These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security news’ Category

Problems (In)Securing IoT Ecosystem

Thursday, April 7th, 2016

Here is the first part of a two-part blog that covers the security problems in the Internet of Things (IoT) in more technical terms than our previous series .

Imagine that you are on your way back home in a self-driven car, browsing the internet on your mobile. As you come within a 2-mile radius of your house, the air-conditioner switches itself on at the temperature of your choice. You enter your garage, the doors opening automatically, and walk into your room. The lighting dynamically adjusts according to the weather outside, and the lasagna that was in the oven is now all warmed up.

Twenty years ago, if somebody told me such a tale, I’d have laughed and said “you watch too much science fiction”. But today, this scenario is within the scope of modern reality. The IoT revolution is finally here, and it is supposedly bringing joy and comfort to people. But there’s a downside to IoT: it is increasingly becoming an attractive target for cybercriminals. The increase in the sheer number and variety of connected devices has opened up possibilities for coming up with new and more diverse attack techniques.

IoT.security.JPG

Security flaws in IoT products have been brought to light by hackers and security researchers. Some of the hacks which made security news were: Smart home, Surveillance cameras, Jeep car (accessed remotely and its engine killed remotely). In addition an airplane’s cockpit controls were accessed via the in-flight entertainment system. As if these weren’t enough, even pacemakers and insulin pumps were demonstrated as being hackable.

If one were to take a closer look into these hacks, a bunch of recurrent fundamental security problems with the IoT ecosystem come forth. Let’s take a look at some of those problems.

Communication Channels

IoT devices mostly communicate wirelessly using protocols like LTE Advanced, Cellular 4G/LTE, 3G GPS/GPRS, 2G/GSM/EDGE, CDMA, EVDO, WIMAX, Weightless, Wifi, Bluetooth, UWB, Z-Wave, Zigbee, 6L0wpan, NFC and RFID. There are known security flaws associated with these protocols, and yet they continue to be widely used. This leaves us with two non-trivial choices:

  1. Fix the issues with these protocols
  2. Come up with better and more secure protocols

Both of the above choices are non-trivial to execute.

Authentication and Authorization

Credentials/tokens are essential in the traditional authentication and authorization approach. However, IoT has added new modes: biometrics, sensors, NFC, RFID, and sometimes, surprise surprise: no authentication at all! All these years industry has been struggling with securely storing credentials in one way or another. But now we have a whole new array of authentication and authorization approaches to take care of.

End-to-End Encryption

Mobile apps, messaging apps in particular, first encrypt the user’s data on the device using state-of-the-art industry-standard encryption algorithms. Then anti-snooping, end-to-end encryption techniques are deployed. However, the same approach can’t be taken with IoT devices as the modes of communication are fundamentally different. Here, the communication is not one-to-one but, one-to-many or many-to-many. Data travels through many communication channels and nodes. Also, the security protocols used by devices might vary.

Minor faults in end-to-end encryption may lead to exposure of credentials, tokens, and other sensitive informations. Imagine that you have a router using a state-of-the-art encryption algorithm. This router then communicates with a thermometer, which stores the network password in plaintext. Now, to break into the network, all one would need to do is target the thermometer, thereby bypassing the entire robust network security framework.

Insecure Web/App Interface

Web/App interfaces are infamous for being targets of choice for hackers. This can be attributed to the bugs/defects present in the underlying frameworks that these interfaces run on. A vulnerable interface could provide a hacker with access to the server or to the cloud itself. The common problems associated with this are:

  1. A lack of robust password recovery mechanisms
  2. No protection against cross-site scripting (XSS), code/SQL injections, etc.,

Hardware Failures

Preoccupied with creating a sleek and minimalistic design, some manufacturers tend to neglect hardware bugs. These bugs, in turn, can allow attackers to reboot the device(s) and their corresponding hotspots. It is not possible to deliver hardware patches over the air.

