{"id":5282,"date":"2015-10-12T09:46:29","date_gmt":"2015-10-12T13:46:29","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=5282"},"modified":"2019-11-22T15:38:19","modified_gmt":"2019-11-22T10:08:19","slug":"security-week-41-research-censored-outlook-web-access-hacked-subscriber-data-lost","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/security-week-41-research-censored-outlook-web-access-hacked-subscriber-data-lost\/5282\/","title":{"rendered":"Security Week 41: research censored, Outlook Web Access hacked, subscriber data lost"},"content":{"rendered":"<div class=\"entry-content\">\n<div>\n<p>Today is a special corporate edition of our weekly news digest, which we will devote to ROI, EBITDA, TCO, IFRS, CRM, SLA, NDA, GAAP and the like. Just kidding \u2013 as always, we\u2019ll talk about the most important security news of the week. As it happens, this week\u2019s stories are all relevant to corporate security in one way or another. We\u2019ll cover companies being hacked, data being leaked and companies reacting to the incidents.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084929\/security-week-41-man-1024x720.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-10202 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084929\/security-week-41-man-1024x720.jpg\" alt=\"Where do things stand in terms of corporate security?\" width=\"1280\" height=\"900\"><\/a><\/p>\n<p>What is the difference between end-user security and corporate security? First, while users enjoy the luxury of relatively simple security solutions, corporate security is very complex \u2013 for several reasons, but mostly because of the complexity of corporate IT infrastructure. 
Second, in order to protect corporate infrastructure from threats, particular policies should be applied at all levels of the organization.<\/p>\n<p>Anyway, how are businesses performing in terms of security? To be honest, not that well. For example, Gartner <a href=\"http:\/\/www.networkworld.com\/article\/2989273\/security\/gartner-it-should-simplify-security-to-fight-inescapable-hackers.html\" target=\"_blank\" rel=\"noopener nofollow\">thinks<\/a> that in three years companies will spend 30% of their budget on security. Moreover, the old-school approach of role-based access, which used to be the cornerstone of corporate security, is hopelessly obsolete. Now 90% of effort is spent on preventing a breach of the perimeter and only 10% on detection and response.<\/p>\n<p><a href=\"https:\/\/twitter.com\/CiscoEnterprise\/status\/652566712383107072\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/twitter.com\/CiscoEnterprise\/status\/652566712383107072<\/a><\/p>\n<p>That means that once an intruder manages to infiltrate the infrastructure, he finds himself in a very comfortable environment, which frequently results in devastating consequences for the victim. So, Gartner\u2019s recommendation to change this ratio to 60\/40 makes sense. 
For instance, our <a href=\"https:\/\/www.kaspersky.com\/blog\/billion-dollar-apt-carbanak\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">report on Carbanak<\/a>, a notorious campaign against banks and financial organizations, showed that the criminals remained undetected in this \u201c10%\u201d zone for quite a while. The previous editions of Security Week can be found <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/security-week\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a>.<\/p>\n<h3>Outlook Web App as the entry point into corporate infrastructure<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/targeted-attack-exposes-owa-weakness\/114925\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. <a href=\"http:\/\/www.cybereason.com\/cybereason-labs-research-a-new-persistent-attack-methodology-targeting-microsoft-owa\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Research<\/a> by Cybereason. Microsoft\u2019s <a href=\"http:\/\/blogs.technet.com\/b\/exchange\/archive\/2015\/10\/07\/no-new-security-vulnerability-in-outlook-web-access-owa.aspx\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">feedback<\/a>.<\/p>\n<p>If one hacks one of many corporate PCs, bugs the compromised machine and drains the data, what would the hacker gain? If it is a regular employee\u2019s laptop, the culprit would be able to steal some work-relevant data and, possibly, other information from the file servers this employee had access to.<\/p>\n<p>But the campaign would be much more \u2018efficient\u2019 if the surveillance tool were installed on the computer of a boss or an admin, who typically enjoys higher privileges. Unauthorized access to a mail server would compromise an enormous amount of data sent by email. 
