These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Security’ Category

The Pen is Deadlier than … You Might Think

Thursday, May 19th, 2016

This blog intends to educate the general public about the security risks pertaining to pen drives (aka USB sticks/drives, thumb/removable drives), data storage devices that can store text, images, music, videos, etc., and ways of mitigating the risks.

These devices come in handy when the user wants to transfer data between computers. They’re small in size but can hold large amounts of data. However, the utility and ubiquity of pen drives introduce significant security risks.

Pen drives pose a major security challenge to IT administrators. Some surveys indicate that 70% of businesses have reported loss of data through USB. Being small, pen drives can easily be misplaced or stolen and, if data is not backed up, it can mean loss of hours of hard work.  An even bigger challenge is to prevent infection through already infected USB drives.

The Autoplay feature in Windows is the key route to automatically infect PCs as soon as the infected pen drives are plugged-in. This autoplay feature causes removable media such as pen drives, CDs, etc. to open automatically when they are inserted into a computer.

Hackers and autorun worms use the autoplay feature to run malicious executables from removable drives. USB as an infection vector is not new; many older but infamous families of malware, notably Conficker, Sality and Gamarue use USB as part of their infection vector.

It is to be noted that many computers still have Windows XP, for which Microsoft withdrew support in April 2014, installed. Windows XP is popular among PC users especially in India, and has the autoplay feature enabled by default. Thus they are at greater risk of an autorun infection on their system than users who have updated their computer’s OS to recent versions of the Windows Operating System such as Windows 7. It is interesting to mention that most of these autorun worms originated in Asia.

Pen drives also provide an opportunity for malware to spread to stand-alone computers that are not connected to any network. The person carrying the infected pen drive, knowingly or unknowingly, bridges the air gap between the stand-alone computer and the network. It is of high probability that a pen drive used on one infected system (provided the infection on the system is capable of spreading itself) gets itself infected, thus spreading the infection to healthy computers when simply inserted into them.

Hence we advise users to practice one or more of the following recommendations to overcome the risks associated with using pen drives:

  1. Scan the pen drives for malware after sharing with your friends or family as a precaution against infections. Even if you have an up-to-date, reputable Anti-Virus Security product installed on your computer, your friends and family might not on theirs.
  2. Avoid using pen drives on public computers, e.g. at Internet cafes.
  3. If you have not already done so, install a world-class, up-to-date antivirus product like K7 Total Security.
  4. Use the autoscan feature, if any, in your Anti-Virus product to automatically scan all USB drives as they are connected to the system. Also schedule frequent, automatic scans on your PC to keep it infection-free.
  5. To prevent loss or theft of data, you may block USB devices from being used on your system. K7 Total Security has features to block pen drives and restrict read-write access to USB drives.
  6. Vaccinate your pen drive to ensure that it does not get infected by an Autorun worm even if it is used on an infected machine.

Images courtesy of:
Com.net
Technologymess.com

Rathna Kamakshi
Manager – K7 Support

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Caution: Free WiFi Ahead

Thursday, May 12th, 2016

Continuing our series on cyber security following the two-part blog on digital signing, this is the eighth post which hopes to enlighten users on how to safely tread the open WiFi zones in public areas.

Free WiFi hotspots, which were a luxury some time ago in India, have become the norm nowadays. With the Indian government aiming to take the Internet to last tier cities, towns and villages it is only a matter of time before we are encapsulated in WiFi zones everywhere. This is aimed at bringing the wealth of information available on the internet to the masses. However, the omnipresence of WiFi could attract a great deal of sniffing and eavesdropping.

Open WiFi hotspots, though meant for the greater good, could become the medium for information security mishaps. Any data sent to an unprotected network could easily be monitored using packet or network sniffing applications by a hacker with malintent.

When using an open WiFi hotspot the network traffic between your device and the router is not encrypted, as opposed to using a home WiFi connection which should usually be secured by a passphrase which encrypts the traffic and shields it from eavesdroppers. Hence in an open WiFi connection, any data you send to the router is sent in a visible form and can be snooped upon by using packet or network sniffers. Imagine someone filling out details to an online form; the data submitted could fly across as plain text and can be easily grabbed off the air.