Unprotected Client Devices

IoT users’ use of desktops, laptops, tablets, mobiles, etc to operate IoT devices, in turn, opens a remote door to devices. All these devices have a long and notorious history of severe vulnerabilities. Consider a scenario of a company building a smart bulb with all these fancy remote control features. They have a highly compatible, secured mobile app, web interface and embedded hardware. But what if customers have a weak wireless setup, outdated mobile operating system, vulnerable desktop applications? On whom are we going to pin the blame for a breach??!

Image credits:
www.eweek.com

… to part II: risks from stolen user’s information

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt“.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differ significantly from each other. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected macro VBA script. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, given their script context rendered by standard interpreting applications, the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both ransomware campaigns, however, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It garnered quite an excited bunch of fellow security enthusiasts at Prague, Czech Republic, where the conference was held, to listen to the duo talk about this prototype.

This presentation addressed majorly on file encrypting ransomware variants. A demo followed to display the capability of this generic anti-ransomware prototype in defending ransomware through samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea to develop a simple solution to thwart complex ransomware menace. This generic framework is on the process of being incorporated into our products, and we are super excited. We also would take this opportunity to thank our readers, for sending ransomware samples requested by them to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

Tearing Down the Wall

Thursday, October 1st, 2015


In all likelihood, the ransom note above is possibly what an already overworked IT technician of a corporate network is staring at at this moment. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall; a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices & tormented users willing to do whatever it takes to retrieve the company’s data back, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype & presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware“ tomorrow, the 2nd of October 2015 at the Virus Bulletin International security conference held at Prague.

We hope to see you all there !!

Lokesh Kumar
K7 TCL Systems Manager

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed

Pick the Permissions; Android Marshmallow

Wednesday, September 2nd, 2015

This blog intends to inform the general public about some of the feature enhancements in the next version of Android (6.0), labelled “Android Marshmallow” focussing on the significance of the permissions list of an application.

Last week Google announced its next version of Android, Android 6.0 nicknamed “Marshmallow”. Though the final release date of Marshmallow is not yet confirmed, here are some of the interesting features included in Marshmallow, by no means an exhaustive list:

  • Android Pay

With this feature users can enter their credit card details and Google will create a virtual account to enable an easy checkout process using the NFC system.

  • Application linking

As of now when a user clicks on a link, a dialog box pops up prompting the user to select one of the available applications like Chrome or another suitable browser application to render the link. With Android Marshmallow, the Android OS verifies the link with the respective application server (provided the corresponding app is installed) and post authentication, with the help of an auto-verify feature (application developers can code an auto-verify feature in their application) the link is opened within the application.

  • Unlock feature

Fingerprint scanner support.

  • Power

Though not security-related it is interesting to know that “Doze Mode” is incorporated to improve the device’s standby time. Using motion detectors, Android will identify if the device is idle or in use. If the device is found idle, Android kills the background processes to improve the battery life.

  • App permissions

Yes! Now I can choose what an application should be allowed to do in real time!. Traditionally, Android applications request the user for their required resource-access permissions at install time. These permissions cannot be modified post installation. With Android Marshmallow, users can choose to allow or deny a specific permission from the permission list of an Android application whilst the application is active. The description of this feature claims that the applications will request for the required permissions the first time the application’s feature is invoked, instead of requesting all the permissions in one go at installation time. As many of Android malware disguise themselves as legitimate applications or are bundled with other legitimate applications, restricting an application based on the permissions (which in turn restricts the app’s functionality) would help increase the security of the user’s device and personal data.

However, users-awareness about the importance of the permissions granted and the functionality of an application is still essential. As we discussed in our previous blog, a taxi-booking application does not typically need permission to access the files in the device’s SD card to perform its functionality. Similarly, a gaming application does not require permission to access contacts information for it to operate. One should be aware about the permissions that should be granted or denied to avail of the application’s actual functionality.

In addition, for Android Marshmallow, if the same permission restrictions hold good for a legitimate security application as well, there is a possibility that a malware with super-user access could modify the granted permissions list of the security application. As suggested by us in our VB2014 paper, updating the Android OS framework such that trusted security applications are loaded earlier than any other application installed could help handling these situations.

