Blog Feed
The Petya Virus: How It All Went
27 June 2017 could be called Ukrainian history’s “black cyber Tuesday”. On that day, the NotPetya (Petya.A, ExPetr) attack began, affecting almost all sectors in the country: communications, energy, banking, media, and transportation. The Petya ransomware is far from the first test of the strength of Ukraine’s infrastructure. Such attacks have been attempted at least three times. The first two attacks didn’t take place on such a large scale, but were highly unpleasant: in late 2015, the BlackEnergy virus, targeting the energy company Ukrenergo, led to blackouts in some areas. Exactly a year later, in December 2016, some commercial banks and the Ministry of Finance were targeted along with, once again, Ukrenergo. But up to that point, nothing like this had happened.

What it was

Initially, Petya took the form of a file-encrypting virus which would subsequently demand a ransom. The hackers promised a decryption key to users who sent $300 worth of Bitcoin to their electronic wallet. However, these users received no code after transferring the funds, and decryption of the data remained impossible. Some experts, having analyzed the hackers’ strategy, noted that ransomware doesn’t work that way: receiving the ransom was not the goal of the attack’s organizers. As time passes, there is more and more support for the belief that the NotPetya malware was only disguised as ransomware. Its main purpose was different: the destruction of information stored on the affected computers’ disks. On this basis, the malware can be categorized as a wiper rather than ransomware. The encryption-decryption story was there only to divert users’ attention. There is also another version of the story, which argues that the attackers’ goal was to obtain control over all the infected computers, control which would persist even after the removal of the virus and the cleaning of the disks.
In response to this, though, it can be observed that the method by which the attack was executed was too “loud”, attracting too much attention. A real spy would have tried to gain a foothold on victims’ computers in the least noticeable way possible, without advertising the infection. Thus, an attempt to cause chaos in large organizations and companies, causing them material losses as well as reputational damage, seems more realistic.

How it got in and spread

One of the main infection vectors was the accounting software M.E.Doc, used for submitting reports and circulating electronic documents in the majority of Ukraine’s enterprises and organizations. An investigation carried out by Ukraine’s cybersecurity team showed that malicious code had been injected into an update for the program. Thus, only the computers on which users downloaded the update were infected immediately. The malware then spread through corporate networks, including to machines on which the notorious M.E.Doc had not been installed. This was possible because back in the spring of 2017, the attackers gained control of an account used by an employee of the developer (Intellect Service), thereby gaining access to the program’s source code. An additional risk factor was the use of outdated software on the company’s server. That very server, in fact, went four years without being updated. Another way the file-encrypting virus arrived on computers was through phishing emails that contained links which triggered a download of the malware. After infection and a spontaneous reboot, access to these...
Social Engineering: What It Is and Why It Works
What do advanced network hackers have in common with run-of-the-mill scammers lying in wait for unsuspecting victims on the street? Both make extensive use of social engineering, though many of them don’t even know the term. Social engineering refers to a method of acquiring desired information by using psychology, in particular the weakness of the human factor: the fact that the reactions of Homo sapiens are largely predictable. Knowing this, it’s possible to “program” the behavior of both individuals and groups. Examples of social engineering can be found both online and in everyday life. It’s used in marketing and political campaigns, for which terabytes of information about people’s preferences and habits are gathered in advance. After all, knowing typical behavioral and preferential patterns makes it possible to target advertisements that encourage people to buy something, order something, or vote for a particular candidate. Practices like these certainly aren’t going to please everyone, but at least as far as legal collection of information is concerned, citizens do have the option not to share their data. For example, internet users can prohibit sites from tracking their search and geolocation history. The criminal application of social engineering techniques is first and foremost to obtain some desired confidential information, naturally without any thought for the victims’ wishes. The standard procedure used by these social hackers consists of several basic steps:

1. Choosing a valuable target.
2. Collecting data on the target in order to find the most vulnerable avenue of attack.
3. Creating a scenario based on the collected data; this scenario should coerce the victim into taking some action desired by the attacker. (On the internet, the goal is usually to facilitate unauthorized access to a computer system, bypassing authentication and other security measures.)
Speaking of coercion: it’s important to note that there is no outright force involved; instead, the manipulation is invisible to the target, who thinks they are acting of their own free will. We can model such a situation, in which the victims themselves turn to the attacker for “help”. For example, a flyer with the contact information for a tech support service is left in some conspicuous location in an office, and the attacker remotely creates some sort of problem on an office computer. As a result, the user turns to the attacker, and in the process of “solving the problem”, discloses the information the attacker wants.

