Transatlantic Cable podcast episode 345 | Kaspersky official blog

Episode 345 of the Transatlantic Cable podcast kicks off with a story from the U.S., where a Pew survey suggests that most Americans feel social media platforms have too much political power and influence. From there the team discusses news that ChatGPT can be used to exploit software vulnerabilities, and the U.K. becoming the first country in the world to ban simple default passwords such as 123456 or ‘password’ on smart devices.

If you liked what you heard, please consider subscribing.

Social media companies have too much political power, 78% of Americans say in Pew survey
Could ChatGPT be the next big cybersecurity worry
‘Admin’ and ‘12345’ banned from being used as passwords in UK crackdown on cyber attacks

Kaspersky official blog – ​Read More

Information security in the “Bad Batch” | Kaspersky official blog

As usual, for May the 4th (MTFBWY), we’re publishing a report for Star Wars fans, telling how, a long time ago in a galaxy far, far away, the Empire was negligent about information security. This year’s subject is the just-concluded third season of the “Star Wars: The Bad Batch” animated series. As usual, we have to warn that the text below may contain spoilers.

Despite its seemingly unserious format, the plot twists and overall coherence of the narrative in “The Bad Batch” are much better than in most recent live-action series and movies. Ever since Episode IX declared that “somehow, Palpatine returned”, Lucasfilm creative director Dave Filoni has been trying to justify this return logically, at least to some extent. That is why the plot of the new animated season revolves around “Project Necromancer”, conducted at the top-secret Tantiss base. And this is just what we need: a secret scientific institution with protective systems unprecedented for the Galactic Empire, which nevertheless regularly fail.

Measures to protect the secrecy of the Tantiss base’s location

Doctor Hemlock, commander of the Tantiss base and head of Project Necromancer, has the full trust of the Emperor and unlimited resources. One of his tasks is to ensure the security and secrecy of the base. And unlike most of the Imperial leaders we’ve seen before, he approaches this task responsibly.

There’s no information about the location of this facility in any Imperial database. This, of course, causes certain difficulties for supply flights, so Hemlock put safeguards in place to keep the coordinates of his base secret while still letting ships reach it. Any ship heading to Tantiss must dock with Imperial Station 003 in orbit around Coruscant, capital of the Galactic Empire, and undergo a thorough check, including an inspection of the entire crew. The access code needed for docking changes once every rotation. Tantiss’s coordinates are loaded directly into the ship’s navigation computer immediately after takeoff and are somehow not retained there. Presumably they are loaded from an isolated computer, since this data isn’t accessible from the station network. Even accessing the station’s manifest, which records ship destinations, requires a separate access card.

Science ships that fly to Tantiss use enhanced security protocols. In particular, they’re equipped with proximity sensors that detect suspicious objects near the ship’s hull (it’s totally unclear why this technology isn’t used anywhere else in the Empire). In addition, when someone accesses the flight computer through the droid connection port, an alarm is sent to the pilot’s console. This is the first case of at least some cyberprotection for this data port.

Why these measures aren’t enough

Unfortunately, all these precautions turn out to be completely pointless. The main characters of the series, “Clone Force 99”, dock with the station using a recently stolen shuttle whose computer still holds a valid clearance code. Their unscheduled arrival of course arouses certain suspicions, but a defector in an officer’s uniform who has joined the clone squad uses social engineering to convince station personnel that his arrival is legitimate. He invites suspicious officers to contact their superiors (and no one wants to bother Admiral Tarkin), and dismisses the door guards from their posts by threatening them with some “article 15 of Imperial Standing Order 10”.

Next, Echo, a clone with a bunch of cybernetic enhancements, connects directly to the station computer through a droid port and finds out which ship is heading to Tantiss. He boards the science vessel through a separate dock for droid loading, which for some reason nobody monitors, while the human crew is being thoroughly scanned! On board the shuttle he connects to a similar droid port, and it does indeed trigger an “unscheduled droid activity in the cargo hold” alert, but Echo simply stuns the trooper sent to investigate and, over the trooper’s communicator, assures everyone that it was a malfunction. Then he simply turns off the proximity sensors.

How to avoid repeating imperial mistakes:

equip every computer system that has a droid connection port with an alarm for unauthorized connections, not just those in the holds of science ships;
periodically conduct security awareness training for base personnel, in particular teaching them to recognize social engineering techniques.

Tantiss base defenses

Tantiss base also employs several protection technologies unique among Imperial facilities. For example, the droids working at the base are capable of remotely triggering an alarm. But the main cybersecurity innovation is that access to a number of key scientific systems and zones is possible only after connecting an employee’s personal datapad through a special cradle. Those datapads are well encrypted; they stop working when taken away from the base, and activating lockdown mode in the lab disables all datapad cradles.

The outer perimeter of the base is guarded, among other things, with the help of trained local predators (lurca hounds). Tunnels lead from their kennels into the base, but they are protected by force fields activated on a signal from the supervisor. Moreover, the tunnels have presence sensors that sound an alarm when unexpected activity is detected.

The central laboratory in which the experimental subjects are kept is protected not only by security squads and force fields, but also by a door locked with a special key (only Hemlock himself and the chief scientist of the base hold copies). Regular blood samples are taken from the experimental subjects by medical droids and are sent through service tunnels (also opened by medical droids).

Why these measures aren’t enough

Personal datapads have no authentication of their own: possession of the device is all it takes. An attacker who gets hold of one can not only open doors and operate elevators, but also gain access to classified information systems (and even drop heavy containers on droids). Yes, the datapads are encrypted, but the encryption can be bypassed by connecting one to any Imperial terminal, at any Imperial base.

The presence sensors in the lurca tunnels don’t activate the protection mechanisms automatically. The order is given by an officer, who may not be fast enough.

The service tunnels for transporting blood samples are large enough for experimental subjects to crawl through. The hatches covering those tunnels can be opened mechanically using stolen medical instruments, and the same instruments can be used not only to paralyze a medical droid but also to reprogram one.

Access to some systems doesn’t require authentication at all. In particular, the field that restrains a dangerous and practically invulnerable animal (Zillo Beast) is turned off from a nearby control panel by pressing several buttons and pulling one lever. And we’re talking about an animal capable of destroying the base entirely.

Unauthorized connections to the droid ports scattered throughout the base are, once again, not monitored in any way, even though the shuttle has a system capable of monitoring exactly this kind of activity! Moreover, at some point the attackers try to connect to the blood-testing station and are denied access, yet this failed attempt to reach classified information raises no alarm.

And the final touch: there’s no backup of the research materials on which “the future of the Empire depends”. A single grenade detonated in the research laboratory is enough for all the results of Dr. Hemlock’s work to be irretrievably lost.

How to avoid making the same mistakes:

keep backup copies of critical information on media isolated from the network and stored in a separate room;
require two-factor authentication on every system that grants access to classified information or to restricted premises;
strictly speaking, what this scientific base lacks is something like a SIEM (security information and event management) system. It collects and correlates security events from different systems, such as loss of signal from a droid, denied access attempts, unexpected port connections and so on, and can even automate the response to those alerts: switching on isolation mode, force fields and alarms when necessary.

In general, the progress in defensive systems cannot be denied: other Imperial institutions we’ve seen in the Star Wars universe lack this level of protection. But, as usual, it’s hard to call it progress. After all, this is a kind of prequel: the series takes place 18 years before the Battle of Yavin, and the Death Star incident occurred much later. So the screenwriters will probably have to explain that regression in subsequent movies and animated series.

Kaspersky official blog – ​Read More

Dropbox Sign e-signature service hacked | Kaspersky official blog

Dropbox has shared the results of an investigation into a breach of its infrastructure. The company does not specify when the incident actually occurred, stating only that the attack was noticed by employees on April 24. We explain what happened, what data was leaked, and how to protect yourself and your company from the consequences.

Dropbox Sign hack: how it happened and what data was stolen

Unidentified attackers compromised a Dropbox Sign service account and thereby gained access to the platform’s automated system configuration tool. Using this access, they were able to reach a database containing information about Dropbox Sign users.

As a result, the following data of registered users of the Sign service was stolen:

usernames;
email addresses;
phone numbers;
passwords (hashed);
authentication keys for the Dropbox Sign API;
OAuth authentication tokens;
SMS and application two-factor authentication tokens.

If users of the service interacted with it without creating an account, then only their names and email addresses were leaked.

Dropbox claims that it found no signs of unauthorized access to the contents of user accounts, that is, documents and agreements, as well as payment information.

As a protective measure, Dropbox reset the passwords for all Dropbox Sign accounts and ended all active sessions, so you will have to log in to the service again and set a new password.

Does the Dropbox Sign hack affect all Dropbox users?

Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, primarily for signing electronic documents. The closest analogues of this service are DocuSign and Adobe Sign.

As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “largely separate from other Dropbox services.” Judging by the results of the company’s investigation, the Dropbox Sign hack was an isolated incident and did not affect other Dropbox products. Thus, according to the information available now, it does not threaten users of the company’s main service, the Dropbox cloud file storage itself. This is also true for users whose Sign account was linked to their main Dropbox account.

What should you do about Dropbox Sign being hacked?

Dropbox has already reset passwords for all Dropbox Sign accounts, so you will have to change your password in any case. We recommend using a completely new password rather than a slightly modified version of the old one. Ideally, generate a long random combination of characters with a password manager and store it there.

Since two-factor authentication tokens were also stolen, you should reset them as well. If you used SMS, the reset occurred automatically. And if you used an application, you will have to do it yourself. To do so, go through the process of registering your authenticator app with the Dropbox Sign service again.

The list of stolen data also includes authentication keys for the Dropbox Sign API. So if your company used the service through the API, you need to generate a new key and make sure nothing still uses the old one.

Finally, if you’ve used the same password for any other services, change it as quickly as possible, especially where it was paired with the same username, email address, or phone number that you registered with Dropbox Sign. Again, a password manager makes this convenient, and, by the way, one is included in our security solution for small businesses.

Kaspersky official blog – ​Read More

How Kaspersky stores passwords | Kaspersky official blog

The first Thursday in May is a special day. For over a decade, this day has been celebrated as World Password Day. For us at Kaspersky, it’s an important occasion; we don’t throw a party, but rather take the opportunity to once again remind you of one of the important things in life. That’s right — passwords! So let’s discuss how to create them, where to store them securely, and why “qwerty12345” is a no-no.

This conversation is crucial because many people still rely on weak and reused passwords that are too easy to guess and have repeatedly fallen into the hands of hackers. Why this happens and how to address it — we explain in today’s post.

How do we discover leaks?

Our global threat intelligence network — Kaspersky Security Network (KSN) — plays a key role. It gathers and analyzes cyberthreat data from around the world, with most of the data being provided by our customers anonymously and voluntarily. This de-personalized data is analyzed by our machine learning algorithms (AI) and human experts, enabling us to respond rapidly to emerging cyberthreats: the average time between a new threat appearing and KSN participants’ learning about it is only 40 seconds!

Thanks to Kaspersky Security Network, we know that in 2023 there were over 32 million attempted attacks on KSN users’ passwords. In 2022, the number was even higher — a whopping 40 million. This translates to password hacking attempts happening more than once per second globally! Additionally, our late 2023 research showed that attacks don’t only affect home users — businesses aren’t immune either. 76% of small business entrepreneurs surveyed have faced at least one cyber-incident in the past two years, with nearly a quarter of attacks (24%) caused by the use of weak, repeated, or old passwords.

How we check your data

We employ three methods to check if your data and passwords have been compromised:

By email address for Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium. It’s simple: you enter into the application the email addresses you and your close ones use for online accounts. We tell you if any of your personal data, including passwords, has leaked to the internet or dark web. Rest assured, our application doesn’t receive or store the compromised data itself but only provides information about its type. We’ll alert you if a breach involves your password, home address, ID or passport data, bank card number, or any combination thereof. And we won’t just alert you; we’ll also provide sound advice from our cybersecurity experts on the appropriate actions to take, as different types of leaks require specific responses.
By phone number for Kaspersky Premium. This method operates similarly to the email check, but focuses on accounts linked not to email addresses but to phone numbers. These accounts often belong to more “serious” services like banks, government institutions, and major online marketplaces, where data leaks can have severe consequences. You just need to specify your phone number in the application for us to check if it has appeared in any data leaks. You can check not only your own number but also the numbers of your family and relatives. The best part is that you only need to input the email addresses and phone numbers once; we’ll continuously monitor the web for leaks from then on. If your data gets exposed, you’ll receive an immediate alert with recommendations on what to do.
By special algorithm in Kaspersky Password Manager. Unlike the two previous methods, which check all possible leak scenarios, our password manager focuses on analyzing the passwords you store in it. Even offline, it can tell you which of your passwords are weak or reused, and which ones are sufficiently strong. Additionally, Kaspersky Password Manager regularly checks all your passwords against databases of compromised credentials and notifies you of any matches.

You can also check if a password has been compromised using our online Password Checker service. Simply enter the password you want to check, and the system will tell you how many times it’s appeared in leaked databases and whether it can be considered secure.

Oops! Bad news: the password “qwerty12345” has been leaked at least 285,000 times

However, this method has one drawback compared to the previous three: it requires manual checks, while Kaspersky Password Manager, Kaspersky Plus, and Kaspersky Premium automatically monitor for leaks in the background.

So does Kaspersky store the passwords of all its users? Absolutely not. None of the company’s employees — a developer, analyst, editor, designer, or even Eugene Kaspersky himself — has access to your sensitive data. We’ve already discussed our zero-knowledge policy in detail, here. Below, we’ll explain why we can’t access your passwords stored in Kaspersky Password Manager.

Why storing passwords in Kaspersky Password Manager is easier and safer

Memorizing all your passwords or keeping them in, say, note-taking apps is risky. The dedicated Kaspersky Password Manager is designed specifically for this purpose. It creates, stores and automatically enters strong and unique passwords on websites and applications, checks them for compromise, and generates two-factor authentication codes.

Here’s a simplified explanation of how Kaspersky Password Manager works. All your passwords are stored in a vault encrypted with the AES-256 symmetric encryption algorithm. This standard is considered strong enough by the U.S. NSA to protect government secrets. The encryption key is derived from your main password, which you create during the initial setup of the application. Every time you try to access the vault, Kaspersky Password Manager prompts you for this password and uses it to decrypt the data.

You can keep not only passwords but other important data like bank card numbers, scanned documents, notes, etc. in the same vault. Thus, your confidential data is stored and synchronized among all your devices in “top secret” encrypted form.

This level of security far surpasses storing passwords in browsers. We advise against accepting your browser’s persistent offers to save your passwords: malware running under your user account can extract such passwords from the browser in mere seconds.

Access to the encrypted vault in Kaspersky Password Manager is granted exclusively through your main password. We don’t know this password and never store it anywhere. If you forget it, the vault’s contents will be irretrievable, and you’ll have to create a new vault. This approach ensures the highest level of security: even if a hacker somehow gains access to the encrypted vault of Kaspersky Password Manager, they won’t be able to uncover your passwords, bank card details, or any other stored documents.

How can we check your passwords for leaks if we don’t know them in the first place?

This is where the Secure Hash Algorithm 1 (SHA-1) comes in handy. It takes any data and produces a hash value: a fixed-length string that, for practical purposes, is unique to the input data. For example, if your actual password is “qwerty12345”, its “SHA-1 language” representation would look like this: 4e17a448e043206801b95de317e07c839770c8b8.

The same password always produces the same hash, so if two hashes match, the original passwords match too. KSN stores the hashes of all known hacked and leaked passwords. To check your password, we calculate its hash locally on your device, then send only the first half of that hash to Kaspersky servers, which return all hashes of compromised passwords that begin the same way. Those hashes are compared on your device with the full hash of your password. If an exact match is found, your password has been compromised.

Thus, we do not know your passwords: they never leave your device, in plain or hashed form. It is possible in principle to recover a weak password from its full hash by guessing, but the full hashes never leave your device either. Only a prefix is sent to KSN servers for comparison, and a prefix alone does not identify your password: the server only learns which group of known hashes share that beginning, and the shorter the prefix, the larger that group. SHA-1 is no longer suitable for storing password hashes, but here it serves only as a lookup key for the compromised-password database, not as a stored credential. Therefore, checking your passwords for leaks is safe.
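The exchange described above, as an added example that is not Kaspersky’s own code: a client that hashes locally and sends only a hash prefix, and a server that stores nothing but hashes and answers with every hash sharing that prefix. The leaked-password corpus is constructed here (a few well-known weak passwords plus 20,000 six-digit PINs); the class and function names are assumptions for illustration. The `bucket_size` helper shows the trade-off the text alludes to: how many known hashes share the prefix the server sees, for prefix lengths from 3 hex characters up to the full 40.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Hash a password exactly as both client and server do."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for the leaked-password database; not real leak data.
CORPUS = ["123456", "password", "qwerty12345", "letmein", "admin", "12345"] + [
    str(n).zfill(6) for n in range(20_000)
]

class LeakServer:
    """Server side of the check. It stores only hashes, receives only a hash
    prefix from the client, and answers with every stored hash sharing it."""

    def __init__(self, passwords, prefix_len):
        self.prefix_len = prefix_len
        self.index = {}
        for pw in passwords:
            h = sha1_hex(pw)
            self.index.setdefault(h[:prefix_len], []).append(h)
        self.queries = []  # everything the server ever learns from clients

    def query(self, prefix):
        if len(prefix) != self.prefix_len:
            raise ValueError("unexpected prefix length")
        self.queries.append(prefix)
        return self.index.get(prefix, [])

    def bucket_size(self, prefix):
        """How many known-leaked hashes share this prefix: the anonymity set."""
        return len(self.index.get(prefix, []))

def is_compromised(password, server):
    """Client side: hash locally, send only a prefix, compare the full hash at home."""
    full_hash = sha1_hex(password)
    candidates = server.query(full_hash[: server.prefix_len])
    return full_hash in candidates

if __name__ == "__main__":
    h = sha1_hex("qwerty12345")
    for prefix_len in (3, 20, 40):
        server = LeakServer(CORPUS, prefix_len)
        print(f"prefix of {prefix_len:2d} hex chars: "
              f"compromised={is_compromised('qwerty12345', server)}, "
              f"known hashes sharing that prefix={server.bucket_size(h[:prefix_len])}")
```

With a 3-character prefix the server sees one of 4,096 buckets, each holding a handful of the 20,006 hashes; with the full 40 characters the bucket holds exactly one hash, so the server would learn exactly which leaked password was queried. A real deployment should pick the prefix length with that in mind.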

How to come up with a main password

With Kaspersky Password Manager, you only need to remember one – main – password. The application uses the main password to encrypt your data in the vault. Therefore, we recommend taking its creation seriously. Using “qwerty12345” as your main password is like putting all your valuables in a safe and then leaving the key in the lock. To make the process easier and ensure you remember the password, here’s a tip on making it strong yet memorable:

Think of a favorite phrase, quote, or song lyric. Take one letter (not necessarily the first one!) or a combination of letters from each word in the phrase and insert special characters between them. Replace letters that resemble numbers or special characters with their respective symbols.

For example:

“May the Force be with you” — M@y!T!4!B!W!U

A good password isn’t necessarily one with many difficult-to-remember special characters, but one that is resistant to cracking. Test your newly created password using our Password Checker online service. If it confirms that your password is strong, you can use it as your Kaspersky Password Manager main password. And this is the only password you have to remember, since our password manager will generate, save, and automatically fill in all your other passwords on websites and apps.

If you prefer the old-school method of storing passwords in your head, use the combination you came up with as a base, and for each service and website add a mnemonic “extension” to it so that all your passwords are unique. We have a detailed guide on this technique. And guess what? Many services, including Kaspersky Password Manager, allow creating passwords using… emojis and emoticons.

Summary

Use reliable protection. This ensures that your passwords and other sensitive data are safe.
Create mnemonic passwords. This technique helps you create passwords that are both cryptographically strong and easy to remember.
Store passwords in a password manager. You create and remember a one-and-only cryptographically strong main password, and we protect all your valuable data with it.
Don’t reuse passwords across services and websites. A data leak from one service could expose your password to hackers, making it easier for them to compromise your other accounts. Unique passwords are the way to go, and here’s why.
Enable two-factor authentication (2FA) wherever possible. This adds an extra layer of security to your accounts: even if your password is compromised, an attacker still needs the one-time 2FA code, which makes unauthorized access much harder. You can even store 2FA tokens and generate one-time codes in Kaspersky Password Manager.

Kaspersky official blog – ​Read More

Global Transparency Initiative update, April 2024 | Kaspersky official blog

An evidence-based approach to assessing IT product security is a powerful tool for evaluating the trustworthiness of solutions. That is why, since 2018, we have continued to expand our Global Transparency Initiative (GTI) around the world. At the end of April we opened our twelfth Transparency Center, in Istanbul, Turkey, where our partners and customers, as well as cybersecurity regulators, can learn more about our solutions and review the source code of our on-premise products, software updates, and threat-detection rules. Additionally, visitors can check the results of independent audits of our products and access the list of software components, the Software Bill of Materials (SBOM).

Also, while opening a new Transparency Center we signed a Memorandum of Understanding (MoU) between Kaspersky and Boğaziçi University, a prominent public university in Istanbul. It was signed by Kaspersky CEO Eugene Kaspersky and Boğaziçi University Rector Prof. Dr. Mehmet Naci İnci, and its main aim is to establish a framework for mutual technological cooperation in future academic programs.

As a main part of the MoU, Kaspersky and Boğaziçi University will launch a Transparency Lab, which will focus on educating students on methodologies and techniques for evaluating the quality and trustworthiness of solutions within the supply chain in line with the company’s Cyber Capacity Building Program, which is one of the GTI pillars. The Transparency Lab will provide practical educational seminars, offered in both onsite and online format by Kaspersky.

2023 GTI Milestones

More than a year has passed since our previous Global Transparency Initiative update on Kaspersky Daily blog. So we decided to highlight GTI milestones of the year 2023 in this post.

Two new transparency centers – one in Africa and one in the Middle East

In 2023, we opened two new Transparency Centers. The first opened in Riyadh, capital of Saudi Arabia, and the second in Kigali, capital of Rwanda. Both became the first Transparency Centers in their regions (the Middle East and Africa respectively).

Proposing ethical principles for artificial intelligence development and use in cybersecurity

In order to apply AI in cybersecurity without negative consequences, we proposed that the industry adopt a set of AI ethical principles. In short, here they are:

Transparency (users have the right to know if a security provider uses AI systems, how these systems make decisions and for what purposes)
Safety (AI developers must prioritize resilience and security)
Human control (results and performance of machine learning systems should be constantly monitored by experts)
Privacy (developers must employ measures to uphold the rights of individuals to privacy)
Developed for cybersecurity (AI in information security must be used solely for defensive purposes)
Open for dialogue (the obstacles associated with the adoption and use of AI for security can be overcome only through cooperation of the cybersecurity industry).

Here you can learn more about our principles of ethical use of AI in cybersecurity.

Passing the SOC 2 Type 2 audit

In June 2023, we passed the Service Organization Control (SOC 2) Type 2 audit, which analyzed the company’s controls over a six-month period. The audit was carried out by a team of accountants from an independent service auditor. It concluded that Kaspersky’s internal controls for ensuring regular automated antivirus database updates are effective, and that the processes for developing and releasing antivirus databases are protected from tampering.

Releasing regular transparency reports

Every six months we release a report on the requests we have received from governments and law enforcement agencies. The latest report covers the second half of 2023. During this period there were 63 requests from governments and agencies based in five countries. More than one third of the requests were rejected due to an absence of data or because they didn’t meet legal verification requirements. We also shared a short report on requests from our users for removal of personal information, provision of stored information, and information about what data is stored and where.


To learn more about the Global Transparency Initiative or to request a visit to a Transparency Center, please check our new interactive website about the project, which showcases how the GTI has developed since its inception.

Kaspersky official blog – ​Read More

SubdoMailing campaign: hijacking domains for spamming | Kaspersky official blog

You’ve probably received more than a few spam or phishing emails from addresses belonging to seemingly reputable organizations. This may have left you wondering how attackers manage this feat, and perhaps even concerned if anyone out there sends malicious emails under your own company’s name.

The good news is that several technologies exist to combat emails sent on someone else’s behalf: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC). The not-so-good news is that attackers occasionally discover ways to bypass these safeguards. This post looks at one such technique that spammers use to send emails from the addresses of real organizations: domain hijacking.

SubdoMailing campaign and corporate domain hijacking

Researchers at Guardio Labs have uncovered a large-scale spam campaign that they’ve dubbed SubdoMailing. This campaign, ongoing since at least 2022, involves over 8000 domains and 13,000 subdomains previously owned by legitimate companies, along with nearly 22,000 unique IP addresses. The researchers estimate the average volume of spam at around five million emails daily.

The SubdoMailing operators are constantly on the lookout for suitable expired corporate domains, and once they find some they re-register them — typically capturing several dozen legitimate domains daily. The record stands at 72 hijacked domains in a single day — back in June 2023.

To avoid landing on blocklists, the attackers rotate domains constantly. Each domain is used for spam distribution for one or two days and then goes dormant for an extended period while the spammers switch to the next one, which is in turn retired after a couple of days in favor of another.

Hijacking domains with a custom CNAME

So, how exactly do threat actors go about exploiting hijacked domains? One method targets domains referenced by a canonical name (CNAME) record. A CNAME is a type of DNS record that makes one domain name an alias for another: any lookup of the alias, for any record type, is answered from the target name.

The simplest example of a CNAME record is the “www” subdomain, which usually redirects to the main domain, like this:

www.company.com → company.com

However, more complex scenarios exist where a CNAME record redirects a subdomain to a completely separate domain. For example, this could be a promotional website hosted on a different domain but integrated into the company’s overall web resource structure with a CNAME record.

promo.company.com → company2020promo.com

Large companies with extensive web resources may have many CNAME records pointing at many domains. The problem is that administrators cannot always keep track of them all. As a result, a situation can arise where the target domain has expired but the CNAME record pointing at it lives on. These are exactly the domains that the cybercriminals behind the SubdoMailing campaign are eager to harvest.

They hunt for abandoned domains that still have CNAME records from large companies pointing at them. Let’s take company2020promo.com from our example. Say the company abandoned this domain after a promotional campaign several years ago, but the administrators forgot to remove the CNAME record. Threat actors can then register the domain for themselves, and because every lookup of promo.company.com, including lookups for its TXT records, now resolves to a domain they control, they effectively gain control of the promo.company.com subdomain.

That done, they gain the ability to authorize mail servers located at IP addresses they own to send emails from the promo.company.com subdomain — effectively inheriting the reputation of the primary domain, company.com.

Exploiting SPF records

The second tactic employed by the SubdoMailing attackers involves exploiting SPF records. SPF (Sender Policy Framework) is an email authentication mechanism, not part of SMTP itself: a TXT record in a domain's DNS lists the IP addresses and other domains whose mail servers are authorized to send email on that domain's behalf, and receiving servers check the envelope sender against it.

Again, it's perfectly normal for large organizations to include a multitude of addresses and domains in this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for some specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the registration of such a domain has expired, but someone forgot to remove that domain from the SPF record.

Domains like these are also prized by threat actors. For our example company.com, let’s say the SPF record also includes some external domain like customersurveytool.com, belonging to a user-survey service.

Now, imagine this service no longer exists, the domain registration has expired, and the administrators forgot to update the SPF record. By registering the abandoned customersurveytool.com domain and publishing their own SPF record there, attackers gain the ability to send emails not just from a subdomain, but from the company's primary domain, company.com: the include: mechanism pulls their IP addresses into company.com's policy, so their messages pass SPF and, if the envelope sender is also set to company.com, DMARC's SPF alignment check as well.
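Both of the mistakes described above, a CNAME whose target domain has lapsed and an SPF record that trusts a lapsed domain, can be found with a routine audit of your own zone. The script below is an added example, not Kaspersky's or Guardio's code: it walks the CNAMEs of a list of names and the SPF record of a domain (following include: and redirect=) and flags any referenced domain whose apex no longer has NS records, which is the usual sign that the registration has expired. DNS answers come from a constructed in-memory table with the hypothetical names from the text so that it runs offline; for real use, replace fake_resolve with a resolver library and registrable_domain with a Public Suffix List lookup.

```python
"""Audit a zone for the dangling CNAME and SPF references that SubdoMailing abuses."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns the record data for (name, type), or None for NXDOMAIN.
Resolver = Callable[[str, str], Optional[List[str]]]

# Constructed answers with hypothetical names. company2020promo.com and
# customersurveytool.com have no records at all: their registrations lapsed.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("www.company.com", "CNAME"): ["company.com."],
    ("promo.company.com", "CNAME"): ["company2020promo.com."],
    ("company.com", "NS"): ["ns1.company.com."],
    ("company.com", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 mx include:customersurveytool.com "
        "include:_spf.mailvendor.example -all"
    ],
    ("mailvendor.example", "NS"): ["ns1.mailvendor.example."],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}


def fake_resolve(name: str, rtype: str) -> Optional[List[str]]:
    """Stand-in for a real DNS query (assumption: table above is the whole Internet)."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype))


def registrable_domain(name: str) -> str:
    """Simplification: the last two labels. Real code should use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_registered(name: str, resolve: Resolver) -> bool:
    """A registered domain has NS records at its apex; NXDOMAIN there means it is up for grabs."""
    return resolve(registrable_domain(name), "NS") is not None


# SPF terms that name another domain: optional qualifier, mechanism, ':' or '=', domain[/cidr].
SPF_DOMAIN_TERM = re.compile(r"^[+\-~?]?(include|redirect|a|mx|exists)[:=]([^/]+)", re.I)


def spf_referenced_domains(record: str) -> List[Tuple[str, str]]:
    """Return (mechanism, domain) pairs from one SPF record, skipping macro terms."""
    refs = []
    for term in record.split()[1:]:  # term 0 is "v=spf1"
        m = SPF_DOMAIN_TERM.match(term)
        if m and "%" not in m.group(2):
            refs.append((m.group(1).lower(), m.group(2).rstrip(".")))
    return refs


def audit_cnames(names: List[str], resolve: Resolver) -> List[str]:
    """Flag CNAMEs whose target lives in a domain nobody owns any more."""
    findings = []
    for name in names:
        for target in resolve(name, "CNAME") or []:
            if not is_registered(target, resolve):
                findings.append(f"CNAME {name} -> {target.rstrip('.')}: target domain is unregistered")
    return findings


def audit_spf(domain: str, resolve: Resolver, depth: int = 0, seen=None) -> List[str]:
    """Flag unregistered domains trusted by domain's SPF record, following include/redirect."""
    seen = set() if seen is None else seen
    if depth > 10 or domain in seen:  # RFC 7208 caps DNS-querying terms at 10; also breaks loops
        return []
    seen.add(domain)
    findings = []
    for txt in resolve(domain, "TXT") or []:
        if not txt.lower().startswith("v=spf1"):
            continue
        for mech, ref in spf_referenced_domains(txt):
            if not is_registered(ref, resolve):
                findings.append(f"SPF of {domain}: {mech}:{ref} trusts an unregistered domain")
            elif mech in ("include", "redirect"):
                findings.extend(audit_spf(ref, resolve, depth + 1, seen))
    return findings


if __name__ == "__main__":
    for line in audit_cnames(["www.company.com", "promo.company.com"], fake_resolve):
        print(line)
    for line in audit_spf("company.com", fake_resolve):
        print(line)
```

Run against the constructed table, it reports promo.company.com pointing at the unregistered company2020promo.com and company.com's SPF including the unregistered customersurveytool.com, while the still-registered mail vendor is followed and passes. A domain that has expired but is still inside its registrar's grace period may still answer NS queries, so run the audit regularly rather than once.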

Examples of domain hijacking in the SubdoMailing campaign

How such problems can arise can be illustrated by the case of msnmarthastewartsweeps.com. The Microsoft Network (MSN) portal once collaborated with celebrity chef Martha Stewart on a project promoting MSN Messenger (remember that?) through prize giveaways. The project’s website used the subdomain marthastewart.msn.com, which redirected to the external domain msnmarthastewartsweeps.com through a CNAME record.

Here's what marthastewart.msn.com looked like when it was live.

As you might guess, the msnmarthastewartsweeps.com domain registration eventually expired, but the MSN administrators failed to remove the corresponding CNAME record. In 2022, attackers discovered this domain, registered it, and gained the ability to send emails from marthastewart.msn.com, leveraging the reputation of none other than the Microsoft Network for their own purposes.

How to guard against SubdoMailing

To prevent domain hijacking and spamming in your company’s name, we recommend the following:

Implement SPF, DKIM, and DMARC.
Regularly inventory your company’s web resources, including domains.
Ensure timely renewal of active domain registrations.
Remove outdated DNS records.
Update SPF records by removing unused addresses and domains authorized to send emails on your company’s behalf.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 344 | Kaspersky official blog

Episode 344 of the Transatlantic Cable podcast kicks off with news that Grindr is being sued for sharing sensitive user data with third parties. From there the team talk about news from the U.K. which shows that a third of 5-to-7-year-old children already have their own mobile phones.

To wrap up, the team talk about news that Meta AI is now inserting itself into Facebook group chats, but it doesn’t always go to plan.

If you like what you heard please consider subscribing.

Grindr sued for allegedly revealing users’ HIV status
Ofcom: Almost a quarter of kids aged 5-7 have smartphones
Meta’s AI tells Facebook user it has disabled, gifted child in response to parent asking for advice

Kaspersky official blog – ​Read More

Kaspersky Thin Client 2.0 update | Kaspersky official blog

Many companies have long since moved from the traditional workstation model to the virtual desktop infrastructure (VDI). VDI provides a number of advantages — one being better cybersecurity (not least because work data doesn’t leave corporate servers; it always lives in a virtual machine). However, despite a popular misconception, VDI alone doesn’t mean guaranteed security. It always matters how secure the endpoint device is that connects to the virtual workplace.

By and large, there are two options for using VDI. The first is to employ traditional workstations; the second is to use thin clients. Common advantages of a thin client include the following:

no moving parts: they don’t have active cooling systems or mechanical hard drives, which significantly increases the service life of the thin client (up to 7-10 years);
low energy consumption, which leads to direct savings;
lower price and cost of ownership (even in comparison with desktops and laptops for office work);
ease of maintenance and operation.

However, from our point of view, this isn't the main advantage of using a thin client. Any workstation, be it a desktop PC or a laptop, must be provided with additional layers of protection, whereas a thin client can be secure as-is if its operating system is built on the secure-by-design principle. It's precisely such an operating system, Kaspersky Thin Client 2.0, that we propose to use in thin clients connected to virtual desktop infrastructure.

What is Kaspersky Thin Client, and what’s new in version 2.0?

Essentially, Kaspersky Thin Client 2.0 is an updated operating system for thin clients, created in accordance with our Cyber Immune approach; as such, it doesn’t require additional security measures. Kaspersky Thin Client is based on our KasperskyOS system, which minimizes the risk of its compromise even in the event of complex targeted attacks.

The updated Kaspersky Thin Client version 2.0 can connect to remote environments deployed on the Citrix Workspace platform and VMware Horizon infrastructure using HTML5 technology. Kaspersky Thin Client 2.0 also supports connection to individual business applications deployed on the Microsoft Remote Desktop Services infrastructure, Windows Server, and terminal servers running Windows 10/11.

Another key change in KTC 2.0 is the increase in performance. We managed to increase both the speed of application delivery and the speed of system updates (due to the compact size of the OS image). Now deployment time of thin clients under KTC 2.0 through automatic connection takes about two minutes.

You can learn more about the updated operating system for thin clients on the Kaspersky Thin Client page.

Kaspersky official blog – ​Read More

How to read encrypted messages from ChatGPT and other AI chatbots | Kaspersky official blog

Israeli researchers from Offensive AI Lab have published a paper describing a method for restoring the text of intercepted AI chatbot messages. Today we take a look at how this attack works, and how dangerous it is in reality.

What information can be extracted from intercepted AI chatbot messages?

Naturally, chatbots send messages in encrypted form. All the same, the way large language models (LLMs) and the chatbots built on them are implemented has a number of features that leak information despite the encryption. Combined, these features make it possible to carry out a side-channel attack in which the content of a message is reconstructed from fragments of leaked information.

To understand what happens during this attack, we need to dive a little into the details of LLM and chatbot mechanics. The first thing to know is that LLMs operate not on individual characters or words as such, but on tokens, which can be described as semantic units of text. The Tokenizer page on the OpenAI website offers a glimpse into the inner workings.

This example demonstrates how message tokenization works with the GPT-3.5 and GPT-4 models.

The second feature that facilitates this attack you'll already know about if you've interacted with AI chatbots yourself: they don't send responses in large chunks but gradually, almost as if a person were typing them. But unlike a person, LLMs write in tokens, not individual characters. As such, chatbots send generated tokens in real time, one after another, each in its own encrypted record; or, rather, most chatbots do. The exception is Google Gemini, which is therefore not exposed to this attack.

The third peculiarity is the following: at the time of publication of the paper, the majority of chatbots didn't use compression, encoding or padding (appending filler data to the meaningful text before encryption so that the ciphertext length no longer reveals the plaintext length) before encrypting a message.

Side-channel attacks exploit all three of these peculiarities. Although intercepted chatbot messages can't be decrypted, attackers can extract useful data from them: since each token travels in its own encrypted record, the size of each record reveals the length of the token inside. The result is similar to a Wheel of Fortune puzzle: you can't see what exactly is encrypted, but the length of each individual token is revealed.

While it's impossible to decrypt the message, the attackers can extract the length of the tokens sent by the chatbot; the resulting sequence is similar to a hidden phrase in the Wheel of Fortune show.
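The leak and the padding fix mentioned above can be reproduced without any real chatbot. The following is an added example, not code from the paper or from Kaspersky: a stand-in tokenizer splits a reply into word and punctuation pieces (keeping the leading space with the following token, as GPT-style BPE tokens usually do; real tokens are sometimes word fragments), each token is "sent" as one encrypted record whose size is the token's byte length plus a hypothetical fixed overhead for the record header and authentication tag, and an observer subtracts that overhead to recover the token lengths. Padding each token up to a fixed block size before encryption makes every record the same size. The vocabulary used for the guessing step is constructed for the example.

```python
"""Token-length side channel on a streamed chatbot reply, and the padding countermeasure."""
import re
from typing import List

RECORD_OVERHEAD = 22  # hypothetical fixed bytes of header + auth tag per encrypted record


def toy_tokenize(text: str) -> List[str]:
    """Stand-in tokenizer: a word or punctuation mark, with any leading whitespace attached."""
    return re.findall(r"\s*\w+|\s*[^\w\s]", text)


def stream_reply(text: str, pad_to: int = 0) -> List[int]:
    """Sizes of the encrypted records an on-path observer sees, one token per record.

    With pad_to > 0, each token's plaintext is padded up to a multiple of pad_to
    bytes before encryption, which is the mitigation the text refers to.
    """
    sizes = []
    for token in toy_tokenize(text):
        n = len(token.encode("utf-8"))
        if pad_to:
            n = -(-n // pad_to) * pad_to  # round up to the padding block
        sizes.append(n + RECORD_OVERHEAD)
    return sizes


def recover_token_lengths(sizes: List[int]) -> List[int]:
    """What the attacker learns: subtract the constant overhead from each record size."""
    return [s - RECORD_OVERHEAD for s in sizes]


def candidates(lengths: List[int], vocab: List[str]) -> List[List[str]]:
    """The Wheel of Fortune step: which vocabulary tokens fit each leaked length."""
    return [[w for w in vocab if len(w.encode("utf-8")) == n] for n in lengths]


# Constructed vocabulary, standing in for the language model the researchers use to guess.
VOCAB = ["You", " should", " see", " could", " try", " a", " doctor", " lawyer", "."]

if __name__ == "__main__":
    reply = "You should see a doctor."
    leaked = recover_token_lengths(stream_reply(reply))
    print("unpadded, token lengths leaked:", leaked)
    print("candidates per position:", candidates(leaked, VOCAB))
    print("padded to 16, observer sees:", recover_token_lengths(stream_reply(reply, pad_to=16)))
```

Note that padding hides the length of each token but not how many records were sent, so the token count still leaks unless several tokens are batched into one record; an implementation that wants to close the channel completely has to do both.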

Using extracted information to restore message text

All that remains is to guess what words are hiding behind the tokens. And you’ll never believe who’s good at guessing games: that’s right — LLMs. In fact, this is their primary purpose in life: to guess the right words in the given context. So, to restore the text of the original message from the resulting sequence of token lengths, the researchers turned to an LLM…

Two LLMs, to be precise, since the researchers observed that the opening exchanges in conversations with chatbots are almost always formulaic, and thus readily guessable by a model specially trained on an array of introductory messages generated by popular language models. Thus, the first model is used to restore the introductory messages and pass them to the second model, which handles the rest of the conversation.

General scheme of the attack.

This produces a text in which the token lengths correspond to those in the original message. But the specific words are guessed with varying degrees of success. Note that a perfect match between the restored message and the original is rare; usually part of the text is guessed wrong. Sometimes the result is satisfactory:

In this example, the text was restored quite close to the original.

But in an unsuccessful case, the reconstructed text may have little, or even nothing, in common with the original. For example, the result might be this:

Here the guesswork leaves much to be desired.

Or even this:

As Alice once said, "those are not the right words."

In total, the researchers examined over a dozen AI chatbots, and found most of them vulnerable to this attack — the exceptions being Google Gemini (née Bard) and GitHub Copilot (not to be confused with Microsoft Copilot).

At the time of publication of the paper, many chatbots were vulnerable to the attack.

Should I be worried?

It should be noted that this attack is retrospective. Suppose someone took the trouble to intercept and save your conversations with ChatGPT (not that easy, but possible), in which you revealed some awful secrets. In this case, using the above-described method, that someone would theoretically be able to read the messages.

Thankfully, the interceptor’s chances are not too high: as the researchers note, even the general topic of the conversation was determined only 55% of the time. As for successful reconstruction, the figure was a mere 29%. It’s worth mentioning that the researchers’ criteria for a fully successful reconstruction were satisfied, for example, by the following:

Example of a text reconstruction that the researchers considered fully successful.

How important such semantic nuances are — decide for yourself. Note, however, that this method will most likely not extract any actual specifics (names, numerical values, dates, addresses, contact details, other vital information) with any degree of reliability.

And the attack has one other limitation that the researchers don't discuss: the success of text restoration depends greatly on the language the intercepted messages are written in, because tokenization behaves very differently from language to language. This paper focused on English, for which tokens are very long and generally equivalent to an entire word. Hence, tokenized English text shows distinct patterns that make reconstruction relatively straightforward.

No other language comes close. Even for those languages in the Germanic and Romance groups, which are the most akin to English, the average token length is 1.5–2 times shorter; and for Russian, 2.5 times: a typical Russian token is only a couple of characters long, which will likely reduce the effectiveness of this attack down to zero.

At least two AI chatbot developers — Cloudflare and OpenAI — have already reacted to the paper by adding the padding method mentioned above, which was designed specifically with this type of threat in mind. Other AI chatbot developers are set to follow suit, and future communication with chatbots will, fingers crossed, be safeguarded against this attack.

Kaspersky official blog – ​Read More

Content filtering in KSMG 2.1 | Kaspersky official blog

When it comes to spam, we usually think of a bunch of completely irrelevant advertising emails, which antispam engines filter out with no trouble at all. However, this is far from the most unpleasant thing that can land in your mailbox. Sometimes spam is used to mount a denial-of-service attack (a mail bomb) on corporate email addresses, in which the victim is bombarded with completely legitimate emails that raise no suspicion in a standard antispam engine.

Registration confirmations attack

In order to perform a mail bomb attack, attackers can exploit the registration mechanisms on the web resources of totally unrelated companies. Using automation tools, they register on thousands of services from different countries using the victim's email address. As a result, a huge number of confirmations, account activation links, and similar emails end up in the victim's mailbox. Moreover, since they're sent by legitimate mail servers with a good reputation, the antispam engine considers them legitimate and doesn't block them.

Examples of registration confirmation emails used for DDoS attacks on corporate email addresses

As a target the attackers usually choose an address that's crucial for the company's work, something that's used to communicate with clients or partners; for example, the mailbox of the sales department or technical support, or a bank's address to which mortgage applications are sent. An attack can last for days, and the flood of emails simply overloads the victim's mail server and paralyzes the work of the attacked department.

To successfully protect a mailbox from such an attack, a more sophisticated tool is required. As one of the approaches to protection against mail bombs, we propose using the personalized content filtering module built into our updated Kaspersky Secure Mail Gateway. In particular, in the above example of an attack through registration mechanisms, the operator can quarantine emails based on the presence of the word "registration" in various languages in the Subject field (Registrace | Registracija | Registration | Registrierung | Regisztráció). As a result, such emails are automatically sent to quarantine without reaching the inbox and overloading the mail server.
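A subject-keyword rule like the one above has one practical pitfall: Subject headers with non-ASCII text, such as "Regisztráció megerősítése", arrive RFC 2047-encoded (=?utf-8?b?...?=), so a regular expression run over the raw header line never sees the word. The script below is an added example, not KSMG's code, showing the rule applied to constructed messages after the header has been decoded with Python's email package. The addresses and message bodies are made up.

```python
"""Subject-keyword quarantine rule for registration-confirmation mail bombs."""
import re
from email import message_from_string
from email.header import Header
from email.policy import default
from typing import List, Tuple

# Operator-supplied keyword list in several languages; \b keeps "registrar" from matching.
REGISTRATION_RE = re.compile(
    r"\b(Registrace|Registracija|Registration|Registrierung|Regisztráció)\b", re.IGNORECASE
)


def decoded_subject(raw_message: str) -> str:
    """Parse with the modern policy so RFC 2047 encoded-words are decoded to str."""
    msg = message_from_string(raw_message, policy=default)
    return str(msg["Subject"] or "")


def should_quarantine(raw_message: str) -> bool:
    return REGISTRATION_RE.search(decoded_subject(raw_message)) is not None


def filter_mailbox(raw_messages: List[str]) -> Tuple[List[str], List[str]]:
    """Split messages into (delivered subjects, quarantined subjects)."""
    delivered, quarantined = [], []
    for raw in raw_messages:
        (quarantined if should_quarantine(raw) else delivered).append(decoded_subject(raw))
    return delivered, quarantined


def sample_messages() -> List[str]:
    """Constructed messages. The Hungarian subject is encoded the way a real MTA sends it."""
    encoded_hu = Header("Regisztráció megerősítése", "utf-8").encode()
    return [
        "From: noreply@shop.example\nTo: sales@company.example\n"
        "Subject: Registration confirmation\n\nClick the link to activate your account.\n",
        "From: noreply@forum.example\nTo: sales@company.example\n"
        f"Subject: {encoded_hu}\n\nKattintson a linkre.\n",
        "From: buyer@partner.example\nTo: sales@company.example\n"
        "Subject: Quote for 2,000 units\n\nPlease send pricing.\n",
        "From: billing@registrar.example\nTo: sales@company.example\n"
        "Subject: Your domain registrar statement\n\nStatement attached.\n",
    ]


if __name__ == "__main__":
    delivered, quarantined = filter_mailbox(sample_messages())
    print("quarantined:", quarantined)
    print("delivered:", delivered)
```

The two confirmation emails go to quarantine, including the encoded Hungarian one, while the quote and the registrar statement are delivered. Word boundaries matter: without \b, "registrar" would match "Registra…" variants and legitimate mail would be lost.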

Personalized mail filter settings

In Kaspersky Secure Mail Gateway version 2.1 we’ve added the following options for filtering incoming and outgoing mail:

by letter size;
by attachment types and names;
by sender — you can specify a specific sender address or a regular expression;
by recipients (including hidden ones);
by the presence of certain text in the body of the letter (keywords and regular expressions can be added to the dictionary);
by the presence of text in the subject of the letter: by keywords, masks and regular expressions, optionally combined with specific senders;
by X-headers.

 

Flexible filtering of business mailings

The new capabilities of our solution can be used not only to protect against email bomb attacks. They can be used, for example, for flexible configuration of B2B mailout filtering. Not all employees perceive all kinds of business mailings in the same way: for some it makes sense to delve into offers to purchase electronic components; for others such advertisements just clog up their inboxes, while they consider various invitations to participate in conferences or conduct seminars extremely valuable.

Therefore, completely blocking legitimate business mailouts isn’t an option. But on the other hand, it’s also not worth allowing their uncontrolled delivery: someone will always be dissatisfied. Therefore, Kaspersky Secure Mail Gateway doesn’t categorize such letters as spam, but allows you to configure their flexible filtering by senders, recipients, text in the subject or body of the letter, and so on.

You can learn more about Kaspersky Secure Mail Gateway, part of Kaspersky Security for Mail Servers solution on our corporate website.

Kaspersky official blog – ​Read More