Image courtesy:
Androidpit.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Real or Fake App?

Friday, July 31st, 2015

This blog intends to discuss a few real-time difficulties in identifying whether a downloaded Android application is safe or not, along with a few precautionary steps for Android smartphone users to follow when downloading an application.

Year-on-year, smartphone usage in India is growing at an enormous rate. These days almost everything is mobile, i.e. smartphones have accommodated users in such a way that users welcome applications even for their day-to-day commercial activities like paying bills, ticket booking, etc.

Now, there arises a serious question of trust, “How far is the downloaded application safe?” It is generally believed that an application can be reasonably judged by the permissions that it requests from the user during installation. Unfortunately, in recent times, most of the legitimate applications are seen to request permissions that appear to be in no way related to their current core functionality, but only in view of the application’s future enhancements.

Recently, I came across a popular taxi booking application requesting permission to access media files (photos/videos) as shown below.

The above scenario was observed in a well-known banking application as well.

I would also like to share another interesting incident. A couple of days ago, we at K7 Threat Control Lab, received a “false positive” report from an end user claiming that a famous game application has been flagged incorrectly.

Upon further investigation, it was noticed that the application is actually a fake installer. Unlike the original game app, this fake application tries to download further applications.  The above described unexpected behaviour from a game application is not acceptable.

With many other potentially fake applications of this kind doing the rounds and the latest trend of online portals moving onto app-only services, the security risk level is certainly increasing. Worst-case scenario could involve the case of mobile wallet applications, where a user may also save his/her credit card information for future use.

It goes without saying that identifying an application as suspicious or safe remains a tough job especially for an end user. With a mobile malware application exhibiting similar permission requests and functionality to a legitimate application, the malware analysis process is complicated. Security experts invest more time in code and metadata study to confirm an application as safe, one example being the exhaustive permissions list requested by both  legitimate and malware applications, that may not even be needed for their operation.

Even though the risk cannot be eliminated completely, it can be effectively reduced by following the following oft-stated traditional but yet effective precautionary steps:

  1. Think twice before you download an application whether you really need it.
  2. Download applications only from the official Playstore.
  3. Use the “Verify apps” feature from the Android OS to check whether the app is safe or not.
  4. Install trusted mobile security software, also typically downloaded from the official Playstore.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Domain-hungry Spam

Thursday, July 16th, 2015

Here is an account of an unexpected incident that reignited my fading passion for email header analysis. And it was that… a friend of mine got a nasty headache. Ah yes, you read it right.

My friend runs a one-man-show as “the IT guy” for an organization. Every day he goes to work as energetic as he can be and returns completely drained from having to deal with the bulk of unsolicited emails (aka “spam”) that floods the company’s mail server.

But the “headache” was the result of their domain getting blacklisted.

They started receiving tons of bounced emails from mail addresses which meant nothing to them. And at times they even received mails that seemed to originate from their own domain.

He had no clue as to why their domain started receiving huge amounts of bounced back emails or why their emails were not delivered to the intended recipients.

Whilst he was trying to work out why this was happening, the poor domain was marked down for “rolling out bulk emails” and the domain was blacklisted. That explains the delivery failures.

He worked vigorously with the provider to whitelist the company’s domain; but the issue repeated itself in an uncontrolled fashion that it became a part of his routine to bail out the domain.

He wanted to find if the computers on the office network were infected by some malware and how their emails are being hacked, especially given that they have one of the best Anti-Virus products installed and a good set of security policies in place.

And his plea to take a look into the issue pushed me to awe Joe.

Scrutinizing the few email headers he showed me, I was able to identify that a rare form of spam attack nicknamed “Joe job” was causing damage to the company and its domain’s reputation.

So what actually is a “Joe job”?

A spammer can craft the email header to make it appear to come from a spoofed sender, i.e. the recipient would see something like “john@domain.com” in the “from” address but the actual sender would be someone else.

Also, the “reply-to” field can be played with so that any responses or bounce-backs would be redirected not to the address in the “from” field but to the one specified in the “reply-to” field.

