virtual account to enable an easy checkout process using the NFC system.

  • Application linking

As of now when a user clicks on a link, a dialog box pops up prompting the user to select one of the available applications like Chrome or another suitable browser application to render the link. With Android Marshmallow, the Android OS verifies the link with the respective application server (provided the corresponding app is installed) and post authentication, with the help of an auto-verify feature (application developers can code an auto-verify feature in their application) the link is opened within the application.

  • Unlock feature

Fingerprint scanner support.

  • Power

Though not security-related it is interesting to know that “Doze Mode” is incorporated to improve the device’s standby time. Using motion detectors, Android will identify if the device is idle or in use. If the device is found idle, Android kills the background processes to improve the battery life.

  • App permissions

Yes! Now I can choose what an application should be allowed to do in real time!. Traditionally, Android applications request the user for their required resource-access permissions at install time. These permissions cannot be modified post installation. With Android Marshmallow, users can choose to allow or deny a specific permission from the permission list of an Android application whilst the application is active. The description of this feature claims that the applications will request for the required permissions the first time the application’s feature is invoked, instead of requesting all the permissions in one go at installation time. As many of Android malware disguise themselves as legitimate applications or are bundled with other legitimate applications, restricting an application based on the permissions (which in turn restricts the app’s functionality) would help increase the security of the user’s device and personal data.

However, users-awareness about the importance of the permissions granted and the functionality of an application is still essential. As we discussed in our previous blog, a taxi-booking application does not typically need permission to access the files in the device’s SD card to perform its functionality. Similarly, a gaming application does not require permission to access contacts information for it to operate. One should be aware about the permissions that should be granted or denied to avail of the application’s actual functionality.

In addition, for Android Marshmallow, if the same permission restrictions hold good for a legitimate security application as well, there is a possibility that a malware with super-user access could modify the granted permissions list of the security application. As suggested by us in our VB2014 paper, updating the Android OS framework such that trusted security applications are loaded earlier than any other application installed could help handling these situations.

Image courtesy:
Androidpit.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Real or Fake App?

Friday, July 31st, 2015

This blog intends to discuss a few real-time difficulties in identifying whether a downloaded Android application is safe or not, along with a few precautionary steps for Android smartphone users to follow when downloading an application.

Year-on-year, smartphone usage in India is growing at an enormous rate. These days almost everything is mobile, i.e. smartphones have accommodated users in such a way that users welcome applications even for their day-to-day commercial activities like paying bills, ticket booking, etc.

Now, there arises a serious question of trust, “How far is the downloaded application safe?” It is generally believed that an application can be reasonably judged by the permissions that it requests from the user during installation. Unfortunately, in recent times, most of the legitimate applications are seen to request permissions that appear to be in no way related to their current core functionality, but only in view of the application’s future enhancements.

Recently, I came across a popular taxi booking application requesting permission to access media files (photos/videos) as shown below.

The above scenario was observed in a well-known banking application as well.

I would also like to share another interesting incident. A couple of days ago, we at K7 Threat Control Lab, received a “false positive” report from an end user claiming that a famous game application has been flagged incorrectly.

Upon further investigation, it was noticed that the application is actually a fake installer. Unlike the original game app, this fake application tries to download further applications.  The above described unexpected behaviour from a game application is not acceptable.

With many other potentially fake applications of this kind doing the rounds and the latest trend of online portals moving onto app-only services, the security risk level is certainly increasing. Worst-case scenario could involve the case of mobile wallet applications, where a user may also save his/her credit card information for future use.

It goes without saying that identifying an application as suspicious or safe remains a tough job especially for an end user. With a mobile malware application exhibiting similar permission requests and functionality to a legitimate application, the malware analysis process is complicated. Security experts invest more time in code and metadata study to confirm an application as safe, one example being the exhaustive permissions list requested by both  legitimate and malware applications, that may not even be needed for their operation.

Even though the risk cannot be eliminated completely, it can be effectively reduced by following the following oft-stated traditional but yet effective precautionary steps:

  1. Think twice before you download an application whether you really need it.
  2. Download applications only from the official Playstore.
  3. Use the “Verify apps” feature from the Android OS to check whether the app is safe or not.
  4. Install trusted mobile security software, also typically downloaded from the official Playstore.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/