Fresh Off The Block


Dec 02 2017

UK joins US in warning about #Kaspersky Antivirus and Russian software

Britain’s main cyber security agency on Friday warned British government agencies to avoid using anti-virus software from Russian companies, the latest in a series of moves targeting Moscow-based security software maker Kaspersky Lab.

Who are Kaspersky?

Kaspersky Labs is a multinational corporation that provides cybersecurity services worldwide. The company does a lot of work in identifying threats to computers, the internet and governments that could damage computers or lead to information getting out that shouldn't be made public; and helps to find solutions. As well as internet security, password management and many other security tools, one of the products Kaspersky is most well-known for developing and selling is its own Antivirus product, Kaspersky Anti-Virus (and also Kaspersky Internet Security), which is used by governments and individuals alike to help protect computers from being compromised or damaged by malicious attacks.

Kaspersky Labs is headquartered in Moscow, Russia – a country known to have strict laws over control of data in and out of its borders. Russia lately has been in a lot of hot water with the United States over longstanding allegations that the country attempted to rig the 2016 Presidential Election and has too close ties to current president Donald Trump; and may be secretly attempting to influence America.

What's going on?

The United States have expressed concerns that Kaspersky have "close ties to intelligence agencies in Moscow and that its software could be used to enable Russian spying". In response, Kaspersky has offered to share source code showing how parts of their software works, in order to supposedly prove that Kaspersky does not hand any data over to Russia. This hasn't alleviated the US Government's concerns, however, and Kaspersky’s anti-virus software was banned from US government networks earlier this year.

Now, the UK has decided to follow suit.

In the United Kingdom, the government organisation responsible for computer security is the UK National Cyber Security Centre. On Friday, its director, Ciaran Martin, penned a letter to departmental permanent secretaries asking them to stop using Kaspersky software, saying that Russian-made software should "not be used in systems containing information that would harm national security if it was accessed by the Russian government."

The wording of the letter makes clear that the UK agrees with the US that there are significant concerns that Kaspersky software could be leaking data to the Russian government that would be dangerous if it got out. Martin added that his agency is "in talks with Kaspersky Lab to develop a system for reviewing its products for use in Britain."

“We are in discussions with Kaspersky Lab … about whether we can develop a framework that we and others can independently verify,” Martin said in the letter, which was publicly released.

What is Kaspersky's reaction?

In a statement released following the NCSC announcement, Kaspersky Labs allege their organisation has become a scapegoat in the midst of the rising tensions between America and Russia, and say they look forward to working with the NCSC on the issue.

Should I be worried?

At this point in time, there is no real proof that Kaspersky DOES send data that passes through its systems on to the Russian government; or what that data entails. However, the fact the company does dealings with government, corporate and military organisations worldwide, and is itself based in Moscow, makes the possibility impossible to ignore.

The NCSC's statement only refers to matters of "national security", saying that Kaspersky software should only be avoided if the possibility of Russians getting ahold of it "poses a significant risk". For most at-home users, therefore, there is nothing to worry about. However, if you are a user of Kaspersky Antivirus, Internet Security or any of their other products; and you find the revelations discomforting or are concerned for your privacy, it may well be worth looking into alternative products just for your own peace of mind.

    Previous Articles


    Apr 19 2016

    Ditch QuickTime on Windows – Apple Drop Support for Vulnerable Plugin

    Apple are dropping support for Quicktime, a plugin for viewing and streaming video, on Windows, on account of it no longer being useful.

    The Wall Street Journal reports that Apple has confirmed it'll no longer update or support Quicktime 7 for Windows.

    Way back when, QuickTime was a requirement to run iTunes, as the Quicktime code was used in part to provide the music streaming capabilities of the software, which resulted in many people who had iPods – and later, the iPhone – installing the plugin to their Windows PCs when they wanted them to properly work with their computers. As Apple notes on its support page, however, this situation changed in later versions of iTunes, and Quicktime has not been a requirement to run iTunes since October 2011.

    Despite not being relevant for iTunes any more, Quicktime continued to be useful to serve up video on the web. However, with HTML5 encouraging browsers to support video directly as part of the standard language of the internet, having a separate plugin for the ability now appears redundant. The combination of these two factors appears to have encouraged Apple to have made the decision to no longer support the plugin on Windows.

    The announcement comes a week after the Department of Homeland Security recommended Windows users uninstall Quicktime because of potential security holes, making Quicktime potentially vulnerable and use of it on Windows PCs a major security risk (these flaws do not affect the Mac OS version, which remains in support). Given its status as a potential security threat and the lack of any updates coming from Apple, many sources, including us at Technically Motivated, now recommend that Quicktime is removed from all Windows PCs as soon as possible.

    For those who are unsure how to, Apple's official support pages offer a guide for how to remove Quicktime from Windows PCs. Apple have been reached for comment to confirm the Wall Street Journal's report.

    Jun 16 2015

    LastPass Hacked: Users Encouraged to Change Master Passwords

    What happens when a service designed to keep your passwords safe gets hacked itself?

    Password-management service LastPass announced today that it “discovered and blocked suspicious activity” on its network on Friday that caused user email addresses, authentication hashes, password reminders and server per user salts to be compromised.

    While the news suggests that some users’ email addresses may now be known to criminals and that hackers may now have useful hints to passwords for other sites you may be using, LastPass says that there is no evidence that any data from any user’s vault was taken; or that any accounts were logged into illegitimately before the hack was detected. This means that any of the passwords actually stored on the server have not fallen into the wrong hands, so there should be no need to reset passwords for every site you stored data for. LastPass is confident that its encryption is strong enough to make attacking those stolen hashes with any speed difficult.

    Nevertheless, when it comes to LastPass itself, it is highly recommended you change your Master Password right now to ensure those vaults can’t potentially be accessed later. Although the company’s official recommendation is that you only need to change your master password if it’s weak or if you use that password on multiple sites, in any case of hacking, being paranoid is often the best approach. The company also recommends that users who don’t have two-factor authentication enabled on their accounts enable it now, which sounds like sound advice.

    Mar 10 2014

    How to check your Antivirus is properly working

    Some of the worst viruses to hit Windows – and even a few not-so-bad ones – make every attempt to make cleaning your computer difficult, through methods such as disabling your antivirus, interfering with opening the Security Centre or any cleaning or security tools your computer may be running, and even in some cases modifying your computer's HOSTS file so even going on the internet can either be blocked or have you redirected from real sites to illegitimate ones. This is why it's important to block viruses before they spread.

    Most competent anti-malware programs contain real-time protection shields to block viruses and other malware as soon as they crop up; and a fair few even include internet shields to stop downloads and take you away from infected sites that are likely to give you a virus. But what if you're ALREADY compromised? If there's already a virus on your computer that's changing the websites you visit and disabling your antimalware shields, etc. – then you might not even know you're infected and your computer could even be open to further infections, without you knowing they're coming in. Fortunately, there's an easy way to find out if your security is working as expected.

    Most companies working in computer security are members of, or are regulated by, various institutes across the globe who want to make sure every threat is being properly dealt with and every anti-malware does a competent job in keeping users safe. In Europe, the main one of these is the European Institute for Computer Antivirus Research, or EICAR for short. EICAR do a lot of research into computer viruses; and their research is shared with the makers of anti-malware products to improve detections, identify new viruses and basically keep the security you're using in working order. One of the ways they do this is by releasing test files, which contain specific messages not found in most ordinary programs. The test files are not viruses, but antivirus and antimalware programs are asked to treat them as one; and because the messages are unique to the test file, if the product DOES warn about the test file when it sees one, it's probably a good sign you're properly protected.

    You can make one of the EICAR Test Files yourself through a simple text editor like Notepad, allowing you a quick way to test your security is in working order. Just do the following:

    • Launch Notepad on your computer
    • Copy and paste the following line into the Notepad file:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
       

    • Save the File. In the Save Dialog, change "Save As Type:" to "All Files". Then save the file with any name ending ".com" – for example eicar.com

    If your antivirus is working and capable, during or within a few seconds of the file being saved, your antivirus should block and warn about the new file. You may even be told the file has been automatically deleted or moved to the quarantine / virus chest. Any of these messages is a good sign your antivirus is working.

    If your antivirus also includes an on-demand scanner, you can also use this file to test that. First, restore the file from quarantine if your antivirus moved it earlier (check your antivirus product's documentation on how to do this). Then run a scan. If the antivirus product finds an infection in the file you saved using the steps above, you can be assured everything is in proper working order.

    If you didn't get warned about the file when you saved it; and it wasn't found in a scan – then it may be time to investigate as your computer may have been compromised and your security is under threat.

    The EICAR Test File is a great way to ensure your antivirus' protection and scanning routines are working exactly as they should be, without damaging the security of your computer. And you can easily delete the file once you're done to stop being warned about it again; and re-create it later if you want to test another time.
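
The Notepad check above can also be scripted. The following is an added example, not part of the original article: it first confirms that a file really is a well-formed EICAR test file (per EICAR's definition it must start with the 68-character string, with only whitespace after it and no more than 128 bytes in total, so leading spaces from a copy-paste or a byte-order mark from the editor make scanners ignore it), then writes the string to a folder and reports whether the real-time shield stepped in. The function names, the file name `av-selftest.com` and the 5-second wait are assumptions.

```python
"""Scripted version of the Notepad EICAR check (added example)."""
import os
import tempfile
import time

# The 68-byte EICAR string from the article, split in two so that this
# script is not itself reported by scanners that match it anywhere in a file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# EICAR's definition allows only these bytes after the string
# (space, tab, LF, CR, Ctrl-Z) and at most 128 bytes in total.
ALLOWED_TRAILER = b" \t\n\r\x1a"
MAX_LENGTH = 128
BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")  # UTF-8 / UTF-16 markers


def check_test_file(data: bytes) -> str:
    """Return "ok", or the reason a scanner may legitimately ignore the file."""
    if data.startswith(BOMS):
        return "invalid: byte-order mark at start (re-save with ANSI encoding)"
    if not data.startswith(EICAR):
        if EICAR in data:
            return "invalid: characters before the test string"
        return "invalid: test string missing or altered"
    if len(data) > MAX_LENGTH:
        return "invalid: file longer than 128 bytes"
    if data[len(EICAR):].strip(ALLOWED_TRAILER):
        return "invalid: non-whitespace after the test string"
    return "ok"


def probe_shield(payload: bytes, directory: str, wait: float = 5.0) -> str:
    """Write payload to directory and report whether something removed,
    locked or altered it within `wait` seconds."""
    path = os.path.join(directory, "av-selftest.com")  # assumed file name
    try:
        with open(path, "wb") as handle:
            handle.write(payload)
    except OSError:
        return "BLOCKED"          # the write itself was refused
    time.sleep(wait)              # give the on-access scanner time to react
    try:
        with open(path, "rb") as handle:
            intact = handle.read() == payload
    except OSError:
        intact = False            # file quarantined, deleted or locked
    try:
        os.remove(path)           # clean up if the file is still there
    except OSError:
        pass
    return "NOT_BLOCKED" if intact else "BLOCKED"


if __name__ == "__main__":
    # Sanity-check the string first so a typo is not mistaken for a dead shield.
    print("test string:", check_test_file(EICAR))
    with tempfile.TemporaryDirectory() as folder:
        print("real-time shield:", probe_shield(EICAR, folder))
```

To vet a file saved by hand, pass its bytes to `check_test_file` before concluding anything from a missing warning. A `NOT_BLOCKED` result from a valid file means the same as in the manual test above: investigate, starting with whether the folder used is excluded from scanning.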

    Feb 16 2014

    Hackers steal Usernames, addresses, encrypted passwords and more details of Kickstarter users, change your password now!

    An undisclosed number of Kickstarter users have been emailed with advice to reset their passwords after the company was made aware of a data breach that may have led to the disclosure of personal information.

    Some time in the last 24 hours, Kickstarter updated their website to display a banner on the top of its site for logged-in users, advising them to change their password and providing a link to do so. The advice comes following a statement by Kickstarter – which was emailed to an undisclosed number of users – stating the company was made aware “by law enforcement officials” of hackers breaching their servers to steal account-related information. The advice also recommended users consider using tools such as 1Password or LastPass, which as well as offering storage to let you remember all your passwords, also include password generators to come up with randomised, highly-secure passwords (might I also recommend KeyPass, which does the same but also contains a meter telling you how “secure” any password you type in is likely to be?)

    The following is the full text of the email as sent out by Kickstarter – I’ll leave the explaining to them as it puts it better than I could myself:

    “On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

    No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

    While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

    As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.

    To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

    We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

    Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

    While it’s disappointing to hear of any type of hack where data is stolen – and a sad reflection of the state of the world today that not even a website that exists to give those with ideas but no money to make them real, the chance to connect with their potential market and get the funding they need, is safe from being hacked – it’s reassuring to see a company own up to the breach so quickly and waste no time in attempting to secure their service better and protect their users. I hope more companies learn from this example.

    Jan 26 2014

    Microsoft: “Don’t live in the US? Would you like to not store your data there?”

    That is the question Microsoft are now asking all its non-American users, after implementing a new feature that will allow users of Microsoft services who registered as outside the United States to opt to have their data stored only on non-American soil.

     

    Microsoft have become what appears to be the first United States-based company to offer those outside the US the option to store their data off of American soil; and it isn’t too surprising given how vocal they’ve been against lack of user privacy in the United States. They’ve been very unhappy with the revelations given to us thanks to Edward Snowden over the fact that the NSA have been spying on American citizens. They are also unhappy with the fact that their own networks have been used to monitor citizens in countries like Brazil and all over Europe as well. It’s also possible that the move may perhaps have an additional role as a subtle middle-finger to the Syrian Electronic Army, who have repeatedly hacked their American servers in recent months.

     

    So far, Microsoft is the only major company offering explicitly non-US data storage, despite evidence that the NSA has also broken into the private networks of both Google and Yahoo.

     

    While there’s no guarantee the NSA won’t be able to reach servers outside US borders, the move would offer an additional layer of protection, as local law enforcement is likely to respond more aggressively to agents of a foreign country. This of course assumes that Microsoft are serious about their commitment to protect the interests of their customers globally; and that this is not just an act to maintain loyalty with customers outside of the US. There’s also still the unanswered question of what happens when data is in transit – data may not be STORED on US servers, but could it still pass through one or more of them when the data is in transit – for example, whenever you use a different Microsoft service?

     

    We shall see… soon enough.

    [Cross-posted to Sanitarium.FM]

    May 23 2013

    Twitter is introducing new security measures in light of recent hackings

    Micro-blogging site Twitter says it is bringing in an optional two-step login process for its users to improve the security of each account, following recent high-profile breaches within the social network.

    The news comes after a number of high-profile Twitter accounts were illegitimately accessed, including those of major news organisations such as the Financial Times and the Associated Press (AP), the latter causing widespread panic when hackers sent a fake news tweet claiming US President Barack Obama had been injured. This followed an attack against Twitter itself in February, which led to 250,000 users having their passwords stolen.

    Mr. Jim O'Leary (product security head of Twitter) explained the new two-factor authentication system thusly:

    "You'll need a confirmed email address and a verified phone number. After a quick test to confirm that your phone can receive messages from Twitter, you're ready to go."

    A message containing a verification code would then be sent to the account holder's mobile phone that can be used to log in. However, he also reminded Twitter users of the importance of strong passwords:

    "Of course, even with this new security option turned on, it's still important for you to use a strong password and follow the rest of our advice for keeping your account secure."

    However, Kim Dotcom – owner of Mega.co.nz file sharing site, itself the spiritual successor of the controversial former file upload website MegaUpload – is threatening a patent lawsuit over the Social Network's newfound use of two-factor authentication. Extending the threat to Google, Facebook, Twitter, Citibank and other companies that have implemented the system, he claims the use of mobile devices to offer a second layer of security for website logins infringes a patent describing an SMS-based two-step-authentication process he filed with the US Patent Office in 1998 and was granted in 2000; with Dotcom claiming registrations also exist in twelve other countries.

    "I never sued them. I believe in sharing knowledge & ideas for the good of society. But I might sue them now cause of what the US did to me."

    The BBC reports that he is not alone in these claims, however:

    A New Jersey-based firm called Strikeforce is currently suing Microsoft over its use of two-factor authentication tech based on a patent it filed in 2004.

    And another British company, SecurEnvoy, recently announced it had been granted patents for a "business grade" SMS-based two-factor authentication process.

    However, let's look beyond the arguments and focus on the security. Will you be turning on two-factor authentication for your Twitter account?

    Jan 15 2012

    VirusTotal gets updated, file size limit increased to 32 MB and new interface

    This article was not written by the team at Technically Motivated. It was quoted heavily from a similar post from dotTech.org; which itself was based on a posting from the VirusTotal blog; and has been reprinted here under the terms permitted by the Creative Commons Attribution-Noncommercial license the original work was licenced under. Technically Motivated makes no claim of ownership for this article.

    VirusTotal is an awesome website. If you don't know about it already, you have been missing out on life — VirusTotal allows users to scan a file with 40+ anti-virus/anti-malware engines. VirusTotal recently introduced an update to the website. This update brings many goodies. Let's take a look at what they are:

    • New interface. VirusTotal has a new interface; it is more modern and streamlined.
    • New file size limit. In the past VirusTotal only accepted files that were 20 MB or smaller in size. That limit has now been increased to 32 MB. Oh happy days.
    • New back-end engine. VirusTotal has now been migrated to Google App Engine. This basically means VirusTotal runs on Google's cloud services. For most of us normal users, it makes no difference if VirusTotal is running on Google App Engine or some other cloud service. However Google App Engine allows VirusTotal to scale better when the need arises, ensuring a better service level; plus scans and analyses should now be faster thanks to Google's infrastructure.
    • Other changes. Aside from the major changes mentioned above, other changes include:
      • Thanks to HTML5, VirusTotal now computes the hash of files locally thus if you are looking to scan a file that has already been scanned by VirusTotal, you don't have to upload the file before you are given the ability to view the older scan results.
      • The URL scanner uses more engines now, bringing the total to 19.
      • Releasing version 2 of the public API, improving responsiveness among other things.
      • And more.

    Hit up the link below to check out the new VirusTotal yourself:

    VirusTotal homepage

    [via VirusTotal Blog]

    Oct 29 2011

    Major Privacy Flaws found in Dolphin Browser for iOS and Android

    The below post borrows heavily from a similar article posted on dotTech.org, which in turn was a more up-to-date post based on a report from Ars Technica. Both sources have received credit for the below works and Technically Motivated makes no claim of ownership for non-original content.

    Dolphin is an extremely popular third party browser that is much loved by many users of modern smart-phones. Available in many forms – Dolphin Browser HD and Dolphin Browser Mini on Android; and Dolphin Browser on iOS – the browser is generally considered to be sleek and feature filled and constantly receives updates. However, one recent new feature introduced to the browser has caused much controversy.
    MoboTap, the developer of Dolphin, were recently discovered to have introduced a major breach of privacy with their Webzine feature.

    Webzine is an attempt by MoboTap to make web browsing on mobile devices more pleasant. What happens is MoboTap teams up with websites to configure them to be Webzine compatible. (Actually I am not sure if MoboTap teams up with websites or if websites do it themselves; the point is websites are made to be Webzine compatible, one way or another.) Then when a user visits a Webzine compatible website in Dolphin, the mobile-friendly Webzine version is shown. That doesn’t sound too bad does it? The privacy issue is not with Webzine itself but rather how Dolphin identifies Webzine compatible websites.

    Reports – thanks to the ever-vigilant people at XDA-Developers – have emerged that on Dolphin Browser HD [Android] and Dolphin Browser [iOS] every website users visit is being sent – in plain text – to Webzine’s server to check to see if the website is Webzine compatible. (If the website is, the Webzine version is shown; if it isn’t, the normal version is shown.) In other words, any URL you visit – may that be HTTP or HTTPS – is being sent to MoboTap’s server to be checked for Webzine compatibility. (These reports are mainly around Dolphin Browser HD [Android] but there has been some confirmation that Dolphin Browser [iOS] also behaves like this; Dolphin Browser Mini [Android] seems to be unaffected.)

    Now, in their defense, MoboTap has come out and clarified Webzine does not store any user data; URLs are transmitted to Webzine server only to make a check for Webzine compatible websites, nothing more nothing less. However, even if what MoboTap says is true, stealthily introducing such functionality is a major breach of user trust and a huge privacy issue. Many people have mentioned there are better ways to check for Webzine compatible websites (such as storing hashes of compatible URLs locally and doing local checks instead of sending URLs to Webzine’s server); but even if MoboTap wants to continue this method of checking of Webzine compatibility, they need to be crystal clear on what is happening and they need to give users a way to opt out. To its credit, MoboTap claim they ARE working on an opt-out feature; and the company also has quickly updated Dolphin Browser HD on Android to temporarily disable Webzine for the present time. (v7.0.2 is the version with Webzine disabled — update if you use Dolphin Browser HD but don’t have v7.0.2.)

    Since there wasn’t as much noise about Dolphin Browser on iOS behaving like this, it appears Dolphin Browser on iOS has not yet been updated to disable this behavior. (Someone correct me if I am wrong.) However, if I were a Dolphin user – which I am not and now never will be – my confidence in MoboTap would now be eroded thanks to this incident. What’s to keep them from doing something similar – or worse – in the future?

    Sep 23 2011

    All your information are belong to them: Researchers claim they can crack secure web connections (read: HTTPS has been cracked)

    The following post was originally published by Ashraf, founder of dotTech.org, on the dotTech website. It has been reprinted here – with only minor edits as required for compatibility with the software used by Technically Motivated – under the terms of the Creative Commons Attribution-Noncommercial licence – the licence attached to the original work at the time of our redistribution. Technically Motivated make no claim of ownership to the below content nor make any guarantee for its validity or accuracy.

    A pair of security researchers claim to have written a JavaScript tool, named Browser Exploit Against SSL/TLS or BEAST, that allows them to access the information being passed behind SSL/TLS encryption. Yeah, you read that properly. These two geeks claim they have the ability to crack HTTPS.

    Without going into too many technical details (because, well, I myself don't understand all the technical wand waving behind this specific exploit and I need to save face by using the excuse of not wanting to go into too many technical details), BEAST "cracks HTTPS" using a two step process. The first step involves sniffing the network to gather enough blocks of plaintext data; the second step involves injecting the data back into the secure stream to decrypt the secure connection. Or something like that.

    BEAST uses JavaScript to do all its evil stuffs, so it can be injected to your browser via malicious ads, hidden iframes, or any other component of a website that executes JavaScript code. Original estimates said it takes about a half-hour to break content encrypted with 1,000 character long keys, but some refinement of the code by the researchers have that time estimate down to ten minutes. Ten freaking minutes.