Spammers use this technique for various reasons including hiding their identity, escaping the issue of handling undesired bounced-back/non-deliverable emails, skipping spam filters and stealing the victims’ bandwidth.

Here is a description of the original attack for reference: http://joes.com/spammed.html

Though the Sender Policy Framework records (SPF records allow domain owners to publish a list of IP addresses or subnets that are authorized to send email on their behalf) and security policies are properly set up, a few misses while configuring the mail server ended up feeding the domain’s reputation to spammers in this case.

It is important to remember that spam filters cannot be too rigid, but a simple rejection of bounced back emails from unknown senders could have saved the domain, to some extent, from falling prey to such spam attacks and causing a headache for my friend (although this did rejuvenate my fading passion…).

Image courtesy of:
blog.antispam.fr/wp-content/uploads/2013/03/email-bounce.jpg

Ayesha Shameena P
Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Patch Released, Before You Can Say ‘Patch Tuesday’

Friday, July 10th, 2015

Microsoft is set to do away with its cycle of serving up security updates, released on the second Tuesday of every month. This is (un)officially known as ‘Patch Tuesday’ in tech circles.

In an earlier blog post, we had mentioned that Microsoft is doing all it can to beef up on their security front. Along the same lines, this is also a move to ensure that any security update, critical or not, will reach a Windows 10 user immediately and will no longer have to wait for a month.

Yes, updates will be rolled out 24/7 year round for all devices that run Windows 10, thereby potentially reducing the time taken to address a security issue once it is found. These releases are not restricted to security updates alone, but any software enhancements would also follow the same pattern.  A round-the-clock approach updating the OS infrastructure could also improve the quality of the updates; in the past there have been issues with unstable patches.

While the month-on-month cycle is going to remain for Business and Professional users, Microsoft has reworked this under the title Windows Update for Business. This would provide features to prioritize patching based on chosen devices, to specify timeframes during which updates should occur, and peer-to-peer delivery of the updates for bandwidth conservation in an environment of a large number of computers.

This expedited update schedule is primarily aimed at securing devices ASAP once a security lapse has been identified and fixed.  Though Microsoft claims that users will be provided free lifetime upgrades, the timeframe might in fact be tied down to the type of device that the OS is running on and the device’s supported lifetime.

Perhaps Microsoft is taking the timely patching of security lapses to an even higher level since many supposedly dead and dried malware (Conficker, etc.) that aren’t supposed to be spreading are still doing the rounds just because a patch hasn’t been applied. It is imperative that we as users take security, at least as seriously as Microsoft appears to be doing.

Image courtesy of:
keepcalm-o-matic.co.uk

Kaarthik R.M
K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Citizen to Netizen in Digital India: The Need to Secure Cyber Space

Thursday, July 2nd, 2015

The Honourable Prime Minister of India, Shri Narendra Modi, launched the Digital India project yesterday, an ambitious undertaking to interconnect and deliver government services to India’s 1.25 billion citizens.

Fortunately, the challenge of securing the vast cyber space for netizens has been keenly recognised by the Government of India as the Prime Minister stated the following in his speech:

“I dream of a Digital India where cyber security becomes an integral part of national security”

The Prime Minister made unambiguous references to the potential vulnerability of India’s current and future critical infrastructure and services to cyber-attack. The plethora of international spying, hacking, and Denial-of-Service attacks, which have made the headlines in recent times, allows one to put things in perspective. India has its own share of inimical nation states, along with non-state actors, both beyond as well as within the country’s borders.

The Prime Minister also recognised the dangers posed to an average netizen at a personal level. He related how common theft has progressed from stealing somebody’s wallet on a bus, in the past, to the current ability of criminals situated thousands of miles away to wipe out a bank account within the time it takes to click one’s fingers.

Indeed, as highlighted previously on our blog, there exists legislation to aid the protection of netizens from common cybercrime, as well as provisions to safeguard national cyber security. However we believe there is lot more to be done. In this blog we wish to highlight certain problem areas which need to be taken into account to boost cyber security for the netizen, and thus, for the nation.

