Blog Feed

Protectimus Report at the OWASP KNURE Conf

Posted by on 13:27 in Press And Events | 0 comments

Last Saturday Denis Shokotko, Chief Innovation and R&D Officer at Protectimus, was one of the speakers at the second web-security conference of the OWASP KNURE Students Chapter. Denis spoke about the main mechanisms for protecting web applications and about current trends in two-factor authentication. His presentation touched on smart identification and data-signing functions. The audience learned about a new generation of hardware tokens: reprogrammable tokens that support NFC. Participants also learned how to protect themselves from the widespread mobile viruses that intercept one-time passwords from SMS messages, from applications, and even from voice calls.

OWASP (Open Web Application Security Project) is a non-profit international organization whose main goal is to analyze and improve the reliability of software. OWASP is dedicated to developing innovative tools and technologies for data protection, and it regularly publishes tutorials, articles, and documentation in this area. Its members include commercial companies, educational institutions, and individuals from all over the world. Recently the Kharkiv National University of Radio Electronics (KNURE), which hosted the conference, also joined OWASP...

Video: A Card Skimmer Was Installed in 3 Seconds

Posted by on 13:51 in Industry News | 2 comments

Not so long ago we wrote about the tricks fraudsters use for credit card fraud and identity theft (and then, of course, for stealing money). But it is one thing to read about it and quite another to see it. Thanks to a video recently published on the Internet by the Miami police, we can appreciate the high “professionalism” of crooks installing a card skimmer on a POS terminal.

The video was recorded in a store at a petrol station. The fraudsters worked in tandem: while one distracted the cashier, the other installed a skimmer on the payment terminal at the cash register. His speed is particularly striking, as it took him only 3 seconds! The skimming failed only by sheer luck: the pad on the terminal was placed slightly askew, an employee noticed it and called the police.

As a reminder, credit card skimming is a way to steal money by placing a special pad on an ATM or POS terminal. Usually it is a copy of the ATM keypad fixed on top of the original one. When a credit card is inserted into an ATM or POS terminal fitted with a skimmer, the skimmer records the card data. The cardholder notices nothing; for them, the transaction goes through as usual. Afterwards the fraudsters retrieve the card data, either by taking the skimmer away or by using a remote reader. From there, events follow one of two main scenarios: the fraudsters either use the compromised card data to pay for Internet purchases or make a copy of the card and withdraw money from the victim’s account using the...

Was the NASA Hack Real and What It Has Taught Us

Posted by on 17:06 in Industry News | 0 comments

Like everyone else, hackers are looking for their moment of glory. Perhaps this explains their constant interest in big, well-known names: the CIA, the Pentagon, the White House… And not so long ago NASA’s turn came, apparently not for the first time.

The hacker group AnonSec, which includes members from different countries, states that the hack occurred as far back as spring 2015, but they only managed to get this information out to the general public last February. If the hackers are to be believed, the NASA server had been infected with the Gozi Trojan since 2013, and AnonSec simply bought the access rights from the virus developers. The server’s authentication security turned out to be so weak that brute-force password cracking software found the first combination granting root access in 0.32 seconds.

It must be noted that AnonSec belongs to the fairly widespread category of ideological hackers rather than regular cyber-crooks who hack resources just to earn money. In particular, the purpose of hacking the NASA servers was to obtain information on weather control projects, which, according to the hackers, are actively supported by the US government. The problem is that such experiments can do great harm to the health of people in an entire region and affect the quality of crops: under changed climate conditions some native plants start growing poorly, so farmers are forced to use genetically modified seeds, and the negative influence of genetically modified plants on health was proven long ago. Although NASA previously did work on climate change programs, the AnonSec hackers failed to find any evidence that this is being done now.

But along the way, the hackers got access to the controls of a Global Hawk intelligence drone. This is not a small amateur toy: it is a large aircraft capable of flying all day long, and such a toy costs more than $220 million. However, the data protection on the Global Hawk turned out to be not up to par. The hackers nearly drowned the drone in the Pacific Ocean, but an engineer at the flight control center noticed the change of course, switched the drone to manual control and thus prevented an accident.

The AnonSec team seeded a 276 GB torrent archive that includes hundreds of videos from the UAV and weather radars, more than 2 thousand logbooks, and the real names, email addresses and phone numbers of about 2.5 thousand NASA employees.