A report prepared by Cybereason proves that mail is not the limit.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Targeted attack exposes Outlook Web Access weakness: <a href=\"https:\/\/t.co\/5rshOVB5iB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/5rshOVB5iB<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/651694464801464320?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 7, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>As usually happens, the cause was not a vulnerability in Outlook Web App (a.k.a. Web Access, Exchange Web Connect and Outlook on the web \u2013 Microsoft has changed this program\u2019s name four times in 20 years). The attackers stole (likely by phishing) an admin\u2019s login credentials and injected a malicious (unsigned!) DLL, thus getting access to both mail AND Active Directory. The hackers were then able to send any email on behalf of any employee. Another implant was found in the IIS server, monitoring connections to webmail. The research showed that the culprits constantly kept an eye on who logged in to mail, when, and from where. Researchers pointed out to Microsoft that an unsigned binary could be easily executed on the Outlook Web Access server, but Microsoft claimed that, if <em>properly<\/em>\u00a0configured, the system would not allow this to happen.<\/p>\n<p>Whatever that means, it\u2019s secondary. 
In a nutshell, here\u2019s what we have to date:<\/p>\n<p>\u2014 A service that accesses both the Internet and the intranet by design.<\/p>\n<p>\u2014 Lax security on the IT specialist\u2019s side (login and password were stolen from him, and not from an ordinary employee).<\/p>\n<p>\u2014 Flawed server configuration, which allowed a hassle-free installation of a backdoor.<\/p>\n<p>\u2014 Inability to detect the breach for a long time.<\/p>\n<p>The bottom line is a bunch of problems that should be solved separately. Curiously, data integrity in Active Directory is quite ok, and this service is heavily protected (although there are some <a href=\"https:\/\/threatpost.com\/skeleton-key-malware-opens-door-to-espionage\/110433\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">examples<\/a> of this attack vector being used). However, there is a probability of a less obvious compromise method through the weakest link.<\/p>\n<h3>Fifteen million T-Mobile subscribers\u2019 data stolen via hack of a supplier<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/experian-breach-spills-data-on-15-million-t-mobile-customers\/114901\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. <a href=\"http:\/\/www.experian.com\/data-breach\/t-mobilefacts.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Disclosure<\/a> by Experian, the victim of the attack. T-Mobile\u2019s <a href=\"http:\/\/www.t-mobile.com\/landing\/experian-data-breach\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">official statement<\/a>.<\/p>\n<p>Allow me to make a short introduction. In the US the majority of mobile subscribers sign a long-term contract with a mobile carrier, which includes both voice\/data plans and a device (mobile phone, smartphone, or tablet). 
It seems a very convenient option: you get a new device for little or no money, yet, on the other hand, you cannot switch to another carrier until your current contract expires.<\/p>\n<p>This approach presupposes that your credibility as a payer would be checked by the carrier \u2013 just as it\u2019s done with bank loans. In order to invoke this process, a carrier would send an enquiry to a local credit bureau. In the story with the T-Mobile leak this local credit bureau was Experian, and it was hacked.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/ICYMI?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ICYMI<\/a> <a href=\"https:\/\/twitter.com\/Experian?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Experian<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Breach?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Breach<\/a> Spills Data on 15 Million <a href=\"https:\/\/twitter.com\/TMobile?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@TMobile<\/a> Customers <a href=\"https:\/\/t.co\/dx0liAZMfy\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/dx0liAZMfy<\/a> <a href=\"http:\/\/t.co\/Ii2Dh06MzP\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/Ii2Dh06MzP<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/649945372824047616?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 2, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to the disclosure, the unauthorized access was \u2018an isolated incident over a limited period of time\u2019, yet it resulted in the alleged leak of data on 15 million T-Mobile subscribers over a 2-year period. 
