Serge Malenkovich – Kaspersky official blog
https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.
Tue, 02 Nov 2021 14:11:31 +0000

Why you should not buy a forged Green Pass
https://www.kaspersky.com/blog/whats-wrong-with-forged-green-pass/42728/
Thu, 28 Oct 2021 16:15:23 +0000

Unidentified scammers are selling Green Passes (certificates required for travel and access to many public places and events in the European Union) on hacker forums and in Telegram channels. To demonstrate their capabilities and attract potential customers, they created a Green Pass issued in the name of Adolf Hitler. Perhaps most disturbing, the QR code passes app verification as valid. This raises a number of questions, which we will try to answer in this post.

What is Green Pass?

Green Pass is a certificate that verifies its owner either was vaccinated, recently recovered from COVID-19, or received a negative test result no more than 48 (for a rapid test) or 72 (for PCR) hours ago. The certificate contains a QR code that can be validated with an application. Green Pass is a standard document in the countries of the European Union and in some others: Israel (where it was initially developed), Turkey, Iceland, Ukraine, Switzerland, Norway, and more.

Usually, medical institutions issue Green Pass certificates. Depending on the country, a Green Pass may be required for travel; for visiting bars, restaurants, museums, and public events; in educational institutions; and even for work. The Green Pass also exists in paper form, but most often it is an application that displays a QR code to verify the certificate.

How attackers can sign fake certificates

Some shady traders on the Internet and Telegram channels in particular are selling forged Green Pass certificates apparently issued by health services in Poland or France. Several theories explain how they could succeed. According to one, criminals somehow got a secret cryptographic key enabling them to issue such certificates. If that’s the case, the legitimate Green Pass certificates will probably have to be reissued.

According to another theory, the sellers have accomplices in France’s and Poland’s healthcare systems. In that case, reissuing the cryptographic key is unlikely to help — law enforcement agencies will have to find the insiders.

Updated on November 2, 2021: According to the latest information from European Commission representatives, the incident wasn’t caused by a cryptographic issue with the generation of the certificates, or with the storage of the signing keys. Most likely, “persons with valid credentials to access the national IT systems, or a person misusing such valid credentials,” created the fake certificates.

Is the entire Green Pass system compromised?

For now at least, the Green Passes most EU countries issue remain as legitimate as before. Only certificates issued in Poland and France are under suspicion.

Will Green Pass certificates issued in Poland and France be revoked?

EU authorities are conducting investigations. In the worst case scenario, Poland and France will have to reissue certificates — but not necessarily all of them. If the malefactors cannot manipulate issue dates, then only some will have to be replaced.

Can you buy a fake Green Pass?

Well, there’s nothing stopping you from spending your money. However, visiting EU countries with a fake certificate is not a good idea. First, the fake certificates will be revoked, and although you’d most likely just lose some money, it is also possible customers will be caught in the same law-enforcement net as forgers. With a fake Green Pass, you have a good chance of winning a long conversation with European law enforcement agents.

We have reason to believe this is far from the last fraud scheme regarding the Green Pass system. Various scams will most likely appear quite soon. However, this incident will also draw more attention from law enforcement agencies. For that and other reasons, we do not recommend getting a Green Pass from anywhere but an official European medical institution.

Online gaming: 5 most dangerous threats
https://www.kaspersky.com/blog/online-gamer-threats/4474/
Fri, 20 Mar 2020 14:00:30 +0000

Not so long ago, most people regarded gaming as something for kids and maybe teens, nothing adults really needed to worry about. We’re not sure precisely when that changed, but with gaming now reputable and ubiquitous, we all have a new front to guard against cybercriminals.

The chances are good that you play an online game — or more than one — at least occasionally. Whether you use a gaming console, a PC, or your phone, whether you play 10 minutes while commuting or every spare evening and weekend hour is not important. If you play, then you need to know and avert the risks associated with your gaming online.

Specific game exploits and hacks of game developers crop up from time to time, but cheating and other common issues affecting online gaming persist. Here are the five major risks threatening everyone involved in online gaming, and what you can do to stay safe:

1. Phishing

The same tactics scammers use to trick people out of their credit card numbers, bank passwords, and other account logins are also popular with gaming thieves. In this case, instead of mocking up a replica of Chase Bank or the like, criminals may build something that looks like a popular online game website and urge gamers to change their password or validate their account, typically threatening to block the gamer’s account unless they comply. The goal is to take over the account and resell it on the black market.

Solution: Phishing is phishing. Never click a link in an e-mail or text message. Open your Web browser, type in the game website yourself, log in to your account, and perform any checks or confirmations there. Use online protection that prevents your browser from opening fake sites.

2. Trolls and bullying

Almost every online game includes some form of voice or text-based chatting nowadays. Unfortunately, the feature is also widely abused. In the heat of the online battle, you may hear some cursing, or an insult. That may just be human nature in a highly competitive atmosphere, but inevitably, some players will cross the line into bullying other players. And in some games, especially those dedicated to online characters’ virtual lives, such chats may become uncomfortably personal.

Solution: Immediately block any offender; don’t play or chat with them, and report their user name to the game abuse team. Never reveal your real identity or personal details to your gaming partners. If your kids are playing, teach them to discuss such incidents with you promptly and make sure they are well aware that the “stranger-danger” principle is highly applicable in online games as well as in the real world.

3. Cheats and frauds

Depending on the rules and the type of game, multiple ways to cheat may exist — some considered legitimate, some not. The worst use modified gaming clients, or even bots, to play in better condition (with greater speed or precision, for example) than ordinary players. Also, some players take advantage of errors they discover in the game server’s code to gain an advantage in-game.

Other ways to cheat involve fixing games, using virtual gangs to rob novice players, and virtual fraud. When it comes to in-game economies, centuries-old fraud schemes sometimes arise. You may encounter a person offering you some inventory or an in-game advantage for a discounted price, for example, but typically such offers turn out to be scams.

Trading in-game goods outside of the official game marketplace dramatically increases your chances of being deceived.

Solution: Don’t accept suspicious offers from strangers. If an offer sounds too good to be true, it probably is. If you notice someone progressing too fast in the game, report it to the support team. Most online games have strict regulations and promptly ban cheaters.

4. Character and inventory theft

Criminals are likely to target in-game resources, well-developed game characters, paid game accounts, or associated credit-card data. The latter is the hardest to target, but others may be stolen from you in multiple ways: phishing, password-stealing malware, in-game fraud and so on. Ultimately, the better your character or account, the greater the chance that criminals will target you specifically. This is especially relevant for well-developed games with large, loyal (and paying) audiences worldwide.

Solution: As you progress in a game, be more and more cautious with your account. Set up two-factor authentication for the account, use complex and unique passwords for your in-game account and your primary e-mail address, use a strong security solution for your device, and watch out for phishing and other attempts to steal your credentials.

The better your in-game character, the more likely criminals are to target you personally.

5. Computer or smartphone compromise

In addition to other tricks that work for a general audience, some hackers target gamers with fake game updates or utilities claiming to customize your game or help speed your game progress. Malicious apps spread through phishing, in-game communications, as attachments on gamers’ forums or chat rooms, and by other, similar means.

In some exceptional cases, malware is even spread through legitimate game update mechanisms. Some of that malware is game-oriented, stealing gamers’ credentials or in-game goods, but some steals bank accounts; adds your PC, Mac, or smartphone to a botnet; or mines Bitcoins.

Solution: The aforementioned malware is why gamers always need fully updated devices with the most recent patches from OS vendors and the strongest Internet security suite available. Some solutions, such as Kaspersky Internet Security, protect you from malware and phishing and also include a special gaming mode, which delays or disables certain features so your security won’t cause any computer slowdowns while you’re kicking butt online.

How to minimize game lags in Windows 10 in 7 steps
https://www.kaspersky.com/blog/windows-10-gaming-tips/34136/
Wed, 18 Mar 2020 09:08:40 +0000

Losing a multiplayer match because your computer suddenly froze for 50 milliseconds can be bitter. The good news is that you can prevent this mishap in the vast majority of cases. In this post we focus on the software-related problems and solutions that are most common for modern gamers. These seven tips will help you minimize performance-related defeats.

1. Rule out Internet issues

Make sure your Internet has stable speed and latency (signal delay). Open your Web browser and navigate to a comprehensive speed testing service such as speedtest.net or dslreports.com. Make sure that the Internet speed is adequate (most games will do fine with 10 Mbit/s, but video streaming the whole thing requires 50–100 Mbit/s) and that the delay (aka ping) is really small. Modern fiber optic channels typically get you a 5–50 ms ping, which is fine for most games. A delay of hundreds of milliseconds might be a real obstacle to winning a battle royale.

Fixing this issue might involve experimenting with your router’s Wi-Fi settings, moving it closer to your gaming computer, switching to a wired connection between computer and router (keep in mind that pro players use wired connections only) or even changing your Internet provider. We will cover all that in a separate article one day, but for now let’s switch to software issues and tweaks.

2. Optimize your game’s video settings

If your game is too resource-hungry and your graphics card cannot provide enough processing power, the gaming experience could be frustrating. Setting a lower detail level or reducing resolution in the game settings can help a lot. Focus on reducing eye candy while maintaining things such as viewing distance that help you win. Switch on an FPS indicator if it’s supported by the game settings, and fine-tune settings until you can consistently squeeze 30–60 frames per second out of your system. More is better (and gives you some room for graphics enhancements); less is usually considered unplayable for dynamic games such as shooters. For online gaming more than 60 FPS is highly recommended.

3. Optimize your power settings

This one is critical for laptops but relevant for other computers too. Make sure you’re playing on AC power and have the best performance mode enabled. The easiest way to adjust that is to click the battery icon in the task bar and move the slider to the far right, where the “Best performance” setting is located.

Adjusting power settings can help improve gaming performance

4. Halt unnecessary applications

Any apps that compete for resources with the game can introduce that dreaded lag. It may help to close all browser windows, unneeded chat apps, and everything else that is not system-level and not related to the game you’re playing. This small trick alone can solve the issue with lags.

To get an idea of what apps consume the most memory and processing power, use Windows’ Task Manager app. If you click the “More details” button in the lower part of its window, it will flood you with details on all processes running. Sort this table by the “Memory” and “CPU” columns and consider closing the hungriest processes. You may also find some additional offenders, like a messenger client you didn’t even realize was running in the background, or some other unobtrusive app.

5. Set up antivirus properly

Many gamers think an antivirus or Internet security solution is the app worth stopping. Some go as far as uninstalling it permanently. In reality, this approach is outdated and unhelpful. In fact, it can even make your games run slower!

Consider two things: First, in Windows 10 you can’t have no antivirus at all — if you turn off a third-party solution, Windows Defender automatically jumps into action. Second, not all antiviruses are created equal. Some security solutions have a dedicated gaming mode that minimizes their impact on PC performance, but Windows Defender doesn’t provide such a luxury.

Keep in mind that you probably have one more “bonus” antivirus that you’re not aware of. It’s hidden inside … Google Chrome! That AV also has very limited settings, and nothing particularly useful for gamers. That’s another reason to close browser windows when you’re trying to optimize your computer speed.

That said, the right approach to the AV question is to install one of a few security solutions that have both a proven minimal impact on speed and a dedicated gaming mode to reduce lag and disable any pop-ups, additional scans, and so forth. We will demonstrate with Kaspersky Internet Security and Kaspersky Security Cloud, which have consistently received top marks for performance and efficiency for quite a few years already.

  • Make sure that any scheduled scans or updates are set for times when you’re not gaming:

Set up the antivirus scan schedule so that it doesn't interrupt your gaming sessions

  • Use gaming mode. This mode turns on automatically whenever a full-screen app is running, and in this mode the security solution will not run full scans or update databases so as not to disturb you.

Make sure that Gaming mode in your Kaspersky Internet Security or Kaspersky Security Cloud is turned on, minimizing the security solution's impact on performance

6. Set up Windows Update properly

Certain Windows 10 subsystems’ background operations can be the cause of sudden delays. Most notably, when Windows Update is downloading and installing something, it hits performance substantially. That’s why it helps to set the update schedule for times when you’re not gaming: Open Windows 10 settings, navigate to Windows Update, and click “Change active hours.” The description states that active hours affect restart times only, but this setting actually informs other update tasks as well.

Specify the hours when Windows Update should not be running so that it doesn't affect gaming performance

7. Keep your computer tidy

As time goes by, almost every computer shows some speed degradation. The major reason for this slowdown is the accumulation of junk files and apps. To help your computer run faster, you should clean out temporary files, archive or delete unneeded documents, and uninstall the games you don’t play anymore. Many dedicated apps do this maintenance for you, and Kaspersky Total Security and Kaspersky Security Cloud also perform cleanup functions.

Periodically cleaning junk files out of your PC helps keep its performance high

With all of the steps above taken, your computer should be a failure-proof gaming rig — and winning the game becomes a matter of tactics, training, and teamwork.

Encryption in the quantum era
https://www.kaspersky.com/blog/rsa-postquantum-howto/33906/
Wed, 04 Mar 2020 17:42:10 +0000

As they emerge from labs and enter the real world, quantum computers will doubtless prove very useful to humankind. They will not replace ordinary machines, but when it comes to tasks reducible to optimization and number crunching, they will leave their predecessors eating dust. Unfortunately, the revolution will not be confined to searching for new medicines and developing more advanced aircraft, but will include cracking computer encryption. It may take five or twenty five years for such hacks to become feasible, but rest assured, there is encrypted data out in the world now that needs to remain protected over that time span and beyond. That is why large companies and government agencies need to start planning for the quantum future today.

The main obstacle to that planning is the absence of clear standards. The global community of cryptographers has already developed several promising algorithms that will be resistant to quantum attacks; however, these algorithms have to pass multistage testing and verification. The algorithms must be demonstrably resistant not only to quantum attacks, but to attacks of the classical sort as well. The fastest and most resource-efficient have to be determined so that they can be used in devices, such as IoT devices, with limited computing power, and the parameters (key length, etc.) will have to balance reliability and performance optimally.

But that is far from the end of it. Existing communication standards (for example, TLS) will have to integrate the algorithms, and we will have to establish rules for the new ciphers to coexist with the old. Clearly, this work will take years. What should app and platform developers, makers of autonomous cars, and strategic data custodians do in the meantime?

A roundtable of cryptography experts at RSAC-2020 sees the solution in “cryptographic agility.” Simply put, if you are currently developing or supporting a data encryption or hashing system, do not set tight restrictions. Ensure that the algorithms in use are updateable, and allow for generous adjustment to the key and buffer sizes — in short, give the system plenty of growing space. This is especially important for embedded or IoT solutions, because such technologies take a long time to implement and decades to modernize. So, if you buy a new system, ask the developers about cryptoagility.

Cryptography lifetime: Algorithm strength over time.


If they ignore it, it will be very painful later to uproot the obsolete encryption algorithms and implant new ones. A good example comes from Microsoft’s Brian LaMacchia. When it became clear that the MD5 hash could be cracked, and was no longer suitable for generating digital signatures, Microsoft decided to pull the plug on it. A long audit showed that the company’s products contained about 50 (!) independent versions of MD5-calculation code, and each would have to be removed separately. As a result, the process took about two years to complete.

Another potential problem likely to become more acute as traditional algorithms get replaced by quantum-resistant ones is lack of memory for storing keys. If your system developers decided at some point that a 4096-bit buffer was enough key storage space for any encryption algorithm, then you will run into serious difficulties when implementing post-quantum encryption — even if the system supports the addition of new algorithms.
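The two failure modes described above (algorithms that cannot be swapped and a key buffer fixed at 4096 bits) can be shown side by side. The following is an added example, not code from the article or from any vendor: the record layout, algorithm ids and registry are hypothetical, the key bytes are random stand-ins, and 1184 bytes is the Kyber-768 public-key size.

```python
from __future__ import annotations

import os
import struct
from dataclasses import dataclass, replace

# The fixed 4096-bit key buffer from the article, expressed in bytes.
LEGACY_KEY_FIELD = 4096 // 8


def legacy_pack(key: bytes) -> bytes:
    """Rigid layout: every key must fit one zero-padded 512-byte field."""
    if len(key) > LEGACY_KEY_FIELD:
        raise ValueError(
            f"{len(key)}-byte key does not fit the {LEGACY_KEY_FIELD}-byte field"
        )
    return key.ljust(LEGACY_KEY_FIELD, b"\x00")


@dataclass(frozen=True)
class Algorithm:
    alg_id: int           # hypothetical wire identifier
    name: str
    key_len: int          # exact public-key length in bytes
    allowed: bool = True  # flipped to False when the algorithm is retired


class AlgorithmRegistry:
    """The single place where algorithms are added and retired."""

    def __init__(self) -> None:
        self._algs: dict[int, Algorithm] = {}

    def register(self, alg: Algorithm) -> None:
        if alg.alg_id in self._algs:
            raise ValueError(f"algorithm id {alg.alg_id} already registered")
        self._algs[alg.alg_id] = alg

    def retire(self, alg_id: int) -> None:
        self._algs[alg_id] = replace(self._algs[alg_id], allowed=False)

    def lookup(self, alg_id: int) -> Algorithm:
        alg = self._algs.get(alg_id)
        if alg is None:
            raise ValueError(f"unknown algorithm id {alg_id}")
        if not alg.allowed:
            raise ValueError(f"algorithm {alg.name} has been retired")
        return alg


HEADER = struct.Struct(">HI")  # 2-byte algorithm id, 4-byte key length


def agile_pack(reg: AlgorithmRegistry, alg_id: int, key: bytes) -> bytes:
    """Agile layout: algorithm id and length travel with the key."""
    alg = reg.lookup(alg_id)
    if len(key) != alg.key_len:
        raise ValueError(f"{alg.name} expects {alg.key_len} bytes, got {len(key)}")
    return HEADER.pack(alg_id, len(key)) + key


def agile_unpack(reg: AlgorithmRegistry, record: bytes) -> tuple[Algorithm, bytes]:
    if len(record) < HEADER.size:
        raise ValueError("record shorter than header")
    alg_id, key_len = HEADER.unpack_from(record)
    alg = reg.lookup(alg_id)
    key = record[HEADER.size:]
    if key_len != alg.key_len or len(key) != key_len:
        raise ValueError("key length does not match algorithm or record size")
    return alg, key


def demo() -> dict:
    reg = AlgorithmRegistry()
    reg.register(Algorithm(1, "rsa-4096-modulus", 512))
    rsa_key = os.urandom(512)    # constructed stand-in key material
    pq_key = os.urandom(1184)    # constructed stand-in, Kyber-768 sized
    results = {"legacy_rsa": len(legacy_pack(rsa_key))}
    try:
        legacy_pack(pq_key)
        results["legacy_pq"] = "stored"
    except ValueError:
        results["legacy_pq"] = "rejected"
    # Adding the new algorithm is one registry entry, no format change.
    reg.register(Algorithm(2, "kyber-768", 1184))
    alg, key = agile_unpack(reg, agile_pack(reg, 2, pq_key))
    results["agile_pq"] = (alg.name, key == pq_key, HEADER.size + len(key))
    # Retiring the old one is also a single change, enforced on every path.
    reg.retire(1)
    try:
        agile_pack(reg, 1, rsa_key)
        results["retired_rsa"] = "stored"
    except ValueError:
        results["retired_rsa"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```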

To check the cryptoagility of your systems, try deploying cryptographic solutions that are based on those algorithms vying for the title of official post-quantum encryption standard. Many budding algorithms and protocols are already available via the Open Quantum Safe project. In addition to the source code of the algorithms themselves, the site offers ready-made builds of popular software products such as OpenSSL and a post-quantum version of OpenVPN, made by Microsoft.

How to set up a smartphone for a child
https://www.kaspersky.com/blog/smartphone-for-your-kid/20323/
Wed, 22 Jan 2020 14:00:05 +0000

These days, it seems like younger and younger kids are getting smartphones. Even parents who would prefer to wait longer may be tempted, wanting to know that their child is safe during the day — or pressured, wanting their children to fit in.

We can’t forget, though, that smartphones are fun, portable touch-screen computers. Left to their own devices (no pun intended), children may spend hours playing games and watching YouTube videos. And kids will be kids, perhaps more likely than an adult to break or lose the smartphone.

The good news is that we can reduce the risks. As with so many things, it’ll mainly take a bit of time and ongoing attention, but parental peace of mind is worth it.

How to set up your child’s smartphone right

The settings I’ll go through are easy to tweak to your own preferences — you can make them as tough or easy as you like, once you know where they are. Let me start with a few basic assumptions, however:

  1. Kids play, and that’s OK (with limits).
  2. The Internet is like the ocean — enticing but also dangerous.
  3. Everyone is entitled to a measure of privacy.

Choose Google or Apple

The two most popular mobile platforms, Apple’s iOS and Google’s Android, both have built-in parental control tools, but Android lets users adjust more settings than iOS does. Android phones have another attractive quality: They’re less expensive and therefore easier to replace.

Some people prefer iOS, which may be better for households that have other Apple devices — and for parents who aren’t concerned about the price. You can read here about how to set up iOS for kids, although it’s in the context of tablets and for younger children.

Set up Google accounts (individual)

Using an Android smartphone requires a Google account, but the terms and conditions stipulate that only a person who is 13 or older can create an account. If you don’t already have a second account that you can use for this purpose, you’ll have to create one.

The child does not need to know the password for their new account, and enabling two-factor authentication for it is advisable. Needless to say, the authentication should be linked to your smartphone, not to your child’s.

Note: You can create an account for your child on devices running Android 7.0 and above by using the Family Link feature, but it is currently available only in the United States.

Now, power up the smartphone, add your existing Google account information in the setup wizard, enter your desired e-mail address and other data, enter your age and your phone number, and accept the terms and conditions.

If it is not the first time you’re starting up the smartphone, you set up the new account here: Settings → Accounts → Add accounts → Google. In the new window, tap Or create a new account.

At this point, skip entering payment details for the Google Play store. I’ll come back to that issue a bit later, but for now I’ll say that payment information should be linked to an adult’s account.

An account is required if you want to synchronize contacts and pictures and use the Google Play app store. That said, we’re talking about elementary-school-age children, who are unlikely to need e-mail on their phones. A Gmail account is more likely to collect spam than useful communications, so I recommend not enabling it on the smartphone: Open Settings, go to Google account settings, and uncheck the Sync Gmail option.

Set up Google accounts (family)

If a parent is using an Android device too, then creating a family account may make sense. Using a family account lets family members share paid purchases across all of its devices as well as letting a child pay for purchases from their smartphone (using the parent’s payment information — and only with the parent’s explicit consent).

You can create a family account in Google Play from your own smartphone. Launch the Google Play app, open up the menu, and tap on Settings → Account → Family → Manage family members. You can invite your significant other and your children by entering their Gmail addresses on this screen.

The invitation has to be accepted from the family member’s smartphone. After that, take your smartphone, go to the family group’s settings, open the child’s profile, and select one of the following modes for purchase approvals: All content, Only paid content, Only in-app purchases, or No approval required.

Anything that requires approval will now require either your password entered on the child’s device or approval from your device.

Filter Google Play apps and media

You can prevent your child from downloading adult games or songs with explicit lyrics using Google Play’s parental controls. To do so, launch Google Play on your child’s smartphone, open up the menu, and tap on Settings → Parental Controls.

Enter a PIN — something easy for you to remember but hard for your child to guess. The requirement to enter a PIN prevents your child from disabling the controls. After entering the PIN, you can select age restrictions for games, films, and music separately.

Control Internet use

To prevent unsupervised Internet use — and gain better control over mobile data usage — start by disabling mobile data use both in the settings of your child’s smartphone and using your mobile service provider’s self-service options. After that, use the smartphone’s settings to join your home Wi-Fi network. Now it’s up to you to monitor that use inside the home, of course.

Disabling mobile data should help keep the child online only at home. True, free Wi-Fi can be had in a library or at a friend’s home, but I’ll address that later in the post.

By the way, when buying a SIM card for your child, ask the carrier about special plans and options for children — these plans and options usually include additional features for keeping children safe.

Limit time and restrict content

Sure, the games installed on your child’s smartphone are intended for children, but still, stay alert. Children can spend endless time mine crafting and launching angry birds. Limiting gaming duration with Android’s built-in tools is problematic; therefore, look to dedicated apps such as Kaspersky Safe Kids.

The Safe Kids app’s many features include location and social-network controls, but here we are interested mainly in defining restrictions on launching apps and making the Internet safe to use. To use it, install Safe Kids on both a parent’s and the child’s smartphones. Set the modes, child mode for the child’s smartphone and parent mode for yours.

The child’s app has almost no settings for you to worry about — just install the app according to the instructions and grant it administrator rights.

You’ll have a bit more to do for the app on your own smartphone: you will need to set up a PIN for Safe Kids, check its settings, and enable options. The crucial ones are the ability to filter unwanted websites and app restriction by category and age, which are located in the Internet and Applications subsections respectively.

Now, let’s restrict the amount of time the child can spend at the display. You can allot, for example, 15 minutes, 1 hour, 2 hours, or more. After that, the smartphone will be able to make and receive calls, but most of the other apps will be blocked with a notification that time is up.

If your child doesn’t tend to spend too much time on pictures and SMS messages, then we can take the opposite tack and assign an amount of time allowed in specific apps, such as games. At the same time, we can completely block access to some apps, such as any browser other than Google Chrome and Android’s built-in browser (which are protected by Safe Kids’ content filter; other browsers may have access to unwanted websites).

Set up additional security

Safe Kids provides comprehensive parental control, including protection against its own deletion, and the recent update has brought one more useful feature: restricting access to the smartphone’s own settings. It’s worth doing to make sure your child will not be able to connect to unknown Wi-Fi networks, reset the system time, or mess with settings in some other way you didn’t predict.

I personally used to recommend an app called Smart Applock for that purpose, but now that Safe Kids has this feature I suggest using it and not installing additional software to execute this task.

One last setting: the lock screen. Enable a lock screen to protect the smartphone from classmates and others who might find it. You can do that through Settings → Security or Settings → Lock screen. Work with your child to ensure he or she is comfortable entering the PIN or pattern that unlocks the phone. Also, set the lock screen to display a simple contact message or just your phone number in case it goes missing and a stranger finds it.

Software and settings aren’t a substitute for ongoing parental guidance. Get involved with your child’s smartphone usage. Talk about surfing, gaming restrictions, and all that, but expect that your child will find ways around your “smartphone usage plan” — and adapt as needed.

GPS spoofing: What it is and how to stay protected
https://www.kaspersky.com/blog/gps-spoofing-protection/26837/
Fri, 03 May 2019 13:00:47 +0000

Driving downtown, you glance at your navigation app and see that it thinks that you are at the airport. A bit unsettling, no doubt. This is not a made-up situation; it’s a real example of GPS spoofing — that is, the shift of GPS coordinates using a fake (but stronger) GPS signal from the ground that drowns out the one from the satellite.

Who’s doing it and why is a bit of a mystery, but this trick has numerous practical uses — from hijacking drones to interfering with yacht and tanker navigation systems. The only good news is that protection solutions are beginning to appear, albeit slowly.

For those in a hurry, here are the basic facts of GPS spoofing:

  • GPS spoofing involves an attempt to deceive a GPS receiver by broadcasting a fake GPS signal from the ground. All navigators in the vicinity start showing the wrong location.
  • GPS spoofing can be used to hijack UAVs and cars, or confuse taxi drivers, drones, and sailors.
  • GPS spoofing tools are quite affordable — a few hundred dollars will buy everything required.
  • Anti-GPS spoofing technology is being developed, but mainly for large systems, such as maritime navigation.
  • The simplest (if inconvenient) way to protect your smartphone or tablet is to switch it to “battery-saving location mode,” whereby only Wi-Fi and cellular networks are used to determine your location, and GPS is disabled (this mode is unavailable on some devices).

And now some details for those wishing to dig a little deeper.

How GPS spoofing works

To understand why GPS can be faked at all, recall the general principles of satellite navigation. Here’s how it works: Suspended above the Earth in geostationary orbit are several satellite systems. They are American GPS, European Galileo, Russian GLONASS, and Chinese BeiDou.

Each satellite transmits a continuous radio signal containing the satellite code and the precise signal transmission time. Your phone or other navigator does not transmit anything at all, but simply receives these radio signals from space. By analyzing the exact receipt time of each signal, it is possible to calculate the distance from the GPS receiver to each of the satellites.

With a bit of math and a comparison of several such signals (at least three, but the more the merrier), the receiver can determine its precise location relative to the satellites. And because the coordinates of the satellites are known and unvarying, doing this calculation makes it possible to work out the location of the GPS receiver on the Earth’s surface.

The problem is that the satellite signals are attenuated by the time they hit terra firma — and the antennas of most receivers are not particularly sensitive. Therefore, just by siting a fairly powerful radio transmitter nearby and broadcasting a fake but technically sound GPS signal from it, it is easy to drown out the satellites and cause all GPS receivers in the area to compute the wrong coordinates.

At the same time, the receivers lack the technical means to determine the direction of the signal, so they do not know that the signal is coming from a completely different source. Even worse, GPS spoofing equipment is very inexpensive (about $300), and all of the programs needed are generally free. In other words, it’s not some complicated stuff accessible only by military or special services — almost anyone can do it.

Do-it-yourself GPS spoofing equipment

Stephan Gerling talks about DIY equipment for GPS spoofing at the Security Analyst Summit

Who needs to spoof GPS — and why?

Some known cases of hacking GPS systems are linked to research projects (for example, yacht hijacking — how do you like that?), poaching, and, most likely, military operations. As autonomous systems such as drones and unmanned vehicles develop, the list will undoubtedly grow. There have also been media reports on the hijacking of military UAVs, which suggests that the situation with civilian drones is unlikely to be any better.

How to protect against GPS spoofing

Although the problem has been known for some time, there is a major obstacle to developing protection measures — the key equipment is in space and will not be replaced right away. GPS satellites emit what they emit, and no one can add standard protection tools, such as encryption and certificates, to the signals. Security measures so far have been more experimental in nature and not for large-scale application.

One approach (which in addition to working against spoofing also provides more stable signal reception) is based on the use of multiantenna receiver configurations (2×2) and beamforming technology. This combination not only filters out noise and interference, but also can be used to determine the direction from which a signal is coming.

This technique makes it easier to distinguish a fake satellite signal from a real one. So far, such installations for GPS exist only as relatively large experimental prototypes, but going forward they could be implemented in more compact equipment. This will not be as difficult or costly as it seems; similar technologies are already used in 4G and 5G cellular networks.

Another approach uses a commercial solution that is already available but deployed only for fairly large GPS receivers (for example, on sea vessels): the so-called GPS firewall. This device is installed between the GPS receiver and its external antenna. It continuously matches the GPS signal against a set of rules to try to cut out false signals, so that only the true one reaches the receiver.

Makers of smartphone chips may someday be able to embed something like a GPS firewall directly in devices’ sat nav receivers, but it will be a few more years before it happens. Some high-profile hijackings may unfortunately be necessary to create hype and thus market demand.

In the meantime, if at some point you find your sat nav app stubbornly insisting that you are at the airport when in fact you are stuck in traffic downtown, try the following life hack: Switch the device to “battery-saving location mode.” In this mode, satellite navigation is not used at all and geolocation is based on Wi-Fi networks and cellular base stations. The accuracy is poor, but it’s better than nothing. There is no such mode in iOS, unfortunately, but Android users can usually activate it by going to Settings → Security & Location → Location → Mode → Battery saving.

Battery saving location mode in Android 8
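A software analogue of the rule matching and the Wi-Fi/cell fallback described above, as an added example that is not from the original post and does not describe how any commercial GPS firewall works. It rejects satellite fixes that imply an impossible speed or that disagree with the network-based location; the thresholds, names, and coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000
MAX_SPEED_MPS = 70.0         # assumed ceiling for a road vehicle (about 250 km/h)
MAX_NETWORK_GAP_M = 5_000.0  # assumed tolerance against the Wi-Fi/cell estimate


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since the start of the track
    lat: float  # degrees
    lon: float  # degrees


def distance_m(a, b):
    """Great-circle (haversine) distance between two fixes, in metres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def check_fix(prev_good, gnss, network=None):
    """Return the rules a satellite fix violates; an empty list means plausible."""
    reasons = []
    if prev_good is not None:
        dt = gnss.t - prev_good.t
        if dt <= 0:
            reasons.append("non-increasing timestamp")
        elif distance_m(prev_good, gnss) / dt > MAX_SPEED_MPS:
            reasons.append("implied speed too high")
    if network is not None and distance_m(gnss, network) > MAX_NETWORK_GAP_M:
        reasons.append("disagrees with network location")
    return reasons


def filter_track(gnss_fixes, network_fixes):
    """Keep plausible fixes; a rejected fix never becomes the reference point."""
    accepted, rejected, prev_good = [], [], None
    for gnss, net in zip(gnss_fixes, network_fixes):
        reasons = check_fix(prev_good, gnss, net)
        if reasons:
            rejected.append((gnss, reasons))
        else:
            accepted.append(gnss)
            prev_good = gnss
    return accepted, rejected


# Constructed sample: a car crawling through a city centre, with one fix that
# jumps roughly 27 km to an airport-like location and then snaps back.
SAMPLE_GNSS = [Fix(0, 55.7558, 37.6173), Fix(10, 55.7560, 37.6180),
               Fix(20, 55.9726, 37.4146), Fix(30, 55.7563, 37.6195)]
SAMPLE_NETWORK = [Fix(0, 55.7560, 37.6170), Fix(10, 55.7561, 37.6178),
                  Fix(20, 55.7561, 37.6185), Fix(30, 55.7563, 37.6190)]

if __name__ == "__main__":
    ok, bad = filter_track(SAMPLE_GNSS, SAMPLE_NETWORK)
    print(len(ok), "accepted;", [(f.t, why) for f, why in bad])
```

Because the rejected fix is never used as the reference point, the track recovers as soon as plausible fixes return.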

WhatsApp for Android and chat backups | Kaspersky official blog https://www.kaspersky.com/blog/whatsapp-backup-google-drive/23627/ Tue, 28 Aug 2018 11:05:52 +0000 https://www.kaspersky.com/blog/?p=23627

On November 12, WhatsApp and Google will delete Android users’ old WhatsApp chat backups stored in Google Drive. Chat history and backups in the phone memory will not be affected — those are safe. WhatsApp users on iOS don’t need to worry; their backups are stored in iCloud.

WhatsApp for Android will back up your chats to Google Drive free of charge, but it may hurt older backups. Here we answer key questions on WhatsApp backups security and privacy.

1. What does Google store?

WhatsApp for Android can back up its data to Google Drive on a regular basis. These copies may include just text, or text, photos, and videos, depending on the setup. The feature is nothing new; backup has been working like this for years. Take a look in Menu -> Settings -> Chats -> Backup to check if you have backup to Google Drive configured.

2. What changes on November 12?

Any file takes up space in Google Drive, reducing your remaining storage quota. However, Facebook, which owns WhatsApp, and Google have agreed not to count WhatsApp backups toward the quota. So, you will be able to store more data in your Google Drive.

3. And what is getting removed?

If you haven’t backed up to Google Drive for a long time, and automatic backup is off in your WhatsApp, your old (two years and older) copies will be removed automatically. To stay safe, you need to back up your WhatsApp data manually at least once before November 12.

4. What happens if I lose my WhatsApp chat history backup?

If you install WhatsApp on a new phone, you will still be able to chat with your friends, and you will retain membership in your chats, but you will not be able to see your chat history.

5. What are the risks?

Some risk has always been there and will remain. Chats stored in WhatsApp are encrypted, and only chat members can read them, whereas backups on Google servers lack that protection: The data stored there is openly accessible. Therefore, that kind of backup is a potential threat to your privacy.

6. I want to have a backup of my chats, but not in Google! What should I do?

WhatsApp can back up to a phone’s memory. That backup can be used for transferring your chats to a new phone or restoring after WhatsApp is reinstalled. You will lose it, though, if you lose your phone. So, you would have to copy data manually from your memory card (/sdcard/WhatsApp/) to a computer or encrypted cloud service.

7. Isn’t there an easier way?

Google Play offers dozens of apps for backing up WhatsApp data. Unfortunately, none of them are made by well-known app developers, and many require root access. These apps may not be safe to install; you could easily let in a nasty Trojan disguised as a backup app. At the very least, we recommend you download highly rated, frequently downloaded apps only. We also advise you to take care of your smartphone's malware protection.

Free coffee, taxi spying, and an airport security hole | Kaspersky official blog https://www.kaspersky.com/blog/small-hacks-sas2018/21606/ Tue, 20 Mar 2018 15:10:22 +0000 https://www.kaspersky.com/blog/?p=21606

News websites often feature stories about computer errors and vulnerabilities used to perpetrate sophisticated large-scale incidents like last year’s WannaCry and NotPetya attacks. But experts know that most successful hacks and cracks are the result of very basic blunders by system developers or installers.

Incorrectly configured systems are everywhere, and only a few hours separate the moment when a hacker first sniffs out such a system and its total surrender to the human intellect. Speaking at the Security Analyst Summit 2018, Israeli researcher Inbar Raz gave a host of examples confirming this sad fact.

Free coffee

Many coffee shop loyalty cards work as follows: the customer receives a card, tops it up like a bank card, and then uses it to pay in the café, earning bonuses for large or frequent purchases. The customer can check the balance on the coffee chain’s website by entering the card number.

Having got hold of such a card for himself, Inbar Raz noted that the website lets users check cards with any number as many times as they like. So, using a tiny program that took him half an hour to write, Raz went through a bunch of different card numbers and identified ones that were topped up with plenty of cash.

Next, after reading the magnetic strip of his card with a cheap USB reader, Raz found that the number had been written to the card in unencrypted form, and the only security was a control bit that was quite easy to compute. The task of replacing the number on the card’s mag stripe with one of the numbers found in the previous step and using someone else’s funds was child’s play.

Ethically minded, Raz proved the concept in practice by buying another card, topping it up, and writing its number to the first card. It worked. In theory, an eagle-eyed café employee could still spot the deception by comparing the number printed on the card with the one on the receipt. But in practice, that ain’t gonna happen. So, it’s basically unlimited free coffee for the hacker — and perhaps a muffin for good measure.

Uber-style tracking

A while back, Uber was hit by a scandal involving claims that employees had misused the mobile app to track high-profile passengers.

It turns out that other taxi services let you do it without the hassle of having to work for them. Inbar Raz discovered that when a taxi is booked online, its status can be tracked using the contact phone number — and as in the free coffee case, there is no protection against brute-force searches.

He wrote a small number-busting program and ended up with a handy map indicating the addresses of all recent taxi orders for this service.

Airport (in)security

Standard free Wi-Fi sometimes harbors hidden surprises. In the business lounge of one East European airport, Inbar Raz decided to check out the configuration of the local access point.

The router settings, he found, could be opened at the standard Web address with no need for an administrator password. Having studied the settings, Raz realized it wasn’t simply a guest access point, but the airport’s main router with vital dispatch and security systems hooked up to it. These services could be disabled by anyone with a laptop or even a smartphone.

Programmers and system administrators, take heed. Don’t assume that your little café (or taxi service, or airport) is too niche for hackers. Standard settings, simple passwords like “admin” or “12345,” and no CAPTCHA or other measures against automated attacks are the most common security faux pas, and the simplest way in for intruders. Even lowly hackers can exploit them. And guys like Inbar Raz — people who responsibly disclose vulnerabilities to you instead of exploiting them for their own profit — are few and far between.
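The missing control in both the loyalty-card balance check and the taxi status lookup is a limit on how many different identifiers one client may query. The sketch below is an added example, not code from the post or from either service: it caps distinct identifiers per client in a sliding window, with the thresholds, the log format, and the choice of source address as the client key all being assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 3600        # assumed look-back window, in seconds
MAX_DISTINCT_IDS = 3   # assumed: a real customer checks very few cards or bookings


class LookupGuard:
    """Sliding-window limit on distinct identifiers queried per client."""

    def __init__(self, window_s=WINDOW_S, max_distinct=MAX_DISTINCT_IDS):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self._history = defaultdict(deque)  # client -> deque of (ts, identifier)

    def allow(self, client, identifier, ts):
        """Record the lookup; return False once the client is over budget."""
        hist = self._history[client]
        while hist and ts - hist[0][0] > self.window_s:
            hist.popleft()                  # forget lookups outside the window
        distinct = {ident for _, ident in hist}
        if identifier not in distinct and len(distinct) >= self.max_distinct:
            return False                    # a new identifier over the limit
        hist.append((ts, identifier))       # repeat checks of known ids are fine
        return True


def replay(log_lines, guard=None):
    """Feed '<epoch> <client> <identifier>' lines through the guard.

    Returns {client: number of refused lookups} for clients with refusals.
    """
    guard = guard or LookupGuard()
    denied = defaultdict(int)
    for line in log_lines:
        ts, client, identifier = line.split()
        if not guard.allow(client, identifier, int(ts)):
            denied[client] += 1
    return dict(denied)


# Constructed sample log: one customer re-checking a single card, and one
# client walking through consecutive card numbers.
SAMPLE_LOG = [
    "0 198.51.100.20 card-1001",
    "30 198.51.100.20 card-1001",
    "100 203.0.113.7 card-2000",
    "101 203.0.113.7 card-2001",
    "102 203.0.113.7 card-2002",
    "103 203.0.113.7 card-2003",
    "104 203.0.113.7 card-2004",
    "105 203.0.113.7 card-2005",
    "4000 203.0.113.7 card-2006",
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```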

Microsoft services as a weapon | Kaspersky official blog https://www.kaspersky.com/blog/services-as-a-weapon/17971/ Mon, 14 Aug 2017 17:06:24 +0000 https://www.kaspersky.com/blog/?p=17971

Hackers have gone big with the exploitation of legitimate software. Several reports at the Black Hat 2017 conference demonstrated that Microsoft enterprise solutions could be quite useful in an attacker’s hands.

Companies that use hybrid clouds need to adopt different security considerations than those that use traditional cloud systems. However, in practice they are not updating fast enough, and that results in numerous security blind spots that attackers can exploit, as was demonstrated in July at the hacker conference Black Hat 2017. Studies showed how a typical office infrastructure can actually help attackers remain invisible to the majority of security solutions.

Once financially motivated hackers have infiltrated a corporate network, their greatest difficulty is achieving covert data exchange among infected machines. Essentially, their goal is to have infected machines receive commands and transmit stolen information without alerting intrusion detection systems (IDS) and data loss prevention (DLP) systems. Helping such attackers, Microsoft services sometimes do not work under security zone restrictions, so the data transmitted by these services is not scanned deeply enough.

A study by Ty Miller and Paul Kalinin of Threat Intelligence shows how bots can communicate through Active Directory (AD) services on a corporate network. Because all clients — including mobile ones — on a network, and the majority of servers, must access AD for authentication, an AD server is the “central communication point,” which is very convenient for managing a botnet. Moreover, the researchers say that integration of Azure AD with an enterprise AD server grants direct access to a botnet from the outside.

How can AD assist in managing a botnet and extracting data? The concept is very simple. By default, each client on the network can update its information — for example, the user’s telephone number and e-mail address — on the AD server. The write-enabled fields include high-capacity ones that can store up to a megabyte of data. Other AD users can read all of this information, thus creating a communication channel.

Researchers recommend monitoring AD fields for periodic, unusual changes and disabling users’ ability to write to most fields.
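One way to act on the monitoring recommendation, as an added example that is not from the researchers or from Microsoft: given attribute-change records already exported from directory audit logs, flag fields that receive unusually large values or are rewritten at near-constant intervals. The record format, the thresholds, and the placeholder attribute name `attr-large` are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MAX_VALUE_BYTES = 4096  # assumed: contact fields rarely need more than this
MIN_EVENTS = 4          # assumed minimum number of writes before judging rhythm
MAX_JITTER = 0.10       # assumed: stdev/mean of the gaps at or below this = periodic


def parse(line):
    """Constructed record format: '<epoch> <object> <attribute> <bytes>'."""
    ts, obj, attr, size = line.split()
    return int(ts), obj, attr, int(size)


def find_suspicious(lines):
    """Return sorted (object, attribute, reason) tuples for an analyst to review."""
    findings = set()
    times = defaultdict(list)  # (object, attribute) -> write timestamps
    for ts, obj, attr, size in map(parse, lines):
        times[(obj, attr)].append(ts)
        if size > MAX_VALUE_BYTES:
            findings.add((obj, attr, "oversized value"))
    for (obj, attr), stamps in times.items():
        if len(stamps) < MIN_EVENTS:
            continue           # too few writes to say anything about rhythm
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
            findings.add((obj, attr, "periodic writes"))
    return sorted(findings)


# Constructed sample: two ordinary contact-detail edits, and one object whose
# placeholder high-capacity field is rewritten about every 300 seconds.
SAMPLE_CHANGES = [
    "1000 user-a telephoneNumber 12",
    "1500 user-b mail 24",
    "2000 user-c attr-large 812000",
    "2300 user-c attr-large 640",
    "2601 user-c attr-large 655",
    "2899 user-c attr-large 702",
    "3200 user-c attr-large 690",
    "90000 user-a telephoneNumber 12",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_CHANGES):
        print(finding)
```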

A study by Craig Dods of Juniper Networks sheds light on another technique for covert data extraction, using Office 365 services. The most popular among the techniques employs OneDrive for Business, which almost 80% of Microsoft Online Services clients use. Hackers like it because corporate IT guys usually trust Microsoft servers, allowing high-speed connections to them and skipping decryption for uploads. As a result, a hacker’s task comes down to connecting a OneDrive disk on a targeted computer by using other, non-enterprise-user credentials. In that case, copying data to OneDrive is not considered an attempt to leave the perimeter, so security systems assume that the connected disk is an enterprise one. The disk can be connected in invisible mode, lowering the chances of detection. The attacker needs two more Microsoft tools for that, namely Internet Explorer and PowerShell. As a result, a bot can freely copy data to “its own” disk, and the attacker can simply download it from OneDrive.

According to Dods, to stay protected against such an attack, users need to restrict access to allow only enterprise Office 365 subdomains that belong to the company. Running a deep inspection of encrypted traffic and analyzing the behavior of PowerShell scripts in a sandbox is also recommended.

Do take into account that both of these threats are still only hypothetical. To use the technologies, cybercriminals have to start by infiltrating a victim’s infrastructure — somehow. Once they do that, however, their activity will be undetectable not only to the majority of up-to-date security solutions but to the unprepared observer as well. That is why it makes sense to analyze IT infrastructure for vulnerabilities periodically. We, for example, have a whole set of expert services for analyzing what goes on in your infrastructure from the perspective of information security — and, if necessary, checking the system for intrusion.

Chief security officer of Facebook: Solving real security problems and avoiding the fancy ones | Kaspersky official blog https://www.kaspersky.com/blog/stamos-on-security/17935/ Tue, 08 Aug 2017 13:00:00 +0000 https://www.kaspersky.com/blog/?p=17935

During his opening talk at the Black Hat 2017 conference, Alex Stamos, Facebook’s chief security officer, talked about preventing actual damages and being OK with compromises — things that every information security specialist should be doing. This CSO at Facebook is no slouch: His team has been protecting a really complex IT system and 2 billion users’ worth of data.

According to Stamos, the security industry suffers from several adolescent problems, the main one being nihilism. That means specialists prefer to focus on “fancy,” technically complex security problems and vulnerabilities, not on the ones that cause real damage and jeopardize a large number of people. Those specialists also tend not to accept any compromises and make information security their only goal, at the same time assuming everyone will fall victim to the most dreadful attacks from the most dangerous threat actors.

One of the most remarkable examples Stamos gave was the WhatsApp “backdoor” that wasn’t actually a backdoor. To make secure encryption available to 1 billion WhatsApp users, the development team made a reasonable decision on how to inform chat partners that one of them has just received a new encryption key. In this situation, an additional notification appears in chat, and no action is required from the chat partners to carry on with their conversation.

Information security nihilists assumed that this was a backdoor created for special services so that they could attack the chat and get access to the conversation history. However, its purpose is actually the opposite, allowing people to continue their conversation after one chat partner changes their smartphone or reinstalls WhatsApp. And it is used that way far more often than by spec ops.

The WhatsApp example brings together all of those nihilistic aspects: assuming all users are supposed to study the encryption system and compare encryption keys between conversation partners and that each of the users will be closely watched by special services, which will certainly attack their Internet traffic with a complex variation of a man-in-the-middle attack. The paranoiameter just went off the scale.

The attention to the most complex attacks and the most labor-intensive security measures distracts specialists from problems that cause real damage. Stamos presented a “threat pyramid” diagram with a barely visible point at the top representing zero-day vulnerabilities and complex government-sponsored attacks. The rest of the pyramid is taken up by “mundane” problems related to password and personal-data theft (including banking data), phishing, financial threats, and social engineering.

Stamos recommends not being afraid of trade-offs when solving these problems. If a solution is imperfect or partially effective but 10 times as many people will implement it, then it is much better than the solution that protects just a few of the most advanced users, leaving the rest completely unprotected.

Great minds think alike, and that’s why we at Kaspersky Lab have been following these recommendations since before Stamos’ talk. Thanks to our recently announced free antivirus, Kaspersky Free, high-quality protection against phishing, banking Trojans, and other “boring” threats has become available for everyone who has a computer. At the same time, Kaspersky Internet Security for Android, which is also available free, will protect the billion users who will become part of the Internet population during the next decade and will be primarily using mobile devices.