Although the incident occurred about a year ago, the agency has not provided any official confirmation of it: large, security-guarded organizations do not like to admit their mistakes. Moreover, the mass media the hackers approached to spread the news about hacking NASA’s holy of holies refused to publish it. Only last February did InfoWars publish a report by AnonSec. And only after these publications broke out across the network did NASA start responding. But, of course, it has not confirmed that its servers were hacked. According to the official comment, it was NASA’s own choice to make all the above-mentioned data publicly available. They even provided the addresses of the sources the data had been...

The Evolution of Two-Step Authentication

Posted by on 20:03 in Engineering, R&D | 0 comments

With the advent of computer technologies in everyday life, protecting data transmitted and stored on the network has become a necessity. Along with hardware and software components, data protection systems must include authentication tools that can prevent unauthorized access to accounts. At first, ordinary reusable passwords seemed a sufficient means of protection, but it soon became clear that this way of authenticating a user is extremely unreliable: passwords can be guessed, stolen or accidentally disclosed. This is where the era of two-step authentication began. The main problem 2FA is trying to tackle today boils down to making two-step authentication more user-friendly without depriving it of security and reliability. What steps have already been taken in this direction, and which are still to come?

Cards with a list of codes (TAN codes)

At first, one-time passwords were delivered to users in a rather primitive way. A list of codes was either handed over in person (for example, together with a credit card at the bank) or e-mailed. Each combination of symbols on the card was valid only once, and the next time the user had to pick a different temporary password from the list. Of course, sooner or later all the passwords on the list were used up, and the user had to get a new TAN-code card for two-factor authentication.

Pros: no pros except for the low price.
Cons: the card can be stolen, and the list has to be renewed from time to time.
Thus, TAN-code cards have almost gone out of use.

Two-step authentication code via SMS

When cell phones first appeared, they were expensive and only a few could afford such a gadget. Over time, the cost of the devices, as well as the tariffs for mobile communications, decreased significantly, increasing the number of cell phone owners. Temporary passwords and TAN codes started to be sent via SMS. SMS authentication is still a fairly common means of OTP delivery.

Pros: convenient for both the system and the client.
Cons: mobile communication is not always stable, SMS can be intercepted, and it is quite expensive for the company to send messages to its users.

Hardware OTP tokens

A hardware OTP token is currently one of the most secure two-factor authentication means. There are contact and contactless OTP tokens. The first type requires a connection to the computer’s USB port. The second type operates independently of the Internet and public telephone networks, so contactless OTP tokens are protected from any malicious software and their one-time passwords cannot be intercepted. Lately, USB tokens have appeared which, although inserted into the connector, activate only at the touch of a button (e.g. YubiKey). Even if there is a virus on the computer, it will fail to infect such a token and use it to intercept one-time passwords.

Recently, Protectimus has introduced a new type of hardware token: reprogrammable OTP tokens in the form of plastic cards of two sizes. Protectimus Slim is the standard ISO/IEC 7810 ID-1 size (85.6 × 53.98 × 0.76 mm), and Protectimus Slim mini is only 64 × 38 mm. These tokens can be easily reflashed via NFC, which turns them into universal one-time password generators that...

Mobile Banking Trojan Acecard – All You Need to Know About a New Threat

Posted by on 15:19 in Industry News | 2 comments

The smartphone has a wide range of functions. Despite its main feature of being a phone, this gadget lets you listen to music, read, surf the Internet, pay bills, work with documents, and so on. A huge part of the personal and business life of our contemporaries is tied to this smart device. Realizing this, hackers have concentrated their efforts on creating mobile malware. Many such programs have already been discovered: Android.Bankosy, Asacub, Facetoken… Yet we have not seen a mobile banking Trojan as powerful and multi-functional as Acecard.

Acecard did not become so strong in a moment. The first “harmless” version of this virus appeared in early 2014. At that time it did not perform any harmful actions; it just infected smartphones, completely unnoticed by users. It took one and a half years for Acecard to turn into a full-fledged threat. After growing in strength in May 2015, the Trojan took to serious attacks. Today it has about 10 variants, each of which is strong and dangerous. Acecard’s activity is not confined to one country: it has already been spotted in Germany, France, Australia, Russia, and Austria. The mobile banking Trojan Acecard can imitate over 50 applications of banks and payment systems, messengers (including Viber, WhatsApp, Skype), PayPal and Gmail. Some experts call Acecard the most serious current threat to mobile data protection, and not without reason.