It is advisable to avoid using internet banking and online shopping portals, and communication apps when connected to an open WiFi. Also, it is advisable to turn off network sharing, in the case of laptops, since they could be accessible to people who are connected on the same network, and if the shared resource has no authentication then it would become an easy target for intruders.

A user needn’t explicitly open an app (with a potential security loophole) on his or her mobile device to expose its security hole. Most apps today keep looking for an active internet connection either to push or retrieve notifications thereby exposing its security lapse on an open WiFi connection. It is therefore advisable to restrict background data when on an open WiFi network.

Of course one cannot totally dismiss an open WiFi connection as inherently unsafe. It would be user-practices that make it safe or unsafe. For those who are totally dependant on an open WiFi network, they could choose to use a VPN application thereby securing their communication with the network within a secure channel, and decide to post content only to websites that are signed and secure.

Images were courtesy of:
muraldecal.com
toonclips.com

K7 Threat Control Lab
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Public Website: Protected or under Private control

Thursday, May 5th, 2016

Yet another reminder of the importance of implementing robust website security, the flash news today alleged that “IRCTC website has been hacked, a major public website! And apparently, thousands of users’  data including PAN card details etc.,  could be in danger of being stolen.

Public websites that are used nation-wide and meant to store huge user data should ensure the highest levels of data security. It should be noted that since such publicly-available websites provide a treasure trove of data to hackers, they are high-value targets of compromise. They could also be a target for pranksters and hacktivists seeking publicity.

Hackers usually hack a website by exploiting one or more of the weak links in the website design. Real-time data stolen from these kinds of websites earn them a lot of monetary benefits, as the stolen data can be sold for huge amounts of money either to legitimate, typically marketing, companies or another hacker group.

Any down-time for such important public portals for even a short amount of time to fix the issue might entail a hefty economic hit, and inconvenience thousands of users. However, security of these public websites demands regular vulnerability assessments and penetration tests to identify weaknesses, and software updates for the hosting platform on which it runs and for third-party installed security software.

Prevention is better than Cure.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Does Android Nutella Hit the Security Sweet Spot?

Thursday, April 28th, 2016

This blog intends to inform the general public about the next version of Android (7.0), expected to be labelled “Android Nutella” focussing on the significance of improved or new security features in the sweet next in line from Google.

The next dessert to taste after Marshmallow, provisionally “Nutella” (Android 7.0), loaded on Nexus devices, is expected to hit the market in Q3, 2016.

Few of the confirmed major new features in Android N as per the Android N Developer Preview version are:

  • Multi-window mode
  • Efficient Doze mode
  • Direct-reply notifications/Quick settings
  • Shifting Android Java language libraries to OpenJDK
  • Faster App optimization by ART
  • Android Beta Program
  • Data Saver mode
  • Video and Picture at the sametime
  • Changing display screen size
  • Dark mode
  • New folder icons
  • Clear All feature in recent apps list
  • Lock screen enhancements

It is to be noted from the above feature list of Android N that there are no major security enhancements in Android N revealed in the Developer Preview versions.

Lock screen enhancements:

  • In Android N, it is possible to enable a setting that allows the user to display user information like name, address, blood group, etc., on the lock screen.
  • The latest developer preview 2 of Android N  allows the user to reply to notifications from the lock screen itself.

Saying that, the enhancements at the lock screen level raises the question of privacy, i.e. data security. Suppose the device is misplaced or lost, it is possible for a third party to know the user’s identity. Credit card and banking divisions always verify a user’s identity for any request of user-profile change or account request, exactly the kind of information which can be obtained from a stolen Android N phone might enable a third party to easily steal or misuse the victim’s account.

It goes without saying that there could be a password protection mechanism to access user’s personal data. However, in that case it might not serve the purpose of helping in an emergency.

As the Android threat landscape seems to have gone a bit silent of late, at least in the IT security  world, after the discovery of the Stagefright exploit, and given Google’s super confidence in the absence of malware for Android, perhaps, the Android N development team might have skipped Security in the major feature enhancement list.

Even though the Android malware landscape has not thrown up too much to write home about in the last few months, it is understood that as there is always a malware threat for any popular OS, and hopefully Google is continuing to take security seriously. Note, apparently not all the features have been revealed in the preview versions of Nutella so let us wait for the release candidate of Android N to have a clear picture of any major security feature changes. The proof will be in the eating…

Image courtesy:
nutella.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Serve in India? Store in India! Please…

Friday, April 22nd, 2016

The Union Home Minister Rajnath Singh recently requested the likes of Google, Facebook and WhatsApp to base their servers in India for security reasons.

