Blog Feed
A Wrong Lesson on Information Security
Recently, the CNBC news website gave a rather controversial lesson in information security. The author of an article only indirectly related to information security (it was about the confrontation between Apple and the FBI) decided to add a text box for checking password strength. Most likely, the form was included as a "salt" to attract more attention; the author was not trying to improve the readers' computer literacy. And it should be said that the publication attracted more than enough attention, especially among information security specialists. After all, the text box invited readers to violate a key rule of information security: a password may be entered only in the official login form of the website it is intended for. The author who added the text box to his article wrote a small caption (probably to avoid a possible lashing) saying that the tool was designed for educational purposes only and that passwords entered in it were not saved.

worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR — Adrienne Porter Felt (@__apf__) March 29, 2016

Struck by such illiteracy, several information security experts decided to take a closer look at the "educational" text box. As it turned out, the passwords were not only stored unencrypted in Google Docs but were also transmitted to CNBC's partner companies. A scandal broke out. Representatives of the information security community demanded that the text box be removed from the website immediately. CNBC's reaction, however, was rather strange. It did not reply to the criticism and simply deleted the ill-fated article, together with the text box, of course. The publication cleaned up all references to the article on Twitter, and the personal page of the article's author suddenly became private.

As you can see, neither the victims nor the online community will get any apology from the CNBC administration. We don't know how many users fell victim to this provocation and entered their passwords in the text box, but given the popularity of the CNBC website (more than 6 million visitors per month) there must be quite a lot of them. (Real) information security specialists recommend that everyone who entered a password in this text box change it quickly.

Despite this obvious failure, CNBC's "lesson" can teach us a lot. First of all, it is a reason to remind once again: data protection is the user's own responsibility. Even the most perfect data protection system cannot substitute for simple caution and a certain amount of healthy skepticism. In order not to end up like the people who sent their passwords off to an unknown destination, we should remember a few simple rules:

Any account password should be entered only on the official website. Avoid third-party resources and the links in innocuous-looking letters. It doesn't take much time to manually type the name of the website you need in the address bar or open a saved bookmark, but such precautions can protect you from phishing.

In general, you should not disclose your secret combination to outsiders, either orally or in written form. Even the most carefully...
read more

Protectimus Team at IT Spring Forum
Last week was a very active one for the Protectimus team. In addition to participating in the OWASP KNURE conference, we attended another event, the IT Spring Forum held in Dnipropetrovsk. The participants of the IT Spring Forum discussed international trends in the development of the software industry, the Internet of Things (IoT), the development of IT solutions for healthcare institutions, and modern tools for protecting users' data in the context of the above-mentioned areas.

Last year the healthcare industry came out on top by the volume of users' data leaks. The confidential data of more than 100 million Americans leaked onto the Internet as a result of hacks of the databases of some hospitals and insurance companies. In other countries the situation was similar.

Only the lazy have not heard about the vulnerabilities that are regularly found in modern household items belonging to the Internet of Things. Fraudsters can connect to the surveillance cameras installed in your house for safety, or even to a Smart TV, and spy on you. Hackers can seize control of a car, as was demonstrated on the example of the Jeep Cherokee. And it is not a problem for them to connect to a "smart" refrigerator or even a coffee machine.

Two-factor authentication can help solve many of today's security problems, especially if you use additional 2FA features like smart identification, data signature, reprogrammable OTP tokens, etc. Below you can see a small photo report on the event and pictures of the wonderful city of Dnipropetrovsk, which we visited for the first...
read more

Protectimus Report at the OWASP KNURE Conf
Last Saturday Denis Shokotko, the Chief Innovation and R&D Officer at Protectimus, was one of the speakers at the second conference on web security held by the OWASP KNURE Students Chapter. Denis spoke about the main mechanisms for protecting web applications and about modern trends in two-factor authentication. His presentation touched on the smart identification and data signature functions. The listeners learned about a new generation of hardware tokens: reprogrammable tokens supporting NFC technology. The participants also learned how to protect themselves from the widespread mobile viruses that intercept one-time passwords from SMS, from applications, and even from voice calls.

