Blog Feed
How to Set Up Two-Factor Authentication on Luno with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Luno account! How to enable two-factor authentication on the Luno cryptocurrency exchange with the Protectimus Slim NFC hardware OTP token. Download the Protectimus TOTP Burner application. Log in to your Luno account and initiate the enrollment of a software token: go to the account settings -> Enable two-factor authentication -> Read the important information before proceeding -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here. Write down or print your recovery code to use as a backup in the future if needed. To finish the token enrollment, enter the one-time password from Protectimus Slim NFC in the “Code” field and press the “ENABLE” button. Enjoy reliable and convenient protection for your Luno...
read more

How to Set Up Two-Factor Authentication on Livecoin with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Livecoin account! How to enable Livecoin two-factor authentication with the Protectimus Slim NFC hardware OTP token. Make sure that your Android smartphone supports NFC and download the Protectimus TOTP Burner application. Log in to your Livecoin account and initiate the enrollment of the software token: go to the Livecoin account settings -> choose the “Security” section -> choose the advanced security level “Leven 2: advances” and click the “Change security level” button -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to do this here. After programming the Protectimus Slim NFC token, click the “Continue” button -> To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token, as well as the confirmation code from the e-mail and your PIN code. Then press “Continue”. Enjoy reliable and convenient protection for your Livecoin account — make hackers’ lives...
read more

How to Set Up Two-Factor Authentication on Nintendo with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Nintendo account! How to enable Nintendo 2-step verification with the Protectimus Slim NFC hardware OTP token. Make sure that your Android smartphone supports NFC and download the Protectimus TOTP Burner application. Log in to your Nintendo account and initiate the enrollment of the software token: go to the Account Settings -> choose the “Sign-In and Security Settings” section -> click the “Edit” button for the 2-Step Verification settings -> Start the 2-Step Verification setup -> Verify your e-mail address -> You will then see the QR code with the secret key (seed) -> Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here. Enter the one-time password generated by the Protectimus Slim NFC token in the “Code” field. Enjoy reliable and convenient protection for your Nintendo account with Protectimus Slim...
read more

How to Set Up Two-Factor Authentication on Poloniex with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC. The best 2FA token to protect your Poloniex account! How to enable two-factor authentication on the Poloniex cryptocurrency exchange with the Protectimus Slim NFC hardware OTP token. Download the Protectimus TOTP Burner application. Log in to your Poloniex account and initiate the enrollment of a software token: go to Settings and choose “Two-Factor Authentication” -> You will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here. Save the backup codes. To finish the token enrollment, enter your password and the one-time password from Protectimus Slim NFC and press the “Enable 2FA” button. Enjoy reliable and convenient protection for your Poloniex...
read more

The Petya Virus: How It All Went
27 June 2017 could be called the “black cyber Tuesday” of Ukrainian history. On that day, the NotPetya (Petya.A, ExPetr) attack began, affecting almost every sector in the country: communications, energy, banking, media, and transportation. The Petya ransomware was far from the first test of the resilience of Ukraine’s infrastructure. Such attacks had been attempted at least three times. The first two attacks were not on such a large scale, but were highly unpleasant: in late 2015, the BlackEnergy virus, targeting the energy company “Ukrenergo”, led to blackouts in some areas. Exactly a year later, in December 2016, some commercial banks and the Ministry of Finance were targeted along with, once again, Ukrenergo. But up to that point, nothing like this had happened.

What it was

Initially, Petya took the form of a file-encrypting virus that would subsequently demand a ransom. The hackers promised a decryption key to users who sent $300 worth of Bitcoin to their electronic wallet. However, these users received no key after transferring the funds, and decryption of the data remained impossible. Some experts, having analyzed the hackers’ strategy, noted that ransomware doesn’t work that way; collecting the ransom was not the goal of this attack’s organizers. As time passes, there is more and more support for the belief that the NotPetya malware was only disguised as ransomware. Its main purpose was different: the destruction of the information stored on the affected computers’ disks. On this basis, the malware can be categorized as a wiper rather than ransomware. The encryption-decryption story was there only to divert users’ attention. There is also another version of the story, which argues that the attackers’ goal was to obtain control over all the infected computers, control that would persist even after the virus was removed and the disks cleaned up.

In response to this, though, it can be observed that the method by which the attack was executed was too “loud”, attracting too much attention. A real spy would have attempted to gain a foothold on victims’ computers in the least noticeable way possible, without advertising the infection. Thus, an attempt to cause chaos in large organizations and companies, causing them material losses as well as damaging their image, seems more realistic.

How it got in and spread

One of the main infection vectors was the accounting software M.E.Doc, used for submitting reports and circulating electronic documents in the majority of Ukraine’s enterprises and organizations. An investigation carried out by Ukraine’s cybersecurity team showed that malicious code had been injected into an update for the program. Thus, only the computers on which users downloaded the update were immediately infected. The malware then spread through corporate networks, including to machines on which the notorious M.E.Doc had never been installed. This was possible because back in the spring of 2017 the attackers had gained control of an account used by an employee of the developer (Intellect Service), thereby obtaining access to the program’s source code. An additional risk factor was the use of outdated software on the company’s server: that server, in fact, went four years without being updated. Another way the file-encrypting virus arrived on computers was through phishing e-mails containing links that triggered a download of the malware. After infection and a spontaneous reboot, access to these...
read more

Social Engineering: What It Is and Why It Works
What do advanced network hackers have in common with run-of-the-mill scammers lying in wait for unsuspecting victims on the street? Both make extensive use of social engineering, though many of them don’t even know the term. Social engineering refers to a method of acquiring desired information by using psychology, in particular the weakness of the human factor: the fact that the reactions of Homo sapiens are largely predictable. Knowing this, it’s possible to “program” the behavior of both individuals and groups. Examples of social engineering can be found both online and in everyday life. It’s used in marketing and political campaigns, for which terabytes of information about people’s preferences and habits are gathered in advance. After all, knowing typical behavioral and preference patterns makes it possible to target advertisements that encourage people to buy something, order something, or vote for a particular candidate. Practices like these certainly aren’t going to please everyone, but at least as far as the legal collection of information is concerned, citizens do have the option not to share their data. For example, internet users can prohibit sites from tracking their search and geolocation history. The criminal application of social engineering techniques is first and foremost to obtain some desired confidential information, naturally without any regard for the victims’ wishes. The standard procedure used by these social hackers consists of several basic steps: choosing a valuable target; collecting data on the target in order to find the most vulnerable avenue of attack; and creating a scenario based on the collected data, one that should coerce the victim into taking some action desired by the attacker. (On the internet, the goal is usually to facilitate unauthorized access to a computer system, bypassing authentication and other security measures.)

Speaking of coercion: it’s important to note that there is no outright force involved; instead, the manipulation is invisible to the target, who thinks they are acting of their own free will. Consider a situation in which the victims themselves turn to the attacker for “help”. For example, a flyer with the contact information of a tech support service is left in some conspicuous location in an office, and the attacker remotely creates some sort of problem on an office computer. As a result, the user turns to the attacker, and in the process of “solving the problem” discloses the information the attacker wants.

Basic social engineering techniques

Phishing

One way to obtain confidential information from the user is phishing. In this technique, an e-mail is sent to the victims, supposedly from their bank or some other authoritative organization, asking the user to enter some information into a form, such as a username, password, card number, or PIN code. In addition to revealing sensitive information to the attacker, phishing victims also risk having their devices infected by malware when navigating to the fake website or filling out the form. (We cover the dangers of phishing and how to protect yourself from it in another post.)

Trojan Viruses

Trojan viruses are a variation on the previous method, typically also distributed through e-mail. Instead of a fake form to fill out, the e-mail features an attachment containing malware which can collect or modify data on the user’s computer at a later...
read more

Malvertising: Can It Be Stopped?
Yet another threat to users’ safety is becoming increasingly prevalent — malicious advertising, or malvertising. Malicious advertising itself isn’t new, but recently its use has become alarmingly widespread: last year there were almost twice as many instances of malicious advertisements as in 2015. Of the 80 million sites analyzed by researchers in 2015, 19,000 pages were found to be infected; in 2016, nearly 30,000 such pages were found. The total number of pages checked was the same for both periods. So, what exactly is malvertising, and what makes it so dangerous?

The history of malvertising

The first cases of malvertising were discovered around late 2007 to early 2008. At that time, attackers exploited a Flash vulnerability (and even today, Flash is loved by hackers because of the large number of security “holes” in it). In 2009, after the online version of the New York Times had malware posing as advertisements inserted into its pages, the site was forced to suspend the serving of third-party ads, and even published advice to help readers avoid the threat. By 2010, malicious browser advertisements had grown to such proportions that an interdisciplinary group was formed to combat them. Since 2015, in addition to desktop and laptop browsers, malvertising has also begun targeting the browsers of mobile devices. Most frequently, attacks target sites with large volumes of daily traffic, enabling attackers to infect as many devices as possible. For example, the Huffington Post, the Daily Mail, the NYTimes, the LATimes, and other major news portals have fallen victim to malvertising attacks at various times. Attackers’ traditional “favorite” targets have been file-sharing sites and BitTorrent trackers. Problems were also seen on large forums and at IT help desks. Not even giants like Yahoo and Forbes have been able to escape malvertising attacks.

How it works

Malvertising refers to the practice by which an attacker hides malicious software in advertisements. Typically, what appears to be a simple banner or text ad actually triggers an exploit, infecting the user’s computer with various kinds of malware. Specialized scripts can filter out and target users running vulnerable software, redirecting them to pages that distribute malicious software. Sometimes it’s not even necessary to click an infected advertisement to be affected: scripts inserted into the page run automatically when the page loads. Attackers have turned to these methods of spreading malware because the traditional methods involving phishing e-mails, torrent trackers, and pornographic sites have become problematic. First, these methods have begun to arouse suspicion among users; and second, they make it more difficult for attackers to “catch” employees of major companies in their nets, so to speak. After all, these users are obviously not going to download torrents and watch porn on the company-owned computers they use while on the job. How, then, can attackers reach this “audience”, one of such high interest to them? They’ve found a solution in advertisements. Tools already exist to facilitate attacks on specific companies that interest criminals. This is possible thanks to the precisely targeted advertising platforms offered by search engines. (In the search, one can specify a particular region of users, a field of interest, and/or an advertising section.) When an employee of a particular company visits the site, he or she is shown the “correct” advertisement, containing a built-in malicious payload (usually spyware)...
read more

What is Online Skimming and How to Avoid It
Card skimming, carried out with card-reading devices fitted to ATMs, is familiar to many. Nowadays this type of credit card fraud is also appearing on the web, improved and adapted to its new “habitat”. But the crux of the matter remains the same: the theft of credit card information for use in criminal undertakings. On the web, malicious JavaScript code effectively replaces the skimmers on the card slots. To introduce this code onto the servers of online shops (it is precisely online stores that turn out to be the most frequent victims of these frauds), hackers exploit vulnerabilities in the websites’ software. After installation, the spyware reads the data from the credit cards entered by customers while making purchases. The information of every credit card payment made in the shop is thereby intercepted and sent off to a server under the attacker’s control. After that, the thief is able either to sell the card number (on the black market the average price of one “lot” is around ten dollars) or to use the other person’s credit card himself. A protected HTTPS connection won’t help here either: since the malware is installed on the shop’s server, the leak takes place before the data is ever encrypted. Often a break-in leaves no trace, not only for the customer whose data was stolen, but even for the owners of the merchant websites. Online skimming first attracted serious attention at the end of 2015, when researchers found over 3,000 online shops that were leaking their customers’ card information. On most of the identified websites, the skimming code had been running for a few months, and in some places for more than half a year. You don’t even want to imagine how many credit card numbers were compromised during this period. A year has passed since then. What are the results?

Now the number of merchant sites with online skimming has increased significantly. One of the factors behind the increase in infected stores is that hackers have learned to skillfully mask the malicious code, making it quite difficult to detect. If a year ago just one type of online skimmer, with a few modifications in the code, was in general use, today nine types of JS scripts belonging to three different families have been identified. However, the main reason for the spread of online skimming is that the managers of online stores are not particularly concerned about eliminating it. After the problem was detected, the owners of the affected sites were promptly informed by researchers about the vulnerabilities in the data protection systems on their websites. Unfortunately, the overwhelming majority didn’t treat this with due attention. Some simply did not respond to the specialists’ warnings; some doubted the presence of spyware on their sites, claiming their data protection systems were all in order. Meanwhile, there are tools that make it possible not only to remove these malicious “additions” but also to prevent their reinstallation: specialized software that scans websites for vulnerabilities and code changes, performs daily monitoring, and reports any problems that arise. Insofar as the store owners are clearly not aware of the serious problems, it is worthwhile for potential customers to...
read more

How to Make a Profit out of Voice Call Based 2FA
You thought all hackers are bad? It’s not so simple: in IT circles there has long been a distinction between “black hat” and “white hat” code crackers. The first are easily understood: they use their skills to deprive users and companies of money, and also prey on other valuable information for the purposes of identity theft. But there are those who engage in hacking not for gain, but with humanitarian and scientific motives. Such “good guys” are called white hat hackers. The main point of their work is to find vulnerable websites and services, and then notify the administrators of those resources. With the help of white hat hackers, administrators have eliminated a lot of bugs, and data protection on the network becomes a more tractable problem. Sometimes experts manage to find a “hole” even in functions that were designed to protect against hacking. That’s exactly what happened with two-factor authentication. The Belgian white hat hacker A. Swinnen found a clever way to earn extra cash by means of voice call-based 2FA. How is this possible? One of the main tasks of information security is to establish the legitimacy of the person requesting access to his or her account on a website, online bank, or payment system. To solve this problem, there are numerous (often quite exotic) ways to authenticate users. The most reliable of them today is recognized to be two-factor authentication using one-time passwords. The most common way of delivering one-time passwords is SMS authentication. But some companies use a modified version: voice calls to the number tied to the user’s account. This is the option A. Swinnen used. He set up experimental accounts on Instagram, Microsoft Office 365 and Google using phone numbers that are not free to call or message. Unfortunately, the systems of these services could not determine that these were premium-rate numbers. As a result, after each call the companies were billed.

The researcher found a way to make the robots used by Google, Microsoft and Instagram call premium-rate numbers as often as possible. Swinnen calculated that in a year he would have been able to make somewhere between 2,000 and 670,000 dollars, depending on the service targeted (the least promising was Instagram, and the most promising Microsoft). The white hat hacker told the developers about the problems he found at the end of 2015. Admittedly, all three companies have taken steps to eliminate the bugs found in their two-factor authentication. Such problems could be avoided altogether if companies used more robust and modern methods instead of SMS and phone calls. One such solution is hardware or software OTP tokens, which generate one-time passwords offline. These devices do not use the Internet or telephone networks to transmit one-time passwords, which eliminates the possibility of this kind of fraud or of one-time passwords being intercepted in transit. Businesses relying on two-factor authentication in their interaction with customers should remember that, though it is an excellent tool, it is not in itself a panacea against all threats. To make 2FA truly effective, its implementation should be well thought out. The developers should take into account all possible risks (which are often hidden in the most unexpected places). Don’t want fraudsters to find another loophole in your two-factor...
read more

The Risks and Perils of Pokemon GO
This summer, it seems the world has gone crazy over Pokemon. The characters who first gained fame in the animated series of the early 2000s have returned triumphantly and are again earning millions, now in the form of the game Pokemon GO. Its popularity is such that even serious IT-themed internet publications are writing articles about the rules of the game and advice on how to download and install it in countries where the app has not been officially released yet. However, the game has drawn more than just praise. Even though it is a very recent phenomenon, the app has already been involved in several incidents. In some it has played the role of victim, and in others that of villain. For example, on Google Play there have been three viruses masquerading as Pokemon GO. Of particular concern was one called “Pokemon GO Ultimate”. This “app” from hackers promised access to the game in countries where it had yet to be officially released, but then completely paralyzed smartphones, frequently without any possibility of rebooting them. Even after hard reboots, the virus would continue to work in the background. It would also redirect browser traffic to pornographic websites. Two more pieces of malware displayed ads on the screens of the affected devices or threatened the owners of the smartphones into signing up for paid services. The offending apps were detected and removed from the store, but a large number of users (more than 50 thousand) managed to download them before that and infect their gadgets. And this happened in the official Google Play store! Imagine what is taking place in less regulated app repositories, where there are practically no checks on the available programs. It turns out that these are not the only problems one can encounter after downloading Pokemon GO. Widely circulated posts worry about the game’s capability to spy on gamers and pass their personal data on to third parties.

Few apps have drawn so much criticism for violating the confidentiality of their users. Some talk of the company’s dirty PR tactics (to attract interest in its product), others hint at a conspiracy of the “hidden world” or at the direct participation of the surveillance state in making the game. Whether or not to believe these extreme versions is a private choice. However, there is a perfectly official source that makes it possible to find out exactly which information is being collected. On the website of the company Niantic, in the section dedicated to Pokemon GO, one can find the publicly available privacy policy. It’s a shame that people rarely read the EULA; such agreements are not always as boring and useless as they seem.

Let’s Refer to the Source

In writing this article, we used the most recently published Pokemon GO privacy policy. Here is a short summary of the contents of this document: To register for the game, in addition to going directly through the service, you can use a Facebook or Google account. All users will need to provide an e-mail address. You also need to provide your age and a name (not necessarily your real one). For children 13 years and younger, the permission of a parent or guardian is required in order to register for the game. If a child is discovered to...
read more