Kaspersky Lab was busy this October bringing you breaking security news stories, and other relevant reads. From infected ATMs and Android 5.0\u2019s new crypto system, to cyber-mercenaries and cryptoware protection, we covered it all. If you missed any of our October posts, fear not! This quick summation of our most popular posts will get you up to speed!<\/p>\n
Read highlights from our top #security news posts in October.<\/p>Tweet<\/a><\/blockquote>\n
Android 5.0 Data Better Protected with New Crypto System<\/a><\/strong><\/p>\n
Law enforcement agencies are not exactly happy with Google and Apple these days. User content, stored in the latest iterations of the iOS and Android operating systems, is encrypted in such a way that neither company has the capacity to decrypt the locally stored information. This means that even with a warrant, they\u2019ll have no sure-fire way of compelling users to decrypt locally stored data. However,\u00a0privacy and security advocates are heralding the new disk-encryption schemes<\/a>, which seem to equip consumers with real mobile data-security. Some will see these moves as reckless; others will see them as obvious reactions to an environment where it\u2019s become entirely too easy for the government to collect prosecutorial information with little to no oversight. Google is now touting their new by-default encryption that is part of the new Android Lollipop, also known simply as \u201cAndroid 5.0\u2033 or \u201cAndroid L.\u201d In this new system the password or PIN plus some built-in, possibly hardware-based credential, will derive the decryption key. Thus, brute-forcing a password may still be possible, but it won\u2019t decrypt encrypted disk space.<\/p>\n
In other words, the most popular mobile operating system in the world finally becomes more secure.\u00a0<\/strong><\/p>\n
How to Remember Strong, Unique Passwords<\/a><\/strong><\/p>\n
How is it 2014 and we\u2019re still stuck memorizing ever-longer\u00a0lists of passwords<\/a>\u00a0like it\u2019s 1999? \u00a0If we\u2019re going to rely on an ancient authenticator for future technology, then we might as well come up with a solid way to remember our passwords. This is exactly what our friends at\u00a0Carnegie Mellon<\/a>\u00a0University\u2019s computer science department have done. Unfortunately, it turns out that remembering long lists of complicated\u00a0passwords<\/a>\u00a0requires us to do something that no one likes: study. In this study, participants were prompted with a scene and person pair, and were made to perform a rehearsal routine to recall the action and the object at a set number of spaced intervals over a period of 100 or so days. To learn the results that shocked researchers, read the rest of the article! Ultimately, we learned that it\u2019s easier to remember fewer passwords. Which is probably why nearly everyone uses the same password across multiple accounts, despite knowing that password sharing is a bad idea. But there is also good news \u2014you can improve your passwords using the relatively easy mnemonic technique described here.<\/p>\n
Legal malware and cyber-mercenaries<\/a><\/strong><\/p>\n
Think about this: the more we entrust our everyday routines to computers, the more attractive they become for those that love digging into others\u2019 secrets\u2014bad guys and good guys alike; hacking and espionage are hardly crimes for the secret service, but instead are a part of their everyday work. A key trend in today\u2019s world of cybercriminal business is the legalization of cybercrime, which is positioned differently in the infosec market. Kaspersky Lab\u2019s experience proves that privately developed legal malware could potentially end up not only in the \u2018good\u2019 hands of secret service, but also in the hands of very pragmatic third parties. \u00a0So is it dangerous? Significantly. Malware like this is created for those with a very generous budget. It is at a very advanced level that has nothing to do with teenage misbehaviors or petty criminals trying to steal a hundred bucks from your credit card. The developers of legal malware use a great deal of advanced technologies in their products that can fool a virus analyst and prevent him from looking under the hood. Despite all this, practices do prove that such technologies do have their limitations: there is no magic allowing one to break stealthily into any system but, rather, it is a sample of a usual malware.\u00a0<\/strong><\/p>\n
Infected ATMs gave away millions of dollars<\/strong><\/a><\/p>\n
Hackers don\u2019t take money out of the ATM like you and me: they don\u2019t need cards, PIN codes or bank accounts to get money. In reality, all they need is an ATM with some cash in it and a special piece of software. At the request of a financial institution, our colleagues from the Global Research and Analysis Team (GReAT) performed a forensic investigation into a cyber-criminal attack that targeted multiple ATMs in Eastern Europe. They discovered that by using a trojan called Tyupkin, hackers can withdraw an unlimited amount of banknotes simply by entering a special code into the pin pad. Tyupkin infects the PC inside of an ATM and forces it to dispense banknotes when prompted by the special code. Criminals were somehow able to physically access the ATMs so that they could install the malware. The Trojan had a number of advanced abilities making an attackers job quite simple.\u00a0 Thankfully, right now hackers can only infect certain ATM models, but the variety of hackable ATMs will grow unless banks and ATM manufacturers increase the physical, and software, protections of these machines.\u00a0<\/strong><\/p>\n
Prioritizing the Protection of Primary Webmail Accounts<\/a><\/strong><\/p>\n
Think about this: whenever you set up nearly any online account, you\u2019re prompted to enter a primary webmail account. This primary email account also acts as the place where you can recover online accounts if they become hijacked or if you forget your password. In this way, your primary email account is more sensitive than your PayPal or your banking account, because if the email account is compromised, so too are the financial accounts! A criminal in control of your webmail account can gather some serious intel about what other accounts you use online, and compromise those as well. This is why we constantly and relentlessly remind you to use strong passwords and\u00a0enable two-factor authentication<\/a>\u00a0and all other available security controls for accounts of importance. As if that wasn\u2019t bad enough, your hacked accounts affect the lives of all of your contacts. When and if your account is hacked, attackers will use it as a tool to attack the accounts of your friends, family and digital acquaintances. Thankfully, a strong antivirus solution<\/a>\u00a0will protect you against email-borne attacks containing malware. Kaspersky security products also contain anti-phishing technologies that will detect\u00a0phishing websites<\/a>\u00a0and warn you about them. Long story short: you need to start handling that primary email address in the same way you handle your online banking account, or perhaps\u00a0even more carefully since it is your most\u00a0precious online account.\u00a0<\/strong><\/p>\n