Basic social engineering techniques

Phishing

One way to obtain confidential information from the user is through phishing. In this technique, an e-mail is sent to the victims, supposedly from their bank or some other authoritative organization, asking the user to enter some information into a form, such as a username, password, card number, or PIN code. In addition to revealing sensitive information to the attacker, phishing victims also risk having their devices infected by malware when navigating to the fake website or filling out the form. (We cover the dangers of phishing and how to protect yourself from it in another post.)

Trojan Viruses

Trojan viruses are a variation on the previous method, typically also distributed through e-mail. Instead of a fake form to fill out, the email features an attachment containing malware which can collect or modify data on the user’s computer at a later...
Malvertising: Can It Be Stopped?
Yet another threat to users’ safety is becoming increasingly prevalent: malicious advertising, or malvertising. Malicious advertising itself isn’t new, but recently its use has become alarmingly widespread: last year there were almost twice as many instances of malicious advertisements as there were in 2015. Of the 80 million sites analyzed by researchers in 2015, 19,000 pages were found to be infected; in 2016, nearly 30,000 such pages were found. The total number of pages checked was the same for both periods. So, what exactly is malvertising, and what makes it so dangerous?

The history of malvertising

The first cases of malvertising were discovered around late 2007 to early 2008. At that time, attackers exploited a Flash vulnerability (and even today, Flash is loved by hackers due to the large number of security “holes” in it). In 2009, after the online version of the New York Times had malware posing as advertisements inserted into its pages, the site was forced to suspend the serving of third-party ads, and even published advice to help readers avoid the threat. By 2010, malicious browser advertisements had grown to such proportions that an interdisciplinary group was formed to combat them. Since 2015, in addition to desktop and laptop browsers, malvertising has also begun targeting the browsers of mobile devices. Most frequently, attacks target sites with large volumes of daily traffic, enabling attackers to infect as many devices as possible. For example, the Huffington Post, The Daily Mail, NYTimes, LATimes, and other major news portals have fallen victim to malvertising attacks at various times. Attackers’ traditional “favorite” targets have been file-sharing sites and BitTorrent trackers. Problems were seen on large forums and at IT help desks. Not even giants like Yahoo and Forbes have been able to escape malvertising attacks.