OWASP (Open Web Application Security Project) is a non-profit international organization whose main goal is to analyze and increase the reliability of software. The OWASP organization is dedicated to developing innovative tools and technologies for data protection. Besides that, it regularly publishes tutorials, articles, and documentation in this area. Among the OWASP members are commercial companies, educational institutions, and individuals from all over the world. Recently the Kharkiv National University of Radio Electronics (KNURE), on whose premises the conference took place, also joined the OWASP...
read more

Video: A Card Skimmer Was Installed in 3 Seconds
Not so long ago we wrote about the tricks fraudsters use for credit card fraud and identity theft (and then, of course, for stealing money). But it is one thing to read about them and quite another to see them. Thanks to a video recording recently posted on the Internet by the Miami police, we can appreciate the high "professionalism" of the crooks installing a card skimmer on a POS terminal.

The video was recorded in a store at a petrol station. The fraudsters worked in tandem: while one distracted the seller, the other installed an ATM skimmer on the payment terminal at the cash register. His speed is particularly striking, as it took him only 3 seconds! The skimming failed only by sheer luck: the pad on the terminal was placed slightly askew, an employee noticed it and called the police.

We would like to remind you that credit card skimming is a way of stealing money by placing a special pad on an ATM or a POS terminal. Usually, it is a copy of the ATM keypad fixed on top of the original one. When a credit card is inserted into an ATM or POS terminal fitted with a skimmer, the skimmer records the credit card data. The owner of the card doesn't notice anything; for him, the transaction goes through as usual. After that, the fraudsters collect the credit card data: they take the skimmer away or use a remote reader. From there, events can develop in two main scenarios: the fraudsters either use the compromised bank card data to pay for Internet purchases, or make a copy of the card and withdraw money from the victim's account using the...
read more

Was the NASA Hack Real and What It Has Taught Us
Like everyone, hackers are looking for their moment of glory. Perhaps this explains their constant interest in well-known big names: CIA, Pentagon, White House… And not so long ago it was NASA's turn. Apparently, not for the first time.

The hacker group AnonSec, which includes members from different countries, states that the hack occurred as far back as spring 2015, but they only managed to get this information across to the general public last February. If the hackers are to be believed, the NASA server had been infected with the Gozi Trojan since 2013; AnonSec simply bought the access rights from the virus developers. The authentication security of the server turned out to be so weak that brute-force password cracking software found the first combination granting root access in 0.32 seconds.

It must be noted that AnonSec belongs to the fairly widespread category of ideological hackers rather than regular cyber-crooks who hack resources just to earn some money. In particular, the purpose of hacking the NASA servers was to obtain information on weather control projects, which, according to the hackers, are actively supported by the US government. The problem is that such experiments can do great harm to the health of people in an entire region and affect the quality of crops. This is because under changed climate conditions some native plants start growing poorly, so farmers are forced to use genetically modified seeds. And the negative influence of genetically modified plants on health has been proven long ago. Although NASA previously did work on climate change programs, the AnonSec hackers failed to find any evidence that it is being done now.

But along the way, the hackers got access to the control of a Global Hawk intelligence drone. This drone is not a small amateur toy to play with. It is a large aircraft able to fly all day long, and such a toy costs more than $220 million. However, the data protection of the Global Hawk appeared to be not up to par. The hackers nearly drowned the drone in the Pacific Ocean, but an engineer at the flight control center noticed the change of course, switched the drone into manual control and thus prevented an accident.

The AnonSec team seeded a 276 GB torrent archive that includes hundreds of videos from the UAV and weather radars, more than 2 thousand logbooks, and the real names, email addresses and phone numbers of about 2.5 thousand NASA employees.

Although the incident occurred about a year ago, the agency has not provided any official confirmation of it: large security-guarded organizations do not like to admit their mistakes. Moreover, the mass media that the hackers approached to spread information about the hacking of NASA's holy of holies refused to publish it. Only last February did InfoWars publish the AnonSec report. Only after these publications spread across the network did NASA start responding. But, of course, it has not confirmed that its servers were hacked. According to the official comment, it was NASA's own choice to make all the above-mentioned data publicly accessible. They even provided the addresses of the sources the data had been...
read more

The Evolution of Two-Step Authentication
With the advent of computer technologies in everyday life, the protection of data transmitted and stored in the network has become a necessity. Along with the hardware and software components, data protection systems must include authentication tools that can prevent unauthorized access to accounts. At first, the usual reusable passwords seemed a quite sufficient means of protection. But it soon became clear that this way of authenticating users is extremely unreliable: passwords may be guessed, stolen or accidentally disclosed. This is where the time of two-step authentication came. The main problems that 2FA is trying to tackle today boil down to making the two-step authentication process more user-friendly without depriving it of security and reliability. What steps have already been taken in this direction, and which are still to come?