WhatsApp has launched end-to-end encryption which makes snooping on WhatsApp traffic via, say, a Man-in-the-Middle very difficult, thus maintaining high levels of privacy. However, the events in parts of the country over the past few days are a reminder of the power of social media in disinformation campaigns.

Such social media services are regularly abused by terrorist groups to communicate amongst themselves as well as to spread propaganda. Therefore security agencies require access to communication content as per the provisions of the Information Technology Act. Since encrypted traffic makes it difficult to monitor the activities of suspects, it is important that content on the servers is made available when lawfully requested.

Such requests would be acquiesced to more readily if social media services for Indian citizens were hosted on servers within India’s jurisdiction, instead of typically in the US as is the case currently. The high-profile battle between the FBI and Apple in the US demonstrates the difficulties Indian security agencies could face in obtaining data from outside of India’s jurisdiction.

As I had mentioned a couple of years ago, the public’s opposition to the government imposing on their privacy is based on their prevailing threat perception. Given India’s history, geography and an unenviable record of victimhood, one would suggest that the threat perception in India is rather high.

Let us see if and how the social media giants bend to the government’s will.

Image courtesy of gadgets.ndtv.com.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

There is an I,o,T in Monetize

Friday, April 15th, 2016

Following part I of the blog series that describes the security problems in IoT, here is the second part of the series that explains technically how the information stolen from IoT users can be monetized.

risk.top_.jpg

The IoT security challenges described in part I give rise to unprecedented risks. Mischievous parties could remotely trigger havoc inside an IoT user’s physical environment: Burning down houses by hacking microwave ovens, or remotely turning off home security systems, or for the sake of fun, just causing devices to work in an irregular manner. These are just a few examples of IoT hacking which can be used by cyber criminals. The possibilities are endless, almost left to one’s imagination.

The associated risks would also extend to the internet used by the  common man. On a daily basis, websites already violate  user privacy by tracking a user’s activity: what you search for, what links you click on, what websites you visit; this valuable data can be sold off to commercial companies. These companies, in turn, use analytics to build user profiles to serve targeted ads to their audience. However, with the data generated by IoT products, these profiles would contain not only cyber-activity logs but also physical activity data for the user. A person using a pacemaker could now be targeted by insurance companies with specific schemes, even though he/she wouldn’t like others to know about their medical condition.

On the Dark Internet, a major chunk of content is based upon selling stolen credit card information and user credentials. The Dark Internet provides services for DDoS attacks and hacking accounts/websites for a fee. With the increasing adoption of IoT, we might see the rise of a new kind of data on these sites. Data stolen from IoT products would provide an entirely new set of data to be used for malicious purposes. There could be malware and viruses written specifically for IoT products which may go on to cause physical damage to life and property. Consider a botnet, capable of infecting a pacemaker device. It requires only a single command to cause irregularities in the pacemaker’s functionality thereby giving malicious parties the nefarious power to carry out mass murder.

We, as a security concern, believe that industry  can definitely reduce the risks associated in using IoT devices by tackling the afore-mentioned known security problems in the IoT ecosystem at different stages such as  manufacturing and custom-designed security quality assurance testing to ensure the maximum security of the IoT devices at the software level, up until the device reaches the user.

Image credits:
www.vipinkhandelwal.com

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Problems (In)Securing IoT Ecosystem

Thursday, April 7th, 2016

Here is the first part of a two-part blog that covers the security problems in the Internet of Things (IoT) in more technical terms than our previous series .

Imagine that you are on your way back home in a self-driven car, browsing the internet on your mobile. As you come within a 2-mile radius of your house, the air-conditioner switches itself on at the temperature of your choice. You enter your garage, the doors opening automatically, and walk into your room. The lighting dynamically adjusts according to the weather outside, and the lasagna that was in the oven is now all warmed up.