How it works

Malvertising refers to the practice by which an attacker hides malicious software in advertisements.
Typically, what appears to be a simple banner or text ad actually triggers an exploit, infecting the user’s computer with various kinds of malware. Specialized scripts can filter out and target users running vulnerable software, redirecting them to pages that distribute malicious software. Sometimes it’s not even necessary to click an infected advertisement to be affected: scripts inserted into the page run automatically when the page loads. Attackers have turned to these methods of spreading viruses because the traditional methods involving phishing emails, torrent trackers, and pornographic sites have become problematic. First, these methods have begun to arouse suspicion among users; and second, they make it more difficult for attackers to “catch” employees of major companies in their nets, so to speak. After all, these users are obviously not going to download torrents and watch porn on the company-owned computers they use while on the job. How, then, can attackers reach this “audience”, one which is of such high interest to them? They’ve found a solution in advertisements. Tools already exist to facilitate attacks on specific companies that interest criminals. This possibility exists thanks to the precisely targeted advertising platforms offered by search engines. (In the search, one can specify a particular region of users, a field of interest, and/or an advertising section.) When an employee of a particular company visits the site, he or she is shown the “correct” advertisement, containing a built-in malicious payload (usually spyware)...
What is Online Skimming and How to Avoid It
Card skimming, implemented through card-reading devices placed over the card slots of ATMs, is familiar to many. Nowadays this type of credit card fraud is also appearing on the web. Of course, it has been improved and adapted to its new ‘habitat’. But the crux of the matter remains the same: the theft of credit card information for use in criminal undertakings. On the web, malicious JavaScript code effectively replaces the skimmers on the card slots. In order to introduce this code onto the servers of internet shops (online stores turn out to be the most frequent victims of this kind of fraud), hackers exploit vulnerabilities in the websites’ software. After installation, the spyware reads the data from the credit cards entered by customers while making purchases. The information from every credit card payment made in the shop is thereby intercepted and sent off to a server under the attacker’s control. After that, the thief is able either to sell the card number (on the black market the average price of one “lot” is around ten dollars) or to use the other person’s credit card himself. A protected HTTPS connection won’t help to protect the data here: since the malware is installed on the shop’s server, the information leaks before encryption takes place. Often a break-in leaves no trace, not only for the customer whose data was stolen but even for the owners of the merchant websites. Online skimming first attracted serious attention at the end of 2015, when researchers found over 3000 internet shops which were “leaking” customers’ card information. For most of the identified websites, the skimming code had been working for a few months, and in certain places for more than half a year. You don’t even want to imagine how many credit card numbers were compromised during this period. Since then, a year has passed. What are the results?
Now the number of merchant sites with online skimming has increased significantly. One of the factors behind the increase in infected stores is that hackers have learned to skillfully mask the malicious code, making its detection quite difficult. A year ago, just one type of online skimmer with a few modifications in the code was in general use; today, nine types of JS scripts belonging to three different families have been identified. However, the main reason for the spread of online skimming is that the managers of internet stores are not particularly concerned with eliminating it. After the problem was detected, the owners of the affected sites were promptly informed by researchers about the vulnerabilities in their websites’ data protection systems. Unfortunately, the overwhelming majority didn’t react with due attention. Some simply did not respond to the specialists’ warnings; some doubted the presence of spyware on their sites, claiming their data protection systems were all in order. Meanwhile, there are certain means that allow not only the removal of these harmful “additions” but also the prevention of their reinstallation: specialized software that scans websites for vulnerabilities and changes in code, monitors them daily, and reports problems as they arise. Insofar as the store owners are clearly not aware of serious problems, it is worthwhile for potential customers to...
How to Make a Profit out of Voice Call Based 2FA
You thought all hackers are bad? It’s not so simple: in IT circles there has long been a distinction between “black hat” and “white hat” code crackers. The first are easily understood: they use their skills to deprive users and companies of money, and also prey on other valuable information for the purposes of identity theft. But there are those who engage in hacking not for gain, but with humanitarian and scientific motives. Such “good guys” are called white hat hackers. The main point of their work is to find vulnerable websites and services, and then notify the administrators of such resources. With the help of white hat hackers, administrators have eliminated a lot of bugs, and data protection in the network space becomes a more tractable problem. Sometimes experts manage to find a “hole” even in functions that were designed to protect against hacking. That’s exactly what happened with two-factor authentication. The Belgian white hat hacker A. Swinnen found a clever way to earn extra cash by means of voice call-based 2FA. How is this possible? One of the main tasks of information security is to establish the legitimacy of the person requesting access to his or her account on a website, online bank, or payment system. To solve this problem, there exist numerous (often quite exotic) ways to authenticate users. The most reliable among them today is recognized as two-factor authentication using one-time passwords. The most common way of delivering one-time passwords is SMS authentication. But some companies use a modified version of it: voice calls to the number tied to the user’s account. This is the option A. Swinnen used. He set up experimental accounts on Instagram, Microsoft Office 365 and Google using phone numbers for which calls and messages are not free. Unfortunately, the systems of these services could not determine that these were premium-rate numbers. As a result, after each call, the companies were billed.
The researcher found a way to make the robots used by Google, Microsoft and Instagram call premium rate numbers as often as possible. Swinnen calculated that in a year he would have been able to earn somewhere between 2000 and 670 000 dollars, depending on the service targeted (the least promising was Instagram, and the most promising Microsoft). The white hat hacker told the developers about the problems he found at the end of 2015. It should be noted that all three companies have taken steps to eliminate the bugs found in their two-factor authentication. Such problems could be avoided altogether if companies used more robust and modern methods instead of SMS and phone calls. One such solution is hardware or software OTP tokens, which generate one-time passwords offline. These devices do not use the Internet or telephone networks to transmit one-time passwords, which eliminates the possibility of fraud or interception of one-time passwords. Businesses relying on two-factor authentication in their interaction with customers should remember that, though it is an excellent tool, it is not in itself a panacea against all threats. To make 2FA truly effective, its implementation should be well thought out. The developers should take into account all possible risks (which are often hidden in the most unexpected places). Don’t want fraudsters to find another loophole in your two-factor...
The Risks and Perils of Pokemon GO
This summer it seems the world has gone crazy over Pokemon. The characters who first gained fame in the animated series of the early 2000s have returned triumphantly and are again earning millions, now in the form of the game Pokemon GO. Its popularity is such that even serious IT-themed internet publications are writing articles about the rules of the game and advice on how to download and install it in countries where the app has not been officially released yet. However, the game has drawn more than just praise. Even though it is a very recent phenomenon, the app has already been involved in several incidents. In some it has played the role of victim, and in others that of villain. For example, on Google Play there have been three viruses masquerading as Pokemon GO. Of particular concern was one called “Pokemon GO Ultimate”. This “app” from hackers promised access to the game in countries where it had yet to be officially released, but then completely paralyzed smartphones, often leaving no way to reboot them. Even after hard reboots, the virus would continue to work in the background. It would also redirect browser traffic to pornographic websites. Two more pieces of malware displayed ads on the screens of the affected devices or pressured the owners of the smartphones into signing up for paid services. The offending apps were detected and removed from the store, but a large number of users (more than 50 thousand) managed to download the apps before that and infect their gadgets. And this happened in the official Google Play store! Imagine what is taking place in less regulated app repositories, where there are practically no checks on the available programs. It turns out that these are not the only problems one can encounter after downloading Pokemon GO. Widely circulated posts worry about the game’s capability to spy on gamers and pass their personal data on to third parties.
Few apps have drawn so much criticism for violating the confidentiality of their users. Some talk of the company’s dirty PR tactics (to attract interest in its product); others hint at a conspiracy of the “hidden world” or at the direct participation of the surveillance state in making the game. Whether or not to believe these extreme versions is a private choice. However, there is a perfectly official source that makes it possible to find out exactly which information is being collected. On the website of the company Niantic, in the section dedicated to Pokemon GO, one can find the publicly available privacy policy. It’s a shame that people rarely read the EULA: such agreements are not always as boring and useless as they seem.