The cards with the list of codes (TAN-codes)

At first, one-time passwords were delivered to users in a quite primitive way. A list of codes was either delivered in person (for example, together with a credit card at the bank) or e-mailed. Each combination of symbols on the card was valid only once, and the next time the user had to pick a different temporary password from the list. Of course, sooner or later all the passwords on a list were used up, and the user had to get a new card with TAN-codes for two-factor authentication.

Pros: none except for the low price.
Cons: the possibility of theft, the need to update the list from time to time.
Thus, TAN-code cards have almost gone out of use.

Two-step authentication code via SMS

When cell phones first appeared, they were expensive and only a few could afford such a gadget. But over time the cost of the devices, as well as the tariffs for mobile communications, decreased significantly, which increased the number of cell phone owners. The temporary passwords and TAN-codes started to be sent via SMS. SMS authentication is still a fairly common means of OTP delivery.

Pros: convenient for both the system and the client.
Cons: mobile communication is not always stable, SMS can be intercepted, and it is quite expensive for the company to send messages to its users.

Hardware OTP tokens

A hardware OTP token is currently one of the most secure means of two-factor authentication. There are contact and contactless OTP tokens. The first type requires a connection to the computer's USB port. The second type runs independently of the Internet and public telephone networks; thus, contactless OTP tokens are protected from any malicious software, and their one-time passwords cannot be intercepted. Lately, USB tokens have appeared which, although inserted into the connector, activate only at the touch of a button (e.g., Yubikey). Even if there is a virus on the computer, it will fail to infect such a token and use it to intercept one-time passwords.

Recently, Protectimus has introduced a new type of hardware token: reprogrammable OTP tokens in the form of plastic cards of two sizes. The Protectimus Slim token is of the standard ISO/IEC 7810 ID-1 size (85.6 × 53.98 × 0.76 mm), and the Protectimus Slim mini is only 64×38 mm in size. These tokens can be easily reflashed with the help of NFC technology, which turns these hardware tokens into universal one-time password generators, which...
read more

Mobile Banking Trojan Acecard – All You Need to Know About a New Threat
The smartphone has a wide range of functions. Although its main feature is being a phone, this gadget lets you listen to music, read, surf the Internet, pay bills, work with documents, etc. A huge part of our contemporaries' personal and business lives is tied to this smart device. Realizing this, hackers began to concentrate their efforts on creating mobile malware. Many such programs have already been discovered: Android.Bankosy, Asacub, Facetoken… Yet we haven't seen a mobile banking Trojan as powerful and multi-functional as Acecard.

Acecard did not become so strong in a moment. The first "harmless" version of this virus appeared in early 2014. At that time it did not perform any harmful actions; it just infected smartphones, absolutely inconspicuously for the users. It took one and a half years for Acecard to turn into a full-fledged threat. By May 2015 the Trojan had grown in strength and took to serious attacks. Today it has about 10 variants, each of which is strong and dangerous. Acecard's activity is not localized in one country: it has already been spotted in Germany, France, Australia, Russia, and Austria. The mobile banking Trojan Acecard can imitate over 50 applications of banks and payment systems, chat rooms (including Viber, WhatsApp, Skype), PayPal and Gmail.

Some experts name Acecard the most serious threat to mobile data protection today, and this opinion did not appear without reason. The mobile banking Trojan Acecard can bring a smartphone owner a lot of trouble in many different areas. Its main "specialization" is phishing: the substitution of various sites and services. The range of websites and apps it can substitute is wide: over 50 financial applications of banks and payment systems, chat rooms (including Viber, WhatsApp, and Skype), and even such "monsters" as PayPal and Gmail, where data protection has always been considered a strong point. Besides, the virus can steal any information, from SMS to credit card data. It can redirect calls, "replace" a bunch of applications and even install new ones (for example, cryptoware) on the infected device. The mobile banking Trojan Acecard may also block the window of any application and demand a ransom for returning functionality to the smartphone.