Twenty years ago, if somebody told me such a tale, I’d have laughed and said “you watch too much science fiction”. But today, this scenario is within the scope of modern reality. The IoT revolution is finally here, and it is supposedly bringing joy and comfort to people. But there’s a downside to IoT: it is increasingly becoming an attractive target for cybercriminals. The increase in the sheer number and variety of connected devices has opened up possibilities for coming up with new and more diverse attack techniques.

IoT.security.JPG

Security flaws in IoT products have been brought to light by hackers and security researchers. Some of the hacks which made security news were: Smart home, Surveillance cameras, Jeep car (accessed remotely and its engine killed remotely). In addition an airplane’s cockpit controls were accessed via the in-flight entertainment system. As if these weren’t enough, even pacemakers and insulin pumps were demonstrated as being hackable.

If one were to take a closer look into these hacks, a bunch of recurrent fundamental security problems with the IoT ecosystem come forth. Let’s take a look at some of those problems.

Communication Channels

IoT devices mostly communicate wirelessly using protocols like LTE Advanced, Cellular 4G/LTE, 3G GPS/GPRS, 2G/GSM/EDGE, CDMA, EVDO, WIMAX, Weightless, Wifi, Bluetooth, UWB, Z-Wave, Zigbee, 6L0wpan, NFC and RFID. There are known security flaws associated with these protocols, and yet they continue to be widely used. This leaves us with two non-trivial choices:

  1. Fix the issues with these protocols
  2. Come up with better and more secure protocols

Both of the above choices are non-trivial to execute.

Authentication and Authorization

Credentials/tokens are essential in the traditional authentication and authorization approach. However, IoT has added new modes: biometrics, sensors, NFC, RFID, and sometimes, surprise surprise: no authentication at all! All these years industry has been struggling with securely storing credentials in one way or another. But now we have a whole new array of authentication and authorization approaches to take care of.

End-to-End Encryption

Mobile apps, messaging apps in particular, first encrypt the user’s data on the device using state-of-the-art industry-standard encryption algorithms. Then anti-snooping, end-to-end encryption techniques are deployed. However, the same approach can’t be taken with IoT devices as the modes of communication are fundamentally different. Here, the communication is not one-to-one but, one-to-many or many-to-many. Data travels through many communication channels and nodes. Also, the security protocols used by devices might vary.

Minor faults in end-to-end encryption may lead to exposure of credentials, tokens, and other sensitive informations. Imagine that you have a router using a state-of-the-art encryption algorithm. This router then communicates with a thermometer, which stores the network password in plaintext. Now, to break into the network, all one would need to do is target the thermometer, thereby bypassing the entire robust network security framework.

Insecure Web/App Interface

Web/App interfaces are infamous for being targets of choice for hackers. This can be attributed to the bugs/defects present in the underlying frameworks that these interfaces run on. A vulnerable interface could provide a hacker with access to the server or to the cloud itself. The common problems associated with this are:

  1. A lack of robust password recovery mechanisms
  2. No protection against cross-site scripting (XSS), code/SQL injections, etc.,

Hardware Failures

Preoccupied with creating a sleek and minimalistic design, some manufacturers tend to neglect hardware bugs. These bugs, in turn, can allow attackers to reboot the device(s) and their corresponding hotspots. It is not possible to deliver hardware patches over the air.

Unprotected Client Devices

IoT users’ use of desktops, laptops, tablets, mobiles, etc to operate IoT devices, in turn, opens a remote door to devices. All these devices have a long and notorious history of severe vulnerabilities. Consider a scenario of a company building a smart bulb with all these fancy remote control features. They have a highly compatible, secured mobile app, web interface and embedded hardware. But what if customers have a weak wireless setup, outdated mobile operating system, vulnerable desktop applications? On whom are we going to pin the blame for a breach??!

Image credits:
www.eweek.com

… to part II: risks from stolen user’s information

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

(Frau)Duly Digi-Signed

Thursday, March 24th, 2016

This is the seventh part of our series on cyber security, and the second part on Digital Signing. This blog post aims to inform readers about the misuse and exploitation of digital signatures.

The previous installment on Digital Signing discussed the security role of digital signatures in today’s era of internet communication and computerisation. Though designed for authentication and tamper-proofing of digital content, digital signatures and certificates are also exploited and misused to a fair extent.