Let’s Refer to the Source

In writing this article, we used the most recently published Pokemon GO privacy policy. We provide here a short summary of the contents of this document: To register for the game, in addition to going directly through the service, you can use a Facebook or Google account. All users will need to provide an email address. You also need to provide your age and a name (not necessarily your real one). For children 13 years and younger, the permission of a parent or guardian is required in order to register for the game. If a child is discovered to...
Which messaging apps are trustworthy?
Last time we analyzed the question of what makes for secure messaging apps. Now we’ll take a look at the level of security provided by several of today’s popular message exchange programs.

Facebook Messenger and Google Hangouts

These apps are built into their respective social networks. For this reason alone, they’re certainly not in the running to win “most secure messaging app of 2016”. The lion’s share of these companies’ profits comes from targeted advertisements. As such, these companies are always trying to gather more data about their customers. It would be naive to think that they don’t use the same methods with their own messaging apps. In short: it’s inadvisable to discuss business or confidential information through Google Hangouts or Facebook Messenger.

Viber

Viber is rich in functionality: besides the usual options, it even allows users to send money through Western Union. In the past, Viber has had weak security, but recently its developers have been working hard to turn it into a real, secure messaging app by, for example, adding hidden chats and end-to-end encryption. However, this is not yet available in all countries. Another issue is that messages are stored on company servers (which means they can be read by people other than their sender and intended recipient). The app also lacks password protection.

Skype

The reputation of this truly mighty yet warmly loved communications juggernaut is somewhat compromised by its belonging to Microsoft, which, naturally, collects users’ data. The elderly among us internet users might remember a time when Skype was an independent program and was, if not the most secure messenger, then certainly among the best.