Usually, Trojan viruses are delivered in the form of phishing emails or spam. Acecard differs even here: it can disguise itself as an important system application. Not so long ago it put on the mask of Adobe Flash Player. Regular users who are not IT specialists did not know that production of this player for Android was stopped in 2012, and the hackers took advantage of it. As a result, those who downloaded the fake Flash Player onto their smartphone received a mobile banking Trojan, and a player icon on the desktop instead of the player.

How to protect yourself against Acecard

If Acecard has already infected the device, it is difficult to do anything about it. The only thing you can do to protect yourself against this mobile banking Trojan is simply to prevent the infection. You...
read more

The Most Prominent Data Leaks of 2015
In 2015, we faced many ambitious and controversial data leaks. From them we can draw a conclusion: hackers are becoming more sophisticated while users are still imprudent and careless. Recalling the most striking cases of information security breaches can help us understand the most common ways data leaks happen, as well as how to organize our data protection systems to avoid material and reputational losses.

Large-scale data leaks

The hack of the insurance giant Anthem is the indisputable leader of 2015. The personal data of almost 80 million people were compromised during this information security breach. The hackers stole the names, addresses, dates of birth, and social security numbers of Anthem's customers. Yet the hackers failed to get medical information and credit card numbers.

Twitter's shares fell in price by 18% after the company's financial results were published in open access ahead of time. In monetary terms, the company's losses amounted to 5 billion dollars.

High officials are on the first cast

Senior government officials appeared in the most high-profile reports on data leaks. The interest in this category of users is clear. But personal data leaks are not always caused by hackers. Here are a few examples:

The passport data of almost all (164 of 170) members of the Russian Federation Council were stolen and released. In this case, it is not the fact of the data leak but the reaction of the victims that is notable. One of the senators said that it is … unpleasant, but it can be explained in the information age.

Jeb Bush, a brother of the former US President, published on his website about 300 thousand letters the voters had sent him. But by mistake, together with the letters, the politician's staff also published the personal data of the authors of these letters, including their social security numbers.

Hackers are to blame for the data breach in the United States Office of Personnel Management. They compromised 4 million accounts of current and former state employees. Since the organization handles the selection of staff for various ministries and departments, the data leak caused a grave scandal.

As it turned out, while holding the post of Secretary of State, Hillary Clinton (former Secretary of State, President's wife, and presidential candidate all in one) used an unprotected email account for official correspondence, and it was finally hacked. Now that Mrs. Clinton is running for the presidency, this fact can significantly reduce her chances. US state officials are obliged to use only secure official mail to prevent data breaches. It is unlikely that neglect of the legislation will add points to the candidate.

Indian high-ranking officials from the Ministry of Finance (one of whom was the Deputy Minister) also distinguished themselves in 2015. They stole the foreign capital investment plans for the Indian economy and tried to sell them for half a million dollars. But finally they were seized along with their intermediaries.

Why do we pay spies?

Protection against data leaks will not work unless the duty-bound people who hold this or that information stop boasting about it on social networks. Here hacks and breaches are not needed: the secrets are divulged for free. South...
read more

Two-Factor Authentication in Cloud Security
Today, cloud services are incredibly popular both among users who store their personal data there and among companies that use cloud services to run a successful business. We shouldn't underestimate the importance of the cloud as a means of storing employees' personal data and the necessary corporate information, which is available to an employee at any time and in any place. But we shouldn't forget about cloud security, because cloud services are not only convenient but also quite risky.

Cloud Security – the main risks

Cloud services are real "tidbits" for hackers, since they store large amounts of data. If cloud security solutions turn out to be not reliable enough and users' data are compromised, not only the users will suffer but the cloud service providers as well, since their reputation will be endangered. Unfortunately, new vulnerabilities are being found in cloud services all the time. Recently, one information security expert posted an article on the Virtual-Strategy Magazine website saying he had discovered a shocking fact: a brand new server hosted on Azure or Amazon Web Services can be hacked within 30 minutes by automated attack scripts capable of finding the smallest vulnerabilities in the cloud security setup. This ultimately makes it possible to use the server for further malicious acts, for example, to spread malware.