Consider the case of Stuxnet (2010) wherein the device drivers of the rootkit component were digitally signed, and were actually loaded without any notification on infected systems. These drivers were signed by certificates which were actually stolen, and which were ultimately revoked by the CA which issued them.

The signed malware trend has been on the rise since then. To give some insight on the scale of the issue, let us consider a scenario in our own K7TCL. We pulled out data that represents the total number of malware signatures released over certain discrete chunks of time.

Graph 1: Ratio between signed malware and unsigned malware

The above graph depicts that on average at least one-tenth of automated detections released are for files carrying a valid digital signature. The signing certificates could either have been stolen or legitimately acquired for mala fide purposes. Unwanted Programs/Applications/Adware are examples of those that use “legitimately acquired” certificates. It is widely acknowledged that the Potentially Unwanted Programs (PUP)/Potentially Unwanted Applications (PUA) have been posing a serious problem in the AV community for some time.

To understand this better we further refined our stats data and found that it is PUP/PUAs that dominate the number of digitally-signed-file detections at more than 90%.

Graph 2: Ratio between signed PUP/PUAs and signed malware

These PUP/PUAs can more easily circumvent the security policies of recent versions of Windows that restrict unsigned executables from loading into memory. Thus digital signatures, though they make it possible to keep tabs on what gets executed, they can also lend themselves to nagging PUP/PUAs. There has been a huge increase in signed PUP/PUAs over the past couple of years, indicating a potential dilemma faced by CAs. This is apart from the very serious issues that are caused by malware authors signing their creations with paid-up, as well as stolen, digital certificates. Thus the automatic trust factor associated with digital signatures is being eroded on a daily basis.

The CAs also feel the heat since they are required to revoke or blacklist certificates that have been misused. CAs update what is called a Certificate Revocation List (CRL), wherein revoked certificates are published on a regular basis, but the CRL method had its own shortcomings. Hence Online Certificate Status Protocol (OCSP) was deployed, such that it overcame the difficulties that the CRL scheme had with respect to PKI standards.

Nevertheless, Digital Signing, plays a major role in securing digital content, despite the above-described shortcomings.

K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

IoT: What the Future Holds

Thursday, March 17th, 2016

Here is part six of the the blog series on the Internet of Things following on from IoT: How are We Going to Protect Ourselves? that concludes the blog series with a brief idea on how we, as a security company, foresee the future of IoT security.

The problems that an IoT consumer user might face is applicable to enterprises as well, on a large scale. The risks could be even higher in the case of enterprises because the devices in industry, e.g. in a nuclear power facility or water plant, cameras in data centres, medical devices in hospitals, etc., could very well also be part of IoT.

Data from millions of credit cards stolen…, hackers stealing passwords from billions of customers…, cyber-criminals stealing intellectual property from world famous XYZ company… these are the subjects of breaking security news over the last couple of years.

In the future it would be awful to hear news like  “Hackers stole billions of IoT data records”, “Cyber-criminals got access to trillion IoT devices”,  “Almost all the household appliances from XYZ country stopped working after a reported attack from ABC group”, etc. As a security company, we would consider such scenarios as possibilities but we would hate to see them manifest themselves.

The next generation of spam messages are not going to be based on assumption but will be purely and precisely based on the user’s IoT device usage and data, as it is now happening with web search items.

There could be a possibility of a new era of cyber war and cyber terrorism, but at the same time, we would like to welcome you all to the new world of cyber security protection!

http://devicebar.com/wp-content/uploads/2015/05/What-Is-Internet-of-Things-IoT-e1432593113423.png

Remember, the objective of this blog series was not to make users paranoid about IoT or to spread panic. Rather, it was to create and spread awareness on being secure in a more challenging world of IoT! So, by following simple, but important, protection steps, we should be able to protect ourselves better from IoT security dangers.

Here at K7 we have been protecting our customers and their information systems for more than two decades, and we intend to protect even their IoT devices, at home and elsewhere! We would like to witness the ‘Internet of Things’ turning into the ‘Internet of Secure Things’.

Image credits:
devicebar.com

Senthil Velan
Manager,Vulnerability Research

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed/

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt“.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differ significantly from each other. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected macro VBA script. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, given their script context rendered by standard interpreting applications, the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.

K7 has robust protection at multiple levels against both ransomware campaigns, however, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed