How carmakers sell driver data to insurers | Kaspersky official blog

Early in the movie “The Fifth Element”, there is a sequence that shows the dystopian nature of the future world: Korben Dallas’s smart taxi fines him for a traffic violation and revokes his license. Back in 1997, this seemed like science fiction – and it was. Today it’s turning into reality. But first things first.

Not so long ago, we looked at the potential dangers associated with the amount of data modern vehicles collect about their owners. Then, even more recently, an investigation revealed what this might mean in practice for drivers.

It turns out that carmakers, through specialized data brokers, are already selling telematics data to insurance companies, who are using it to raise the cost of insurance for careless drivers. Most alarming of all, however, is that car owners are often kept in the dark about all of this. Let’s investigate further.

Gamification of safe driving with far-reaching consequences

It all started in the US when owners of General Motors vehicles (parent company of the Chevrolet, Cadillac, GMC, and Buick brands) noticed a sharp rise in their auto insurance premiums compared to the previous period. The reason, it transpired, was the practice of risk profiling by data broker LexisNexis. LexisNexis works with auto insurers to supply them with driver information, usually about accidents and traffic fines. But vehicle owners hit by the premium hike had no history of accidents or dangerous driving!

The profiles compiled by LexisNexis were found to contain detailed data on all trips made in the insured vehicle, including start and end times, duration, distance and, crucially, all instances of hard acceleration and braking. And it was this data that insurers were using to increase insurance premiums for less-than-perfect drivers. Where did the data broker get such detailed information?

From General Motors’ OnStar Smart Driver. That is the name of the “safe driving gamification” feature built into General Motors vehicles and the myChevrolet, myCadillac, myGMC, and myBuick mobile apps. The feature tracks hard acceleration and braking, speeding, and other dangerous events, and rewards “good” driving with virtual awards.

The OnStar Smart Driver safe driving gamification feature is built into the myChevrolet, myCadillac, myGMC, and myBuick mobile apps by General Motors.

What’s more, according to some car owners, they didn’t enable the feature themselves – the car dealer did it for them. Crucially, neither General Motors’ apps nor the terms of use explicitly warned users that OnStar Smart Driver data would be shared with insurance-related data brokers.

This lack of transparency extended to the privacy statement on the OnStar website. While the statement mentions the possibility of sharing collected data with third parties, insurers are not specifically listed, and the text generally aims for maximum vagueness.

Along the way, LexisNexis was discovered to be working with three other automakers besides General Motors – Kia, Mitsubishi, and Subaru – all of which have similar safe driving gamification programs under names like “Driving Score” or “Driver Feedback”.

According to the LexisNexis website, the companies that work with the data broker include General Motors, Kia, Mitsubishi, and Subaru.

At the same time, another data broker – Verisk – was found to be providing telematics data to car insurers. Its automotive clients include General Motors, Honda, Hyundai, and Ford.

Another broker, Verisk, lists General Motors, Honda, Hyundai, and Ford in its telematics sales service description.

As a result, many drivers found themselves, in effect, locked into a car insurance policy with costs based on driving habits. It’s just that such programs used to be voluntary, offering a basic discount for participation – and even then, most drivers opted out. Now it appears that carmakers are enrolling customers not only without their consent, but without their knowledge.

According to available information, this is currently only happening to drivers in the US. But what starts in the States usually migrates, so similar practices may soon appear in other regions.

How to protect yourself from data-hungry cars

Unfortunately, there is no silver bullet to stop your automobile from harvesting data. Most new vehicles already come with built-in telematics collection as standard, and their share is only going to grow: in a year or two, such cars will make up more than 90% of the market. Naturally, the maker of your car won’t make it easy, or even possible, to turn off telematics.

If you’re prepared to tackle the fact that your car collects data on you for third parties (in plain words, spies on you), read our post with detailed tips on how you can try to get rid of surveillance by carmakers. Spoiler alert: it’s not easy and requires careful study of the documentation, as well as sacrificing some of the benefits of connected cars, so these tips won’t work for everyone.

As for the scenario described in this post of selling driver data to insurers, our advice is to search the in-vehicle menu and mobile app for a safe driving gamification feature and disable it. It may be called “Smart Driver”, “Driving Score”, “Driver Feedback”, or something similar. US-based drivers are also advised to request their data from LexisNexis and Verisk to be prepared for nasty surprises, and to see if it’s possible to delete information that has already been collected.

Kaspersky official blog – Read More

Critical vulnerabilities in Telit Cinterion modems | Kaspersky official blog

Several serious vulnerabilities have been discovered in Telit Cinterion cellular M2M modems, including the possibility of remote arbitrary code execution (RCE) via SMS messages. These modems are used in millions of different devices and systems, both in the consumer market segment (payment terminals, ATMs, cars) and in industries such as healthcare, finance, telecommunications, manufacturing and so on. We’ll tell you about the detected vulnerabilities and how you can protect yourself from them.

Critical vulnerabilities in Cinterion modems

In total, Kaspersky ICS-CERT experts discovered seven zero-day vulnerabilities in Telit Cinterion modems:

CVE-2023-47610 / KLCERT-23-018: An attacker can achieve remote code execution (RCE) on the system by sending specially crafted SMS messages.
CVE-2023-47611 / KLCERT-22-216: Allows an attacker with low privileges on the system to elevate them to “manufacturer” level.
CVE-2023-47612 / KLCERT-22-194: An attacker with physical access to the device has the ability to read and write any files and directories on the system, including those that are hidden.
CVE-2023-47613 / KLCERT-22-211: Allows an attacker with low privileges on the system to escape a virtual directory and gain read and write access to protected files.
CVE-2023-47614 / KLCERT-22-210: Allows an attacker with low privileges on the system to disclose hidden virtual paths and filenames.
CVE-2023-47615 / KLCERT-22-212: Allows an attacker with low privileges on the system to gain unauthorized access to sensitive data.
CVE-2023-47616 / KLCERT-22-193: An attacker with physical access to the device has the ability to gain unauthorized access to sensitive data.

The most dangerous is the first vulnerability on this list (CVE-2023-47610). Among other things, it allows attackers to manipulate the modem’s memory and flash drive, ultimately giving them complete control over the system. Furthermore, this attack does not require physical access to the device or authentication.

Which devices have the described vulnerabilities?

All of the vulnerabilities mentioned above, from CVE-2023-47610 to CVE-2023-47616, affect the following list of cellular IoT modems:

Cinterion BGS5
Cinterion EHS5/6/8
Cinterion PDS5/6/8
Cinterion ELS61/81
Cinterion PLS62

Information about the vulnerabilities in these products was communicated in advance to Cinterion, the manufacturer of the modems.

It should be noted that the Cinterion modem line has changed hands several times. The Cinterion company was acquired by Gemalto in 2010. In 2019, Gemalto was absorbed by Thales. Finally, in 2023, Thales sold the Cinterion modem line to Telit, resulting in Telit Cinterion.

It’s extremely difficult at this stage to compile a complete list of end products affected by these vulnerabilities. Manufacturers rarely disclose the component base used in their products, and cellular modem chips are often not directly integrated into end devices, but are parts of other components. What you end up with is multistage nesting – one supplier uses another supplier’s solutions in their product, that supplier uses a third, and so on down the chain. As a result, it is not easy even for the manufacturer of the end device to determine which chip performs the modem functions.

In the near future, our experts plan to publish a detailed technical report on the security of Telit Cinterion modems on the Kaspersky ICS-CERT website.

We are now communicating with the manufacturers of those products known to use vulnerable modems.

If you are aware of such products, please notify us at ics-cert@kaspersky.com. We will try to contact the manufacturers and provide them with a modem vulnerability report so that they can assess the impact of the vulnerabilities on the security of their products and plan mitigation measures.

How to protect yourself from the described vulnerabilities

To protect against the most dangerous of the discovered vulnerabilities (CVE-2023-47610), Kaspersky ICS-CERT experts recommend the following measures:

Disable SMS delivery to affected devices (this can be done by the telecom operator).
Use a private access point name (APN) with strict security settings.

For the other vulnerabilities (from CVE-2023-47611 to CVE-2023-47616), Kaspersky ICS-CERT experts advise doing the following:

Enforce application signature verification to prohibit installation of untrusted MIDlets on the device.
Strictly control physical access to the vulnerable devices.
Install updates and perform regular security audits.


Defending against popular cyberattack techniques in 2024

Recent reports by Kaspersky experts on the statistics of Managed Detection and Response (MDR) and Incident Response (IR) services for 2023 reveal that most observed cyberattacks employ a handful of techniques that are repeated time and again. These techniques are seen both in attacks that are fully executed and cause damage, as well as in incidents that are stopped in their early stages. We decided to list these techniques based on the ATT&CK framework and summarize expert recommendations for neutralizing them. The frequency of use for each technique and specific examples can be found in the reports themselves.

Exploiting public-facing applications

ATT&CK Technique: T1190, Tactic: TA0001 (Initial Access)
What it is: Exploiting vulnerabilities in one of the organization’s applications that is accessible from the internet. Web servers, Exchange servers, database servers, and VPN access points are the most popular targets. Attackers also actively seek out and exploit publicly accessible IT infrastructure control panels – from SSH servers to SNMP.

How to protect yourself: Prioritize updating software at the network perimeter and use additional security measures for perimeter services. Close control ports to external access. Regularly scan the external perimeter for vulnerabilities and for applications that have accidentally been granted external access, and revoke it. Install EDR agents and security tools, including on application servers.
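One concrete form of the “scan the perimeter for applications accidentally granted external access” advice is to diff what an external scan actually finds against an inventory of what is supposed to be exposed. The following is an added example, not code from the Kaspersky post: the allowlist, the hosts and the scan lines (written in the layout of nmap’s grepable `-oG` output) are all constructed for illustration.

```python
"""Compare an inventory of services that are *supposed* to be reachable from
the internet with what an external scan actually found, so that accidentally
exposed control ports (SSH, SNMP, RDP, database listeners) are flagged.
Added example; the scan output below is constructed in nmap's -oG layout and
the hosts and allowlist are hypothetical."""
import re
from collections import defaultdict

# Hypothetical allowlist: for each public host, the ports expected to be open.
EXPECTED_EXPOSURE = {
    "203.0.113.10": {443},          # web server: HTTPS only
    "203.0.113.20": {443, 25},      # mail / Exchange front end
    "203.0.113.30": {1194},         # VPN access point
}

# Control-plane and database ports that should never face the internet.
CONTROL_PORTS = {22: "ssh", 161: "snmp", 3389: "rdp", 5900: "vnc",
                 1433: "mssql", 3306: "mysql", 5432: "postgresql"}

# Constructed scan output (nmap -oG style); not a real scan result.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///
Host: 203.0.113.30 ()\tPorts: 1194/open/udp//openvpn///, 161/open/udp//snmp///
Host: 203.0.113.40 ()\tPorts: 5432/open/tcp//postgresql///
"""

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text):
    """Return {host: {open port numbers}} from nmap -oG style lines."""
    found = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for port, _proto in PORT_RE.findall(line):
            found[host].add(int(port))
    return dict(found)


def find_unexpected_exposure(scan, expected=EXPECTED_EXPOSURE, control=CONTROL_PORTS):
    """List (host, port, reason) for every open port that is not in the
    allowlist. Unknown hosts and control-plane ports are called out
    explicitly so they can be prioritised for removal or patching."""
    findings = []
    for host, ports in sorted(scan.items()):
        allowed = expected.get(host)
        for port in sorted(ports):
            if allowed is None:
                reason = "host not in exposure inventory"
            elif port in allowed:
                continue
            else:
                reason = "port not in inventory"
            if port in control:
                reason += f" (control port: {control[port]})"
            findings.append((host, port, reason))
    return findings


if __name__ == "__main__":
    for host, port, reason in find_unexpected_exposure(parse_grepable(SCAN_OUTPUT)):
        print(f"{host}:{port}  {reason}")
```

Run against a real scan, the inventory would live in version control so that every new exposure is a reviewable change rather than a surprise; anything reported with a control-port tag is the first thing to close.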

Phishing

ATT&CK Technique: T1566, Tactic: TA0001 (Initial Access)
What it is: Mass or targeted distribution of messages via email, SMS, and messaging apps designed to trick company employees into disclosing their credentials or downloading malicious content via a link.

How to protect yourself: Raise awareness among all company employees, conduct training sessions, use the latest security solutions for mail servers, and deploy EMM/UEM solutions to protect employees’ mobile devices, including personal ones.

Valid accounts compromised by attackers

ATT&CK Technique: T1078, Tactics: TA0001, TA0003, TA0004, TA0005 (Initial Access, Persistence, Privilege Escalation, Defense Evasion)

What it is: One of the most effective techniques employed by attackers. During initial network penetration, attackers use employee credentials obtained through purchased leaks or phishing. They then use domain and local accounts found on the compromised computer to develop the attack.

How to protect yourself: Implement phishing-resistant multi-factor authentication (MFA) methods, especially for privileged accounts. Adopt the principle of least privilege. Deactivate default accounts (such as “guest”), and for local administrator accounts, set a unique password for each computer. Use SIEM and XDR to detect anomalous user actions.

Brute force

ATT&CK Technique: T1110, Tactic: TA0006 (Credential Access)

What it is: Attackers can discover passwords for accounts of interest through brute-force attacks or password guessing based on known hashes. A variation of this attack is password spraying, where the same popular passwords are applied to a number of accounts in the hope of finding a user who chose such a weak password.

How to protect yourself: Implement password policies that prevent brute-force attacks and apply stricter policies to accounts where MFA cannot be enabled. Limit the number of login attempts across all systems and block the account if the number of attempts is exceeded. Configure SIEM monitoring rules to detect an overall increase in failed authentication attempts.

Trusted relationship

ATT&CK Technique: T1199, Tactic: TA0001 (Initial Access)

What it is: Compromising an organization through its partners and contractors. If a partner is hacked, attackers can use the discovered access points and tools to infiltrate the organization. In practice, hackers most often target IT subcontractors (MSPs, authentication providers, technical support specialists) with administrative access to the organization’s systems.

How to protect yourself: Regularly audit external access, revoke outdated permissions, apply the principle of least privilege to them, and implement strict password policies and MFA for such accounts. Use network segmentation to restrict external contractors to only the resources they need.

Command and scripting interpreter

ATT&CK Technique: T1059, Tactic: TA0002 (Execution)

What it is: In the vast majority of attacks, attackers need to execute their own code on compromised computers. To avoid attracting attention and using specialized malware, they often use legitimate scripting tools that are already installed on most corporate systems. The most popular of these is Microsoft PowerShell, but there are also attacks using scripts in Visual Basic, Python, and AutoIT, as well as basic Windows and Unix shells (cmd and sh/bash/zsh).

How to protect yourself: Use allowlisting to restrict the launch of applications not required on specific computers. Track the launch of script interpreters using XDR and EDR, but keep in mind that the detection logic must be continuously adjusted to the specifics of the organization’s IT infrastructure.

Account manipulation

ATT&CK Technique: T1098, Tactics: TA0003, TA0004 (Persistence, Privilege Escalation)

What it is: A wide range of changes that attackers make to accounts they have access to. These changes can include adding an account to privileged groups, enabling deactivated accounts, changing passwords, and modifying permissions for accounts and groups.

How to protect yourself: Apply the principle of least privilege, perform regular account inventories, revoke outdated permissions, and block or delete unnecessary accounts.

Exploitation of remote services

ATT&CK Technique: T1210, Tactic: TA0008 (Lateral Movement)

What it is: After compromising one of the computers on the network, attackers scan it for vulnerable applications in order to infect additional computers or gain elevated privileges on them. In 2023, old vulnerabilities in SMB v1 and Exchange Server were quite popular, confirming that IT services are not paying enough attention to fixing vulnerabilities.

How to protect yourself: Update client and server applications promptly, disable unnecessary services on all computers, and use network segmentation and the principle of least privilege to limit attackers’ capabilities even if they manage to exploit a vulnerability. Use security solutions that can detect and block attempts to exploit vulnerabilities.

Launching system services

ATT&CK Technique: T1569, Tactic: TA0002 (Execution)

What it is: In addition to using command shells, attackers often use the launch of system services to execute malicious tasks and establish persistence in the system. The undisputed leader here is PsExec, which can be used to execute a desired task on a remote Windows computer.

How to protect yourself: Use XDR or EDR systems that can track anomalous behavior of system services, configure policies to restrict low-privileged users from launching privileged services and installing system software.
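Several of the recommendations above come down to the same thing: watch a handful of Windows event types for patterns that legitimate administration rarely produces. The block below is an added example, not code from the Kaspersky reports or from any product; it runs a small rule set over constructed, simplified event records to surface brute force and password spraying (T1110, event 4625), additions to privileged groups (T1098, event 4728), script interpreter launches with typical obfuscation arguments (T1059, event 4688) and service installation, including the PSEXESVC service that PsExec creates on the remote host (T1569, event 7045). All host names, users, addresses and thresholds are hypothetical.

```python
"""Rule set over simplified Windows Security/System events. Added example:
event records are dicts constructed for illustration, not real log data;
a real deployment would feed the same checks from a SIEM or EDR."""
from collections import Counter, defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Arguments common in obfuscated or download-and-execute one-liners.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "iex ", "downloadstring")

# Constructed sample events (hypothetical hosts, users and addresses).
EVENTS = [
    # one source failing once against many accounts = password spraying
    *[{"id": 4625, "user": f"user{i:02d}", "src": "10.0.5.9"} for i in range(12)],
    # many failures against a single account = brute force
    *[{"id": 4625, "user": "svc_backup", "src": "10.0.7.3"} for _ in range(8)],
    {"id": 4728, "member": "jdoe", "group": "Domain Admins", "subject": "hr_temp"},
    {"id": 4728, "member": "asmith", "group": "Marketing", "subject": "it_admin"},
    {"id": 4688, "host": "WS-041", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},   # constructed blob
    {"id": 4688, "host": "WS-041", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"id": 7045, "host": "DC-01", "service": "PSEXESVC",
     "path": "%SystemRoot%\\PSEXESVC.exe"},
]


def detect_auth_abuse(events, spray_accounts=10, brute_attempts=5):
    """Brute force: many 4625 failures on one account.
    Password spraying: one source failing against many distinct accounts."""
    per_account = Counter()
    per_source = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            per_account[e["user"]] += 1
            per_source[e["src"]].add(e["user"])
    alerts = [("brute_force", user, n) for user, n in per_account.items()
              if n >= brute_attempts]
    alerts += [("password_spray", src, len(users)) for src, users in per_source.items()
               if len(users) >= spray_accounts]
    return alerts


def detect_privileged_group_adds(events, groups=PRIVILEGED_GROUPS):
    """4728: a member was added to a security-enabled global group."""
    return [(e["member"], e["group"], e["subject"]) for e in events
            if e["id"] == 4728 and e["group"] in groups]


def detect_suspicious_interpreters(events):
    """4688: a script host was launched with arguments typical of
    encoded, hidden-window or download-and-execute invocations."""
    hits = []
    for e in events:
        if e["id"] != 4688 or e["image"].lower() not in SCRIPT_HOSTS:
            continue
        cmd = e["cmdline"].lower()
        if any(a in cmd for a in SUSPICIOUS_ARGS):
            hits.append((e["host"], e["cmdline"]))
    return hits


def detect_service_installs(events):
    """7045: a new service was installed. PSEXESVC is the service PsExec
    creates on the remote host; any 7045 on a domain controller deserves a look."""
    return [(e["host"], e["service"], e["path"]) for e in events if e["id"] == 7045]


if __name__ == "__main__":
    for name, fn in [("auth", detect_auth_abuse),
                     ("groups", detect_privileged_group_adds),
                     ("scripts", detect_suspicious_interpreters),
                     ("services", detect_service_installs)]:
        for hit in fn(EVENTS):
            print(name, hit)
```

The thresholds are the part that must be tuned per organisation, as the text notes for script interpreters: a help desk that legitimately runs PowerShell with `-File` all day should not trip the rule, while an encoded command on a workstation almost always deserves a look.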

Bonus track: LOLBins

In most stages of an attack, attackers try to use legitimate IT administration tools to blend in with normal network activity and avoid detection. Some cases have already been described above (PowerShell, PsExec), but in a significant number of attacks, attackers also use AnyDesk for management and control, Advanced IP Scanner and SoftPerfect Network Scanner for network scanning, and security testing tools: Mimikatz for privilege escalation, and Cobalt Strike and Metasploit for lateral movement within the network. You can read about protection against the use of LOLBins in this post.


Human body pose recognition using Wi-Fi signal | Kaspersky official blog

To find an (honest) man, Diogenes famously used a lantern – the philosopher relied solely on optical recognition methods. Today, however, scientists suggest using Wi-Fi signals for this purpose. More specifically, the method developed by three researchers at Carnegie Mellon University uses the signal from an ordinary home Wi-Fi router to not only pinpoint a person’s location in a room, but also to identify their pose.

Why Wi-Fi? There are several reasons for this. Firstly, unlike optical recognition, radio signals work perfectly in the dark and aren’t hindered by small obstacles like furniture. Secondly, it’s cheap, which can’t be said for lidars and radars – other tools that could potentially do the job. Thirdly, Wi-Fi is already ubiquitous – just reach out and grab it. But just how effective is this method? And what can you do with it? Let’s dive in.

DensePose: a method for recognizing human poses in images

To get started, however, we need to back up a bit – first, we need to understand how to accurately recognize the human body and its poses in general. In 2018, another group of scientists presented a method called DensePose. They successfully used it to recognize human poses in photographs – that is, two-dimensional images with no additional data for depth.

Here’s how it works: first, the DensePose model searches for objects in the images that are recognized as human bodies. These objects are then segmented into distinct areas, each corresponding to a specific body part, and analyzed individually. This approach is used because body parts move very differently: for example, the head and torso behave very differently from the arms and legs.

DensePose can accurately recognize the poses of human bodies in photographs and even create UV maps of their surfaces.

As a result, the model has learned to correlate a 2D image with the 3D surface of the human body, obtaining not only image annotations corresponding to the recognized pose, but also a UV map of the body depicted in the photo. The latter makes it possible, for example, to overlay a texture on the image.

Most impressively, this technique can accurately recognize the poses of multiple people in group photos, even those chaotic “prom night” pictures where people are huddled together and partially obstruct each other.

DensePose accurately recognizes the positions of individual figures in group photos.

What’s more, if the images presented in the paper and the videos published by the researchers are to be believed, the system can confidently handle even the most unusual body positions. For example, the neural network correctly identifies people on bicycles, motorcycles, and horseback, and also accurately determines the poses of baseball players, soccer players, and even breakdancers, who often move in unpredictable ways.

The DensePose model works well even for highly unusual poses.

Another advantage of DensePose is that it doesn’t demand extraordinary computing power to work. Using a GeForce GTX 1080 – hardly a top-of-the-line graphics card, even at the time the study was published – DensePose captures 20-26 frames per second at a resolution of 240×320 and up to five frames per second at a resolution of 800×1100.

DensePose over Wi-Fi: radio waves instead of photos

Basically, the Carnegie Mellon researchers’ idea was to use the existing high-performance body recognition AI model, DensePose, but feed it Wi-Fi signals instead of photographs.

For their experiment, they constructed the following setup:

Two stands with standard TP-Link home routers, each equipped with three antennas: one served as a transmitter, the other as a receiver.
The recognition scene positioned between these stands.
A camera mounted on a stand next to the receiver router, capturing the same scene that the researchers were aiming to recognize using Wi-Fi signals.

General diagram of the test bench for recognizing human poses using Wi-Fi.

Next, they ran DensePose, which identified body positions using the camera installed next to the receiver router, and tasked it with training another neural network that worked with the Wi-Fi signal from the receiving router. This signal was preprocessed and modified for more reliable recognition – but these are minor details. The point is that the researchers were indeed able to create a new Wi-Fi-DensePose model that accurately reconstructs the spatial positions of human bodies using Wi-Fi signals.

In good conditions, the model can recognize human poses very well.

Limitations of the method

However, let’s not rush to write headlines like “Scientists Learn to See Through Walls Using Wi-Fi” just yet. First of all, the “seeing” here is quite abstract – the model doesn’t actually “see” the human body, but can predict its location and pose with a certain probability based on indirect data.

Visualizing anything with intricate detail using Wi-Fi signals is a complex challenge. This is demonstrated by another, similar study in which researchers experimented with objects much simpler than human bodies – and the results were, to put it mildly, far from ideal.

Visualizing objects using a Wi-Fi signal: the less pronounced the edges, the worse it turns out.

It’s also important to note that the model built by the Carnegie Mellon University researchers is significantly less accurate than the original method of recognizing poses in photographs, and also exhibits quite serious “hallucinations”. The model has particular difficulty with unusual poses or scenes involving more than two people.

The Wi-Fi-DensePose model does not do a good job of handling non-standard poses or large numbers of human bodies in a single scene.

In addition, the test conditions in the study were meticulously controlled: a simple, well-defined geometry, a clear line of sight between the transmitter and receiver, minimal radio signal interference – the researchers set up everything so they could easily “penetrate” the scene with radio waves. This ideal scenario is unlikely to be replicated in the real world.

So if you’re worried about someone hacking into your Wi-Fi router and monitoring what you do at home, relax. If there’s anything to be concerned about in your home, it’s household appliances. For example, smart pet feeders or even children’s toys have cameras, microphones, and cloud connectivity, while robot vacuum cleaners even have lidars that work flawlessly in the dark, as well as the ability to move around.

And just outside, another spy is waiting for you – a four-wheeled one. In terms of the amount of information they collect, today’s cars are miles ahead of smartwatches, smart speakers, and other everyday gadgets.


Transatlantic Cable podcast episode 346 | Kaspersky official blog

For the 346th episode of the Kaspersky Transatlantic Cable Podcast, Jag and I dive into a handful of stories that tie back to disinformation, privacy, people persisting, before ending with the WTF story of the week (and perhaps year).

We kick things off discussing WhatsApp and encryption, but more importantly how the app’s boss understands that it is being used – even in countries where there are bans on the popular messenger app. From there, we jump into the story from last week that impacts users of DropBox. After covering what it is, we discuss some safety measures that can be used by people using the service.

For our third story, we dive into the world of TikTok. While the US ban may be top of mind, we are actually crossing the world to discuss a recent phenomenon on the app that ties back to North Korea. It isn’t a hack, but rather an odd case of a propaganda song from the country going viral on the popular platform. Who would have thought that disinformation could go viral? But hey, I guess the beat slaps (as the kids say).

After that bit of head scratching, we head back to the US where recent research has shown that phishing sites impersonating the USPS are getting almost as much traffic as the real site. To close things out, we dive into AI and porn. More specifically, a new app being advertised on PornHub that allows anyone with the app to see any person naked, with the help of AI and without consent.

If you liked what you heard, please consider subscribing.

Tens of millions secretly use WhatsApp despite bans
Dropbox says hackers stole customer data, auth secrets from eSignature service
Why North Korea’s latest propaganda bop is a huge TikTok hit
US Post Office phishing sites get as much traffic as the real one
Pornhub’s Nonconsensual ‘Nudify’ Ad


How to protect yourself from phishing and malware on GitHub and GitLab | Kaspersky official blog

One of the oldest security tips is: “Only download software from official sources”. “Official sources” are usually the main app stores on each platform, but for millions of useful and free open-source apps, the most “official” source is the developer’s repository on a dedicated site such as GitHub or GitLab. There, you can find the project’s source code, fixes and additions to the code, and often a ready-to-use build of the app. These sites are familiar to anyone with even the slightest interest in computers, software, and programming. That’s why it was an unpleasant discovery for many (including IT security specialists and the developers themselves) that a file accessible at a link like github{.}com/{User_Name}/{Repo_Name}/files/{file_Id}/{file_name} could be published by someone other than the developer and contain… anything.

Of course, cybercriminals immediately took advantage of this.

Breaking down the problem

GitHub and its close relative GitLab are built around collaboration on software development projects. A developer can upload their code, and others can offer additions, fixes, or even create forks – alternative versions of the app or library. If a user finds a bug in an app, they can report it to the developer by creating an issue report. Other users can confirm the issue in the comments. You can also comment on new versions of the app. If necessary, you can attach files to the comments, such as screenshots showing the error or documents that crash the application. These files are stored on GitHub servers using links of the type described above.

However, GitHub has one peculiarity: if a user prepares a comment and uploads accompanying files, but doesn’t click “Publish”, the information remains “stuck” in the draft – and it’s invisible to both the application owner and other GitHub users. Nevertheless, a direct link to the file uploaded in the comment is created and fully operational, and anyone who follows it will receive the file from GitHub’s CDN.

A download link for a malicious file is generated after the file is added to an unpublished comment on GitHub

Meanwhile, the owners of the repository where this file is posted in the comments cannot delete or block it. They don’t even know about it! There are also no settings to restrict the upload of such files for the repository as a whole. The only solution is to disable comments completely (on GitHub, you can do this for up to six months), but that would deprive developers of feedback.

GitLab’s commenting mechanism is similar, allowing files to be published via draft comments. The files are accessible via a link like gitlab.com/{User_Name}/{Repo_Name}/uploads/{file_Id}/{file_name}.

However, the problem in this case is mitigated somewhat by the fact that only registered, logged-in GitLab users can upload files.

A gift for phishing campaigns

Thanks to the ability to publish arbitrary files at links starting with GitHub/GitLab and containing the names of respected developers and popular projects (because an unpublished comment with a file can be left in almost any repository), cybercriminals are presented with the opportunity to carry out very convincing phishing attacks. Malicious campaigns have already been discovered where “comments”, supposedly containing cheating apps for games, are left in Microsoft repositories.

A vigilant user might wonder why a gaming cheat would be in the Microsoft repository: https://github{.}com/microsoft/vcpkg/files/…../Cheat.Lab.zip. But it’s much more likely that the keywords “GitHub” and “Microsoft” will reassure the victim, who won’t scrutinize the link any further. Smarter criminals might disguise their malware even more carefully, for example, by presenting it as a new version of an app distributed through GitHub or GitLab and posting links via “comments” on that app.

How to protect yourself from malicious content on GitHub and GitLab

While this design flaw remains unfixed and anyone can freely upload arbitrary files to the CDN of GitHub and GitLab, users of these platforms need to be extremely careful.

Do not download files from direct GitHub/GitLab links that you find in external sources – other websites, emails, or chats. Instead, open the project page (github{.}com/{User_Name}/{Repo_Name} or gitlab{.}com/{User_Name}/{Repo_Name}) and make sure that you can actually download the file from there. Official files from developers should be published and visible in the repository.
Make sure you’re on the right developer page – in GitHub, GitLab, and other open-source repositories, typosquatting is common: creating fake projects with names that differ from the original by one or two letters (for example, Chaddev instead of Chatdev).
Avoid downloading applications that have few stars (likes) and have been created recently.
Use protection against malware and phishing on all your computers and smartphones. Kaspersky Premium provides comprehensive protection for gamers and computer enthusiasts.
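The first two tips can be turned into a mechanical check that runs before anyone clicks a link. The following is an added example and not code from the post or from GitHub/GitLab: it recognises the attachment link shapes the post describes (`github.com/{User_Name}/{Repo_Name}/files/{file_Id}/{file_name}` and `gitlab.com/{User_Name}/{Repo_Name}/uploads/{file_Id}/{file_name}`), hands back the project page that should be opened instead, and flags repository names within one or two edits of a project you trust, as in the Chaddev/Chatdev case. The trusted-project list (`example-org/chatdev` is a hypothetical owner), the sample URLs and the numeric file id are constructed; GitLab subgroup paths are not handled.

```python
"""Classify a GitHub/GitLab link before following it and flag typosquatted
project names. Added example; the trusted list and sample URLs are
constructed and the path shapes follow the forms quoted in the post."""
import re
from urllib.parse import urlparse

# Path shapes. Attachment links carry only an opaque file id, no branch or tag.
GITHUB_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/files/[^/]+/[^/]+$")
GITLAB_ATTACHMENT = re.compile(r"^/([^/]+)/([^/]+)/uploads/[^/]+/[^/]+$")
GITHUB_RELEASE = re.compile(r"^/([^/]+)/([^/]+)/releases/download/[^/]+/[^/]+$")
REPO_ROOT = re.compile(r"^/([^/]+)/([^/]+)/?$")

# Hypothetical set of projects the reader has vetted (owner, repo), lower-case.
TRUSTED = {("microsoft", "vcpkg"), ("example-org", "chatdev")}


def classify_link(url):
    """Return (kind, owner, repo, project_page). 'comment_attachment' means
    anyone could have uploaded the file; open project_page and look for it there."""
    p = urlparse(url)
    host, path = p.netloc.lower(), p.path
    if host == "github.com":
        rules = [("comment_attachment", GITHUB_ATTACHMENT),
                 ("release_asset", GITHUB_RELEASE), ("repo_page", REPO_ROOT)]
    elif host == "gitlab.com":
        rules = [("comment_attachment", GITLAB_ATTACHMENT), ("repo_page", REPO_ROOT)]
    else:
        return ("other_host", None, None, None)
    for kind, rx in rules:
        m = rx.match(path)
        if m:
            owner, repo = m.group(1), m.group(2)
            return (kind, owner, repo, f"https://{host}/{owner}/{repo}")
    return ("unclassified", None, None, None)


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(owner, repo, trusted=TRUSTED, max_dist=2):
    """Return the trusted (owner, repo) this project resembles but does not
    equal, or None if it is either trusted or not similar to anything."""
    name = f"{owner}/{repo}".lower()
    best = None
    for o, r in trusted:
        d = edit_distance(name, f"{o}/{r}")
        if d == 0:
            return None
        if d <= max_dist and (best is None or d < best[0]):
            best = (d, (o, r))
    return best[1] if best else None


def assess(url):
    """Combine both checks into a one-line verdict for a link."""
    kind, owner, repo, page = classify_link(url)
    if owner is None:
        return f"{kind}: not a repository link I can vet"
    notes = []
    if kind == "comment_attachment":
        notes.append(f"comment attachment; verify it is listed on {page}")
    twin = lookalike_of(owner, repo)
    if twin:
        notes.append(f"name resembles trusted project {twin[0]}/{twin[1]}")
    return f"{kind}: " + ("; ".join(notes) if notes else "no findings")


if __name__ == "__main__":
    for u in ["https://github.com/microsoft/vcpkg/files/12345678/Cheat.Lab.zip",
              "https://github.com/example-org/Chaddev",
              "https://gitlab.com/example-org/tool/uploads/0123abcd/tool.exe",
              "https://github.com/microsoft/vcpkg/releases/download/2024.01.01/vcpkg.zip"]:
        print(u, "->", assess(u))
```

A release asset is not automatically safe either (the repository itself could be a lookalike), which is why the two checks are reported together; the point is that an attachment link never counts as “published by the developer”.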


What is credential stuffing? | Kaspersky official blog

Millions of accounts fall victim to credential stuffing attacks each year. This method has become so widespread that back in 2022, one authentication provider reported an average of one credential stuffing attempt for every two legitimate account logins. And it’s unlikely that the situation has improved over the past couple of years. In this post, we’ll discuss in detail how credential stuffing works, what data attackers use, and how you can protect your organization’s resources from such attacks.

How credential stuffing attacks work

Credential stuffing is one of the most effective ways to compromise user accounts. Attackers leverage vast databases of pre-obtained usernames and passwords for accounts registered on various platforms. They then try these credentials en masse on other online services, hoping that some will work.

This attack preys on the unfortunate habit that many people have of using the same password for multiple services – sometimes even relying on a single password for everything. As a result, attackers inevitably succeed in hijacking accounts with passwords that victims have used on other platforms.

Where do these databases come from? There are three main sources:

Passwords stolen through mass phishing campaigns and phishing sites.
Passwords intercepted by malware specifically designed to steal credentials – known as stealers.
Passwords leaked through breaches of online services.

Data breaches supply cybercriminals with by far the largest number of passwords. The record holder is the 2013 Yahoo! breach, which exposed a whopping 3 billion records.

It’s important to note that services typically don’t store passwords in plain text but use so-called hashes instead. After a successful breach, attackers need to crack these hashes. The simpler the password, the less time and resources it takes to crack it. Therefore, users with weak passwords are most at risk after a data breach.

However, if cybercriminals really need it, even the strongest password in the world is likely to be cracked eventually if its hash was exposed in a leak. So no matter how strong your password is, avoid using it across multiple services.

Not surprisingly, stolen password databases continue to grow and accumulate new data. This results in colossal archives containing entries far exceeding the population of the Earth. In January 2024, the largest password database known to date was discovered, containing a staggering 26 billion records.

Protecting against credential stuffing attacks

To shield your organization’s resources from credential stuffing attacks, we recommend implementing the following security measures:

Educate your employees on cybersecurity best practices, emphasizing the dangers of password reuse.
Develop and enforce a sensible password policy.
Encourage the use of password managers to generate and store strong and unique character combinations. The application will also monitor for data breaches and recommend changing a password if it is already in a known database.
Finally, mandate the use of two-factor authentication wherever possible. It’s the most effective way to protect against not only credential stuffing but also other account takeover attacks.

In addition, apply the principle of least privilege to mitigate the impact of successful credential stuffing attacks in advance and, of course, use reliable protection on all corporate devices.

Googerteller lets you hear how tracking sounds | Kaspersky official blog

We all know that we’re being tracked online, but the sheer scale of it continues to stagger — at least when this scale is properly communicated. Dry facts like “Your browser connected to 456 advertising trackers in the past hour” usually don’t get the point across. The problem is that such numbers lack context. They fail to connect our online actions with their unseen consequences. But what if we could somehow make online tracking visible — or audible? Electronic music artist Jasmine Guffond did just that a few years back…

The sound of Google tracking

She created a browser extension called Listening Back, which plays a sound every time your browser saves, modifies, or deletes a cookie file. Since these events accompany practically any user action, the result is both eye-opening (or ear-opening, if you will) and rather bizarrely beautiful.

A similar idea occurred to Dutch programmer Bert Hubert, known for creating the PowerDNS software for DNS servers. According to Hubert, when studying network activity logs, he was always struck by how often sites communicate with Google (and other sites too). This inspired him to write a small program he called Googerteller.

In the original version, the program emitted a sound every time a connection to Google was made. The result was also impressive — just listen to how it sounds. For example, here’s a recording of a visit to the official Dutch government job website, which features posts for vacancies in its intelligence agencies.

Almost every click on this site sends information to Google — and the user is never warned about this.

More tracking — more sound

Not content with just Google, Bert Hubert added to Googerteller addresses belonging to Facebook and a number of other “popular” online trackers. Then, he visited a couple of websites that abuse online tracking much more severely than the Dutch government job site. The results speak volumes.

Unfortunately, Googerteller is only available as source code on GitHub. Anyone interested in listening to online tracking with their own ears can compile it, and then run it on their computer. Here’s the original Googerteller code for Linux, macOS, and other X-systems, and here’s a “fan-made version” for Windows called GoogeDotTeller. The only way to experience Googerteller without compiling it yourself is with this Googerteller-inspired plugin for Mozilla Firefox (and here’s its source code).

However, the above-mentioned electronic musician’s Listening Back browser extension remains readily available in the official extension stores — for both Google Chrome and Mozilla Firefox. No technical skills are needed: just install and away you go.

Enjoy the silence

If you’d rather not just listen to trackers collecting information about you, but actively block them, our Private Browsing feature is here to help. It effectively counters online advertising trackers. This feature is available in all our home user subscriptions: Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.

Remember to check your settings: by default, the Private Browsing feature only works in tracker detection and counting mode. Blocking mode must be enabled manually. Once done, fire up Googerteller or Listening Back and compare how your browser sounds with and without protection.

Transatlantic Cable podcast episode 345 | Kaspersky official blog

Episode 345 of the Transatlantic Cable podcast kicks off with a story from the U.S., where a Pew survey suggested that most Americans feel that social media platforms have too much political power and influence. From there, the team discusses news that ChatGPT can hack software vulnerabilities, and that the U.K. has become the first country in the world to ban simple passwords such as 123456 or ‘password’ for smart devices.

If you liked what you heard, please consider subscribing.

Social media companies have too much political power, 78% of Americans say in Pew survey
Could ChatGPT be the next big cybersecurity worry
‘Admin’ and ‘12345’ banned from being used as passwords in UK crackdown on cyber attacks

Information security in the “Bad Batch” | Kaspersky official blog

As usual, for May the 4th (MTFBWY), we’re publishing a report for Star Wars fans, telling how a long time ago in a galaxy far away the Empire was negligent about information security. This year’s report subject is the just-concluded third season of the “Star Wars: The Bad Batch” animated series. As usual, we have to warn that the text below may contain spoilers.

Despite its seemingly lightweight format, the plot twists and overall coherence of the narrative in “The Bad Batch” are much better than in most recent live-action series and movies. Ever since the ninth episode’s “Somehow, Palpatine returned”, Lucasfilm creative director Dave Filoni has been trying to justify this return logically, at least to some extent. Therefore, the plot of the new animated series revolves around “Project Necromancer”, conducted at the top-secret Tantiss base. And this is just what we need — a secret scientific institution, with unprecedented (for the Galactic Empire) protective systems, which, nevertheless, regularly fail.

Measures to protect the secrecy of the Tantiss base’s location

Doctor Hemlock, leader of the Tantiss base and head of the “Project Necromancer”, has the full trust of the Emperor and unlimited resources. One of his tasks is to ensure the security and secrecy of the base. And unlike most of the Imperial leaders we’ve seen before, he approaches his task responsibly.

There’s no information about the location of this facility in any Imperial database. This, of course, causes certain difficulties with supply-ship flights, but Hemlock has put safeguards in place to keep the coordinates of his base secret. Any ship heading to Tantiss base must dock with Imperial Station 003 in orbit around Coruscant, capital of the Galactic Empire, and undergo a thorough check, which includes an inspection of the entire crew. The access code needed for docking changes once every rotation. Tantiss’s coordinates are downloaded directly into the ship’s navigation computer immediately after takeoff and are somehow not stored there. Obviously, they are downloaded from some isolated computer, since this data isn’t accessible from the base network. Even accessing the station’s manifest, which stores information about ship destinations, requires a separate access card.

Science ships that fly to Tantiss use enhanced safety protocols. In particular, they’re equipped with proximity sensors that detect suspicious objects near the ship’s hull (it’s totally unclear why this technology isn’t used anywhere else in the Empire). In addition, when someone is accessing the flight computer through the connection port for droids, an alarm signal is sent to the pilot’s console. And this is the first case of at least some cyberprotection of this data port.

Why these measures aren’t enough

Unfortunately, all these precautions turn out to be completely pointless. The main characters of the series, “Clone Force 99”, dock with the station using a recently stolen shuttle whose computer still holds a valid clearance code. Their unscheduled arrival of course arouses certain suspicions, but a defector in an officer’s uniform who has joined the clone squad uses social engineering to convince station personnel that his arrival is legitimate. He advises suspicious officers to contact their superiors (and no one wants to contact Admiral Tarkin), and dismisses the door guards from their posts by threatening them with some “article 15 of Imperial Standing Order 10”.

Next, Echo, a clone with a bunch of cybernetic enhancements, connects directly to the base computer through a droid port and finds out which ship is heading to the Tantiss base. He gets aboard the science vessel through a separate dock for droid loading, which for some reason nobody monitors, while the human crew is being thoroughly scanned! On board the shuttle, he connects to a similar droid port, and this does indeed trigger an “unscheduled droid activity in the cargo hold” signal, but Echo simply stuns the trooper sent to investigate and assures everyone over the trooper’s communicator that it was just a malfunction. Then he simply turns off the proximity sensors.

How to avoid repeating imperial mistakes:

equip all computer systems that have a droid connection port with an alarm system in case of an unauthorized connection — not just those located in the hold of science ships;
periodically conduct security awareness training for the base crew. In particular, teach them to recognize social engineering methods.

Tantiss base defenses

Tantiss base also employs several protection technologies unique to the Imperial facilities. For example, the droids working at the station are capable of remotely triggering an alarm. But the main cybersecurity innovation is that access to a number of key scientific systems and zones is possible only after connecting an employee’s personal datapad through a special cradle. Those datapads are well encrypted; they stop working when taken away from the base, and activation of lockdown mode in the lab makes all datapad cradles inoperable.

The outer perimeter of the base is guarded, among other things, with the help of trained local predators (lurca hounds). There are tunnels leading to their stables at the base, but they are protected by force fields, activated on a signal from the supervisor. Moreover, the tunnels have some presence sensors that sound an alarm when unexpected activity is detected.

The central laboratory in which the experimental subjects are kept is protected not only by security squads and force fields, but also by a door locked with a special key (only Hemlock himself and the chief scientist of the base have copies of the same key). Regular blood samples are taken from the experimental subjects by medical droids and are sent through technological tunnels (opened also by medical droids).

Why these measures aren’t enough

Personal datapads don’t have their own authentication system. If an attacker manages to get hold of the device, he’ll be able not only to open doors and operate elevators, but also gain access to classified information systems (and even drop heavy containers on droids). Yes, datapads are encrypted, but the encryption can be bypassed by connecting one to any Imperial terminal, at any Imperial base.

The motion detectors in the lurca tunnels don’t activate protection mechanisms automatically. The order is given by an officer, and he may not be fast enough.

The technological tunnels for transporting blood samples are large enough for experimental subjects to crawl through. The hatches covering those tunnels can be opened mechanically using stolen medical instruments, and those same instruments can be used not only to paralyze a medical droid, but also to reprogram one.

Access to some systems doesn’t require authentication at all. In particular, the field that restrains a dangerous and practically invulnerable animal (Zillo Beast) is turned off from a nearby control panel by pressing several buttons and pulling one lever. And we’re talking about an animal capable of destroying the base entirely.

Unauthorized connections to the droid ports scattered throughout the base are once again not monitored in any way, even though the shuttle has a system capable of monitoring exactly such activity! Moreover, at some point the attackers try to connect to the blood testing station and are denied access, yet this failed attempt to access classified information doesn’t trigger any alarm.

And the final touch: there’s no data backup for research materials on which “the future of the Empire depends”. One grenade exploded in a research laboratory is enough for all the results of Dr. Hemlock’s activities to be irretrievably lost.

How to avoid making the same mistakes:

it makes sense to make backup copies of critical information and store it on media isolated from the network in a separate room;
all systems that provide access to classified information or to secret premises must be equipped with a two-factor authentication system;
strictly speaking, what this scientific base lacks is something like a SIEM system that can manage security data and events. It can analyze cybersecurity events from various information systems, such as loss of signal from droids, access attempts and so on. It can even automate responses to those alerts – turn on isolation mode, force fields and alarms when necessary.
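A toy version of the event correlation the last point describes, added here as an illustration and not taken from the series or from any real SIEM product; the event feed, event types, rule names and responses are all invented for the example:

```python
from datetime import datetime, timedelta

# Constructed event feed (not from the series or any real product) modelled
# on the incidents above: an unscheduled droid port connection, a denied
# access attempt at the blood testing station, a medical droid going silent.
EVENTS = [
    {"ts": "10:00", "source": "shuttle-cargo-port", "type": "droid_port_connect", "scheduled": False},
    {"ts": "10:03", "source": "trooper-TK-221", "type": "comms_all_clear"},
    {"ts": "10:10", "source": "blood-testing-station", "type": "access_denied", "classified": True},
    {"ts": "10:12", "source": "medical-droid-7", "type": "droid_signal_lost"},
    {"ts": "11:30", "source": "lab-cradle-3", "type": "datapad_cradle_use", "scheduled": True},
]

# Hypothetical single-event rules: (predicate, alert name, automated response).
RULES = [
    (lambda e: e["type"] == "droid_port_connect" and not e.get("scheduled", False),
     "unscheduled_droid_port_connect", "alert_pilot_console"),
    (lambda e: e["type"] == "access_denied" and e.get("classified", False),
     "classified_access_denied", "enable_isolation_mode"),
    (lambda e: e["type"] == "droid_signal_lost",
     "droid_signal_lost", "raise_tunnel_force_fields"),
]


def correlate(events, window=timedelta(minutes=15), lockdown_threshold=2):
    """Apply the single-event rules, then escalate to a base-wide lockdown
    once alerts from `lockdown_threshold` distinct sources fall inside one
    `window`. Events are assumed to be in chronological order.
    Returns the ordered list of (alert, response) pairs."""
    alerts = []
    for e in events:
        for predicate, name, response in RULES:
            if predicate(e):
                alerts.append((datetime.strptime(e["ts"], "%H:%M"), e["source"], name, response))
    responses = [(name, response) for _, _, name, response in alerts]
    # Correlation step: an alert followed within `window` by alerts from
    # enough other sources is treated as a coordinated intrusion.
    for i, (ts, _, _, _) in enumerate(alerts):
        sources = {src for t, src, _, _ in alerts[i:] if t - ts <= window}
        if len(sources) >= lockdown_threshold:
            responses.append(("correlated_intrusion", "lockdown_base"))
            break
    return responses
```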

But in general, the advances in defense systems cannot be denied: other Imperial institutions we’ve seen in the Star Wars universe lack this level of protection. As usual, though, it’s hard to call it progress. After all, this is a kind of prequel: the series takes place 18 years before the Battle of Yavin, so the Death Star incident occurred much later. The screenwriters will probably have to explain this in subsequent movies and animated series.