Attackers are constantly looking for new ways to hack and use every available resource. Thus, to protect information in the cloud, both providers and users should unite their efforts: reject simple passwords, fix errors regularly and use multi-factor authentication, a functional and reliable data protection system.

Strong authentication as an indispensable element of cloud security

Strong authentication is multi-factor authentication that uses two or more factors during user authentication in the cloud. When using this authentication method to log in, the user must take the following two steps:

1. Enter the login and password (the knowledge factor).
2. Confirm his identity with an OTP (one-time password), generated with the help of an OTP token or a special smartphone application, or sent via SMS, push message or e-mail (the ownership factor).

To understand the importance of two-factor authentication to cloud security, let's imagine the worst course of events. Having hacked an administrator password and gained access to your server, the fraudster manages any information stored in the cloud at his own discretion. The attacker will probably play hard: change the passwords, publish confidential corporate information on the network, copy users' personal data, or, conversely, delete all the information you need along with all the backups. And after all that, he can even extort money from you if you want to regain access to your server. A frightening prospect, isn't it? We do not know what kind of scenario the hacker may choose. The only clear thing is that there is no limit to attackers' flight of fancy.

Conclusions

To protect users of cloud services from hacking tricks, we must restrict access to the admin panel by IP address, as well as use complex passwords and two- or multi-factor authentication. The owners of cloud services should also make sure that their clients have the opportunity to implement a reliable system of server protection or...
read more

Ransomware Virus Paralyzed the Hospital Work Once Again: On Healthcare Information Security
The more computer technologies pervade all areas of human life, the more important user data protection becomes. Earlier, hackers could only steal your e-mail address to send spam messages from it. But today the World Wide Web stores much more comprehensive information about all of us. You don't even need to share this information on the Internet for hackers to get it; it is enough to open a bank account or seek medical help.

It is healthcare information security that has recently been a growing concern among cybersecurity experts. After all, as we have already written here, the information in electronic medical records is enough for full identity theft. Personal information security in healthcare organizations is still in its infancy. The recent incident at the Hollywood Presbyterian Medical Center confirmed that even large treatment centers can be paralyzed by a hacker attack.

In early February, cyber criminals hacked the Hollywood Presbyterian Medical Center. All the computers were infected with a ransomware virus that blocked their work. The medical data were encrypted, and the computer-based medical equipment ceased operating. The health and lives of more than 400 inpatients were under threat. The administration had to transfer them to other hospitals, while the staff had to use the good old pen and paper to register information.

As it turned out, the attack was not even targeted. The security system of the medical center was so imperfect that an accidental attack was enough: one affected computer quickly spread the virus to the others via the local hospital network. Being quick on the uptake, the owners of the virus demanded a ransom of $3.6 million. After 10 days, the administration decided to pay the extortionists to regain access to the medical records. But it paid a much smaller sum than the hackers initially wanted: 40 Bitcoins (about 17 thousand dollars).

Due to the special danger of this incident, it was investigated not by the local police but by the FBI and a forensics team specializing in cybercrime. But, according to recent data, they have failed to track down the fraudsters.

This case is not the first example of medical institutions being hacked. Within the same year, close to 80 million customers of Anthem, one of the largest US insurance companies, fell prey to hackers. There were other, less notable but also unpleasant, incidents.

What conclusions can be drawn? The conclusion is obvious: it is time for every medical institution not just to think about strengthening its healthcare information security systems, but to start taking action. It is quite difficult to get protected from ransomware viruses; in this case, the only thing that can help is instructing the personnel on the rules of information security in healthcare. But we should not forget about the other types of attacks health centers are exposed to day after day. In 2015, hackers managed to get the data of more than 100 million customers of medical institutions. The number is impressive! Perhaps this would not have happened had the fundamental rules of healthcare information security been followed. One of them is to use two-factor authentication to protect confidential information. A common belief that it is hard to use such data protection...
read more