There is a lot of emphasis on the use of online social media and sharing of data “securely”. Of course netizens are only too keen to share Personally Identifiable Information (PII) on public sites, which may not even be hosted in one’s home country. Apart from its general nuisance value, leakage of PII allows the mounting of sophisticated targeted attacks. We recommend thinking several times before posting private information on public sites.

Plans to provide many services online, including secure private document storage, will require netizens to be made aware of basic security hygiene, at least vis-à-vis the use of strong passwords which must be difficult to crack. However, for ease of remembering, it is likely that many, if not most, netizens would employ the same credentials across multiple portals. The compromise of just one password could leave your data exposed on several other sites. In addition, the secure storage of digital certificates, used to authenticate the source and ownership of documents, is a cause for concern as a stolen certificate could lead to complete identity theft.

The exploitation of vulnerabilities on both the client and server side poses a real and present danger to all users. On the client side, software installed on a user’s computing device can and do have hidden weakness that can be taken advantage of during attacks. Vulnerabilities on the server side, especially web servers, have the potential to compromise thousands, and with the advent of Digital India, perhaps millions. A huge proportion of websites, including many with ‘gov.in’ in the domain name, are not necessarily implemented and managed with security in mind, leaving netizens vulnerable. Several trusted Indian state and central government sites have been hacked and defaced in the recent (and not-so-recent) past. We have blogged previously about website hacking, and remediation techniques with which webmasters ought to be familiar. We hope that the government portals which deliver services will be made robust to any form of attack, particularly intrusion and Denial-of-Service.

Mobile devices are set to play a crucial role in the Digital India project. Android is likely to be the most common mobile platform used to communicate with government portals, given the relatively low cost of Android devices. It must be noted that despite Google’s assertions to the contrary, Android devices are certainly not invulnerable to malware attacks. Mobile devices must also be secured, with the user being made aware of the do’s and don’ts of app installation.

The above list of issues is far from exhaustive. We have touched merely the tip of the iceberg. Covering other potential issues is beyond the scope of this particular blog.

An interconnected, inclusive Bharat via the Digital India campaign is an exciting prospect. We wish the campaign all the very best, and we, as IT security professionals, hope to contribute significantly to its success. We would simply like to reiterate the cyber security threat potential to netizens and the Government of India so that robust security hygiene is maintained with discipline, allowing the freedom of a safe online service experience. Jai Hind!

Some images (adapted to suit the article) are courtesy of several sites.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Buy None (maybe)Get One(malware) Free

Monday, June 29th, 2015

Online free software exists aplenty, keenly attracting a user’s attention. The question is, “Are these free software applications really trustworthy?” . With security as the main concern, a computer user must be careful enough while installing any software that is downloaded online. Many of these free software install toolbars or other kinds of unwanted software that are bundled with them.

On the other hand, there are popular free software like Adobe Reader, Adobe Flash Player, etc., that seem to have become an almost mandatory part of computer use these days. Thankfully, these software installs do not include any compulsory extra activity apart from their core functionality, and even attempt to keep themselves secure with regular security updates as and when required.

Security updates are necessary given that many of these free software utilities have loopholes (also known as vulnerabilities) that are left unseen even after they are released to the outside world. These loopholes tend to attract attacks from remote hackers to compromise the user’s computer.

It is a known fact that many users globally, including a high proportion in India, have pirated software (especially the Windows OS) installed on their computers for whatever reason. Historically pirated versions of the Windows OS have not been eligible to receive either security or product updates, leaving the computer far more vulnerable to attack as cyber criminals always strive to exploit a new route or loophole in installed software to enter the target machine.

Therefore one should always be aware of the importance of the security updates. K7 users can run a “Vulnerability Scan” to determine if any known vulnerable components of certain high-profile software exist on the computer. At least in the case of popular free software users are strongly advised to avail of free security updates such as those provided by Adobe Reader, Adobe Flash Player, Java etc., to better guard against unpleasant surprises.

Image courtesy of:
Yadadrop.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/