The mobile banking Trojan Acecard can cause a smartphone owner a lot of trouble in many different areas. Its main “specialization” is phishing: substituting fake copies of various sites and services. The range of websites and apps it can substitute is wide: over 50 financial applications of banks and payment systems, messengers (including Viber, WhatsApp, and Skype), and even such “monsters” as PayPal and Gmail, where data protection has always been considered a strong point. Besides, the virus can steal any information, from SMS messages to credit card data. It can redirect calls, “replace” a bunch of applications and even install new ones (for example, cryptoware) on the infected device. Acecard may also lock the window of any application and demand a ransom to restore the smartphone’s functionality.

Usually, Trojans are delivered in the form of phishing emails or spam. Acecard differs even here: it can disguise itself as an important system application. Not so long ago it put on the mask of Adobe Flash Player. Regular users who are not IT specialists did not know that production of this player for Android was stopped in 2012, and the hackers took advantage of that. As a result, those who downloaded the fake Flash Player onto their smartphone received a mobile banking Trojan and a player icon on the home screen instead.

How to protect yourself against Acecard

If Acecard has already infected the device, it is difficult to do anything about it. The only thing you can do to protect yourself against this mobile banking Trojan is simply to prevent the infection. You...

The Most Prominent Data Leaks of 2015

Posted by on 20:24 in Industry News | 0 comments

In 2015, we witnessed many large and controversial data leaks, which leads to a conclusion: hackers are becoming more sophisticated while users are still imprudent and careless. Recalling the most striking cases of information security breaches can help us understand the most common ways data leaks happen, as well as how to organize our data protection systems to avoid material and reputational losses.

Large-scale data leaks

The hack of the insurance giant Anthem is the undisputed leader of 2015. The personal data of almost 80 million people was compromised in this breach. The hackers stole the names, addresses, dates of birth, and social security numbers of Anthem’s customers, but failed to get medical information and credit card numbers.

Twitter’s shares fell in price by 18% after the company’s financial results were published in open access ahead of time. In monetary terms, the company’s losses amounted to 5 billion dollars.

High officials in the leading roles

Senior government officials appeared in the most high-profile reports on data leaks. The interest in this category of users is clear. But personal data leaks are not always caused by hackers. Here are a few examples:

The passport data of almost all (164 of 170) members of the Russian Federation Council were stolen and released. In this case, it is not the leak itself but the reaction of the victims that is notable: one of the senators said that it is … unpleasant, but that it can be explained in the information age.

Jeb Bush, a brother of the former US President, published on his website about 300 thousand letters that voters had sent him. By mistake, together with the letters, the politician’s staff also published the personal data of the authors of these letters, including their social security numbers.

Hackers are to blame for the data breach in the United States Office of Personnel Management. They compromised 4 million accounts of current and former state employees. Since the organization handles staff selection for various ministries and departments, the leak caused a grave scandal.

As it turned out, while holding the post of Secretary of State, Hillary Clinton (former Secretary of State, President’s wife, and Presidential candidate all in one) used an unprotected email account for official correspondence, and it was eventually hacked. Now that Mrs. Clinton is running for the presidency, this fact can significantly reduce her chances. US state officials are obliged to use only secure official mail to prevent data breaches, and it is unlikely that neglecting the legislation will win the candidate any points.

Indian high-ranking officials from the Ministry of Finance (one of whom was the Deputy Minister) also distinguished themselves in 2015. They stole the foreign capital investment plans for the Indian economy and tried to sell them for half a million dollars, but were eventually arrested along with their intermediaries.

Why do we pay spies?

Protection against data leaks will not work unless the duty-bound people who hold this or that information stop boasting about it on social networks. Here, hacks and breaches are not needed: the secrets are divulged for free. South...

Two-Factor Authentication in Cloud Security

Posted by on 17:01 in Engineering, R&D | 0 comments

Today, cloud services are incredibly popular, both among users who store their personal data there and among companies that use cloud services to run a successful business. We should not underestimate the importance of the cloud as a place to store employees’ personal data and the necessary corporate information, available to an employee at any time and in any place. But we should not forget about cloud security either, because cloud services are not only convenient but also quite risky.

Cloud security: the main risks

Cloud services are real “tidbits” for hackers, since they store large amounts of data. If cloud security solutions turn out not to be reliable enough and users’ data is compromised, not only the users suffer but also the providers of the cloud services, whose reputation is endangered. Unfortunately, new vulnerabilities keep being found in cloud services. Recently an information security expert posted an article on the Virtual-Strategy Magazine website saying he had discovered a shocking fact: a brand new server hosted on Azure or Amazon Web Services can be hacked in 30 minutes with automated attack scripts capable of finding the smallest vulnerabilities in the cloud security system. This ultimately makes it possible to use the server for malicious purposes, for example to spread malware.

Attackers are constantly looking for new ways to hack and use every available resource. Thus, to protect information in the cloud, both providers and users should join their efforts: reject simple passwords, fix errors regularly and use multi-factor authentication, a functional and reliable data protection system.

Strong authentication as an indispensable element of cloud security

Strong authentication is multi-factor authentication that uses two or more factors during user authentication in the cloud. When using this method to log in, the user must take the following two steps:

1. Enter the login and password (the knowledge factor).
2. Confirm their identity with an OTP (one-time password), generated with the help of an OTP token or a special smartphone application, or sent via SMS, push message or e-mail (the possession factor).

To understand the importance of two-factor authentication for cloud security, let’s imagine the worst course of events. Having cracked an administrator password and gained access to your server, the fraudster manages any information stored in the cloud at his own discretion. The attacker will probably play hard: change the passwords, publish confidential corporate information on the network, copy users’ personal data, or, on the contrary, delete all the information you need along with all the backups. And on top of that, he can extort money from you if you want to regain access to your server. A frightening prospect, isn’t it? We do not know which scenario a hacker may choose; the only clear thing is that there is no limit to attackers’ flights of fancy.

Conclusions

To protect users of cloud services from hacking tricks, we must restrict access to the admin panel by IP address, as well as use complex passwords and two- or multi-factor authentication. Owners of cloud services should also make sure that their clients have the opportunity to implement a reliable system of server protection or...

Ransomware Virus Paralyzed the Hospital Work Once Again on Healthcare Information Security

Posted by on 20:34 in Industry News | 0 comments

The more computer technologies pervade all areas of human life, the more important user data protection becomes. Earlier, hackers could only steal your e-mail address to send spam from it. But today the World Wide Web stores much more comprehensive information about all of us. You do not even need to share this information on the Internet for hackers to get it: it is enough to open a bank account or seek medical help.

It is healthcare information security that has recently been a growing concern among cybersecurity experts. After all, as we have already written here, the information from electronic medical records is enough for full identity theft. Personal information security in healthcare organizations is still in its infancy. The recent incident at the Hollywood Presbyterian Medical Center confirmed that even large treatment centers can be paralyzed by a hacker attack.

In early February, cyber criminals hacked the Hollywood Presbyterian Medical Center. All the computers were infected with a ransomware virus that blocked their work. The medical data was encrypted, and the computer-based medical equipment ceased operating. The health and lives of more than 400 inpatients were under threat. The administration had to transfer them to other hospitals, while the staff had to use the good old paper and pen to record information. As it turned out, the attack was not even targeted. The security system of the medical center turned out to be so imperfect that an accidental attack was enough: one affected computer quickly spread the virus to the others via the local hospital network. Quick on the uptake, the owners of the virus demanded a ransom of $3.6 million. After 10 days, the administration decided to pay the extortionists to regain access to the medical records, but it paid a much smaller sum than the hackers initially wanted: 40 Bitcoins (about 17 thousand dollars).

Due to the particular danger of this incident, it was investigated not by the local police but by the FBI and a forensics team specializing in cybercrime. But, according to recent reports, they have failed to track down the fraudsters.

This case is not the first example of hacking medical institutions. Within the same year, close to 80 million customers of Anthem, one of the largest US insurance companies, fell prey to hackers. There were other, less notable but also unpleasant incidents.

What conclusions can be drawn?

The conclusion is obvious: it is time for every medical institution not just to think about strengthening its healthcare information security systems but to start taking action. It is quite difficult to protect against ransomware viruses; in this case, the only thing that can help is instructing personnel in the rules of information security in healthcare. But we should not forget about the other types of attacks health centers are exposed to day after day. In 2015, hackers managed to get the data of more than 100 million customers of medical institutions. The number is impressive! Perhaps this would not have happened had the fundamental rules of healthcare information security been followed. One of them is to use two-factor authentication to protect confidential information. A common belief that it is hard to use such data protection...

Hackers Are Adopting Espionage Techniques

Posted by on 16:17 in Industry News | 3 comments

A year ago, the prominent hacker group Carbanak became famous for being the first to break into banking systems using methods previously employed only by hackers engaged in cyber espionage for the governments of various countries. Carbanak adapted these techniques to attack financial institutions (in most cases banks), and the security systems of these institutions gave way under the pressure of the new hacking techniques.

An important feature of Carbanak attacks is the use of legitimate software. This minimizes the risk of the attack being detected by antivirus programs and saves the time needed to develop special hacking software. Carbanak hackers robbed hundreds of financial institutions in 30 countries around the world, stealing millions of dollars. Strong authentication tools such as one-time passwords and PIN codes, which are used to protect money and data from theft, failed to stop the fraudsters: the hackers had direct access to the bank systems that execute money transactions, so they had no need for OTP passwords.

This example was contagious. Not so long ago, two other similar groups showed up: GCMAN and Metel. Their attacks mostly targeted Russian financial institutions. In both cases, the attacks started with targeted phishing emails. The phishing emails contained RAR archives, which penetrated the banking systems once opened. Once the hackers took control of the banks’ processing systems, the two groups followed different scenarios.

In the case of Metel, the main trick was to cancel the transaction after cash was withdrawn at an ATM. Thus, the balance on the victims’ debit cards did not change, and they discovered the loss of money only after the hackers had already wound up their activities. One such operation made it possible to steal several million rubles.

GCMAN worked differently. They used cron for their attacks. Cron is legitimate software that starts user programs in Unix operating systems at a specified time. The hackers used a cron script to continually withdraw $200 from infected users’ bank accounts; $200 is the limit for anonymous transactions in Russian banks. Later, the hackers transferred the money to the encrypted accounts of ‘money mules’, people hired specially for cashing out stolen money.

If hackers can overcome such strong bank security systems in such a deft manner, is there any way to stop them? Of course, cyber-security services can strengthen the security of servers and databases and use the newest software and hardware. But experience has shown that these are only temporary measures. As the saying goes, “It is easier to pull down than to build.” Sooner or later hackers will find a way to bypass the most sophisticated technical barriers, so these methods alone are not enough for reliable protection.

Let’s think about how any hack begins. The fraudsters need to get access to only one computer of the targeted company, and that is practically impossible without human involvement: an employee installs a file, follows a link, or opens an attachment containing spyware. Thus, teaching employees the rules of information security is one of the most important data protection measures. It can prevent you or your employees from swallowing the cyber fraudsters’...

Two-Step Authentication Is Already in Instagram

Posted by on 16:13 in Industry News | 0 comments

A few days ago it became known that Instagram is rolling out two-factor authentication. At first, a beta version of 2FA was tested by a small number of selected users, but now two-step authentication is becoming available to everyone. What is most surprising about this news is how slowly the popular social network has moved on it. After all, two-factor authentication has long been an integral part of data protection at all its ‘colleagues’: Facebook, Twitter, LinkedIn, etc.

Why does Instagram need two-step authentication?

Instagram has many accounts that bring their owners a lot of money; often the income from these accounts is comparable with a full-fledged business. For many celebrities, it is one of the most important channels of communication with their fans. For many companies, Instagram is one of the key platforms for advertising and finding potential customers. Imagine how upset Taylor Swift would be if her account with more than 67.9 million followers got hacked. Accounts with a large number of followers have been hacked more than once, and every time it harmed the owner’s reputation and income. Thus, two-factor authentication with one-time passwords can be a real way out for users who have an extreme need for data protection.

How does two-factor authentication on Instagram work?

At the moment, one-time passwords (OTP) on Instagram are delivered only via SMS. But, frankly speaking, this way of delivering one-time passwords is a thing of the past. Modern two-step authentication technologies offer a much more convenient and reliable way to confirm the user’s right to log in. Two-step authentication can be performed either by biometric methods or with tokens, that is, one-time password generators. The first method is faster and easier, and the second is much better protected against random (and non-random) factors.

Many people think that tokens are necessarily separate and expensive devices, more suitable for protecting bank or office accounts. But there is another kind of token that is secure, easy to use and free of charge. The best solution for Instagram, where people usually log in from smartphones, is a software token installed on the same device. Many have heard of Google Authenticator, but it is not the only possible type of software token. Protectimus has created an application that surpasses Google’s software OTP token: the Protectimus Smart application for Android/iOS smartphones.

The benefits of the Protectimus Smart OTP token

This application, like its hardware ‘brothers’, is PIN-protected. So even if the smartphone is lost or stolen, thieves will not be able to use Protectimus Smart to access the account protected with it. The application can be paired with an Android Wear smartwatch, which facilitates and simplifies the generation of one-time passwords and makes two-step authentication more convenient. The company has thought through even such details as the visual presentation of the generated OTP: unlike Google Authenticator and most other software tokens, the digits here are divided into short groups, which eases entry. The application supports different one-time password generation algorithms: time-based (TOTP), event-based (HOTP), and challenge-response (OCRA). Of course, a picture-sharing service is not a banking institution, and there is no need for strong authentication...