Telegram

Pavel Durov’s project was fated for success: it came out at the same time as Edward Snowden’s revelations showed people that privacy online isn’t a luxury, but a necessity. Telegram has always supported end-to-end encryption, but for some reason this function isn’t enabled by default.
It also supports automatic deletion of messages. Data that has not been destroyed is stored on company servers in encrypted form. Every cluster is encrypted with a separate key. Many experts, however, have questions about the encryption protocol this company uses. It was developed in-house and is not used by anyone else. Who knows whether it’s adequate?

Signal

Secure messengers for iOS are old news. Apple has always placed a large, and from a user’s point of view perhaps excessive, emphasis on security. This secure messenger was first designed for iPhones and iPads. It now has an Android version too. The best testimony for Signal comes from Edward Snowden, who stated on his Twitter account that he prefers it. Everything is as it should be: end-to-end encryption, no possibility of server-side access, and open source. The only thing lacking is that messages can’t self-delete after being read by their addressee.

WhatsApp

This is the world’s most popular messenger, for many reasons. One of them is its security. Although WhatsApp belongs to Facebook, it’s developed by a separate, independent entity. It’s based on an open-source code base, supports end-to-end encryption as of this year, and does not allow the service provider to read messages. It uses the same encryption protocol as Signal, developed by Open Whisper Systems. This can safely be called a secure messenger.

Threema

This app is little known but...
What Makes for a Secure Messaging App?
The pace of modern life leaves no time for long, thought-out messages. Perhaps that’s why today’s answer to the wordy correspondence of yesteryear is text messaging. Practically everyone has at least one messaging app on their smartphone, and many of us use several. But what factors do people consider when choosing messaging apps? Is security one of them? Recently a team of experts led by a group of Google employees surveyed more than 1500 users to discover what causes them to choose different apps. Unfortunately, the security of messaging apps was the least important feature for most users. The greatest factor turned out to be how many of the user’s friends themselves used the app. The survey also showed that users value free messengers, especially those preinstalled on their devices. Very few respondents said that they care about secure messaging apps. However, the problems of privacy and online security remain urgent. In fact, they’ve grown ever more serious with the mass adoption of smartphones, which are more prone to hacking than desktop computers and laptops. The large number of vulnerabilities in Android devices is especially well known, but hackers actively target iPhones as well. Taking into consideration that messaging apps are widely used for the transmission of confidential data in both personal and professional spheres, attackers who have gained access to such apps can quickly find interesting information. We often think that hackers only want logins, passwords, and bank account numbers. But any information can be of use to fraudsters, for example for phishing or for social engineering. Government agencies also attempt to monitor private communications. The recent scandal over the FBI’s attempt to break into an iPhone is an example of this. But how can we tell whether one program or another can actually provide privacy online?
Experts look for a few particular functions, the presence or absence of which is important to consider when choosing “your” secure messaging app.

End-to-end encryption

Clearly, any secure messaging app must rely on encrypted exchange. But there are different types of encryption. Typically, messengers send texts in an encrypted format, so they cannot be compromised while in transit. End-to-end encryption covers not only messages, but all information exchanged by users: files, photos, video, and music.

A secure messaging app is open source

The majority of popular messaging programs rely on closed, proprietary architecture. So even tech-savvy users have a tough time verifying whether the encryption and security are really as good as the developers claim.

Access to messages for the service provider

Last February’s scandal between Apple and the FBI, when federal agents demanded that the company unlock the smartphone of a suspected terrorist, is a vivid, memorable example. But one doesn’t need to be a criminal to interest the FBI. Information about completely law-abiding citizens might also be of interest to government agencies for a variety of reasons. To obtain such information, the government most often subpoenas service providers, not all of which can resist as strongly as giants like Apple. It’s much simpler if the developers of a messaging app don’t have access to their users’ data in the first place. There are two ways to accomplish this: either the app must use an encryption algorithm that cannot be decrypted from the server, or simply the...
Protectimus’ 2FA Solution Compatible with Citrix NetScaler Gateway
The Protectimus Solutions LLP team is happy to announce that our two-factor authentication solution has been successfully integrated with Citrix NetScaler Gateway and that Protectimus has been certified as a Citrix Ready Partner. The Citrix Ready program exists to verify the compatibility of third-party software solutions with Citrix products. This allows Citrix users to be confident in the reliability of third-party software solutions and their compatibility with existing systems. Protectimus’ two-factor authentication solution has demonstrated its compatibility with Citrix NetScaler Gateway 10.1, NetScaler Gateway 10.5, and NetScaler Gateway 11.0. Citrix Access Gateway is a program used for secure remote connection to key applications and data, and for detailed control of these applications. More often than not, software like this is used in large enterprises with many employees and, sometimes, numerous affiliates. Such companies store large sets of data, such as documentation, important corporate documents, and users’ personal information. Thus, they require hardened security systems. One crucial element of an advanced and reliable data protection system is two-factor authentication. Protectimus is an expert in this area, offering a comprehensive 2FA solution available as both a cloud service and a stand-alone platform, as well as the ability to implement custom solutions on clients’ demand. Protectimus can generate one-time passwords using software or hardware tokens, and can also deliver them by SMS or e-mail. We offer physical tokens working on the TOTP and OCRA algorithms, as well as reprogrammable TOTP NFC-compatible tokens. Protectimus offers its clients additional functionality that may be of interest: data signing, or CWYS (Confirm What You See), time and geographic filters, and intelligent identification.
These possibilities enable us to reach a high level of reliability and protect our clients’ systems from most of today’s known threats – phishing, Trojan viruses and other malware, data breaches, and “man in the middle”...
Self-Driving Cars: New Cybersecurity Challenge
Sometimes there is a feeling that we live in a science fiction novel. Kitchen appliances cook dinner for when we return from work. TVs remember viewers’ preferences. Smart cars suggest a way around traffic jams and adjust the temperature in the cabin… Yet people still have a place in this high-tech chain. We manage smart devices: we give orders and monitor their execution. But it seems that very soon smart devices will be able to do without our participation. And one of the first areas where we will see these changes may be transport. Self-driving cars are already undergoing field testing. Cars that drive themselves are a new idea. Google launched the first driverless vehicles in 2009, and since 2014 its self-driving cars have been tested in a real urban environment. Several traffic accidents have been recorded involving Google self-driving cars. But as investigations showed, the cars driven by people were to blame for these accidents, not the driverless cars. This fact proves the fairly high level of driverless car technology achieved by the smart cars’ developers. Other leading companies are not far behind. Moreover, not only the traditional leaders of the automotive industry but also large IT companies are involved in the creation of fully computer-controlled cars. Along with companies such as Volvo and Daimler, the East Asian giants Samsung and Baidu are also working on their own self-driving cars. Considering the speed of economic and technological development in Asian countries, it is not clear now who will be the first to release a fully functional self-driving vehicle. It seems that the first field to use self-driving vehicles will be cargo transportation. Driverless vehicles will naturally fit into the production chain of dispatching and transferring goods from the warehouse to the customer.
Many links in this chain have already been automated: the release of goods is managed by warehouse software; many companies already have computer-controlled loading machines. If we add self-driving trucks, connected to a centralized network, to this system, we get a fully automated production cycle. Such an organization of work can significantly reduce the costs of cargo transportation, as well as simplify delivery and calculations. The US transport concern Daimler is working on a practical implementation of these ideas. The company’s fully computer-controlled trucks have recently been allowed by law to drive in the state of Nevada. The Russian company KamAZ is also working on the same project. The company’s experts promise to release a working version of the self-driving truck by 2020. However, the benefits from the use of self-driving cars may be nullified by the risks they incur. And it’s not just about traffic safety, which is only one of the vulnerable points. Another major cause for concern may be data protection. When driving a modern car (not driverless yet) we use not only the car’s control computer system but also various radars, onboard computers, media centers, GPS systems, stereo cameras, etc. What is especially dangerous in this situation is that data exchange is carried out via existing platforms and communication channels (Wi-Fi, GSM, and so on). Any of these components can be hacked and compromised. Today we already have precedents of successful cyber...