To do them justice, both companies handled the disclosure in a very open and adequate manner. Both posted an accurate and detailed description of the breach on their websites. All victims whose data was compromised were offered a free credit monitoring service. This case shows significant progress in terms of post-breach processes compared with, say, the Target debacle, when the retailer, which suffered a <a href=\"https:\/\/threatpost.com\/report-target-hackers-used-default-vendor-credentials-justice-dept-investigating\/103968\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">leak of 40 million payment card credentials<\/a>, confined itself to a short we-fixed-the-issue <a href=\"http:\/\/pressroom.target.com\/news\/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">statement<\/a>.<\/p>\n<p>In the case of T-Mobile, credit card data remained intact, yet other personal data, including names, addresses, driver\u2019s license numbers, etc., was compromised. T-Mobile\u2019s CEO assured that the data was \u2018partially\u2019 encrypted \u2013 meaning, not very well encrypted.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084926\/security-week-41-haha-1024x544.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10204 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084926\/security-week-41-haha-1024x544.jpg\" alt=\"When we hear about absolute security\" width=\"1280\" height=\"680\"><\/a><\/p>\n<p>This story bears directly on the issue of privacy. Credit bureaus have to know an awful lot about their clients, and they get this data from everywhere. Moreover, they sell the acquired data to other companies for a big buck, and their buyers are not always prominent and respectable global companies. 
It\u2019s not the first time Experian has messed around with customer data.<\/p>\n<p>There was an incident which was not at all the result of a breach: once a Vietnamese guy, posing as a Singapore-based private investigator, legally <a href=\"https:\/\/threatpost.com\/200-million-consumer-records-compromised-in-experian-id-theft-case\/104693\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">paid for Experian\u2019s services and sold<\/a> the personal data of 200 million Americans to a number of cybercriminal groups specializing in identity theft.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">ICYMI: 200 Million Consumer Records Compromised in Experian ID Theft Case \u2013 <a href=\"http:\/\/t.co\/WSHMHLfBFT\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/WSHMHLfBFT<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/443353048707252224?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 11, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This is horrifying. For instance, in order to change a forgotten password to an Amazon account, one has to state a postal address, date of birth, or social security number \u2013 and all of this is held by companies like Experian. One more thing: the data is most vulnerable in transit from one company to another \u2013 just because their security policies and solutions may vary.<\/p>\n<h3>Surveillance camera vendor blocks vulnerability disclosure, threatens to sue researcher<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/canceled-talk-re-ignites-controversy-over-legitimate-security-research\/114932\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">News<\/a>. 
<a href=\"http:\/\/gsec.hitb.org\/sg2015\/sessions\/session-004\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Key takeaways<\/a> from the research.<\/p>\n<p>Gianni Gnesa, a researcher from the Swiss company Ptrace Security, prepared a report for the HITB GSEC conference in Singapore, in which he was planning to cover some aspects of surveillance camera vulnerabilities. However, this never happened. His research included examples of vulnerabilities in several models of IP cameras by three vendors (now we will never know which ones).<\/p>\n<p>No one could have guessed how the situation would evolve: Gianni sent bug reports to the vendors, corresponded routinely with their security teams, and then announced his intention to present the vulnerabilities at a conference and sought approval of his research. Then the IT guys suddenly disappeared and were replaced by corporate lawyers who suggested that Gianni not go public with his research, or there would be consequences.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084924\/security-week-41-cat.gif\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-10205 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084924\/security-week-41-cat.gif\" alt=\"bad behaviour\" width=\"372\" height=\"332\"><\/a><\/p>\n<p>Sadly, this is not the first time it has happened, and it will not be the last. The reason is simple: the difference between a black hat and a white hat is obvious in terms of common sense (the latter \u2018does no harm\u2019) but not so from the legal point of view. 
One great example is the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Wassenaar_Arrangement\" target=\"_blank\" rel=\"noopener nofollow\">Wassenaar Arrangement<\/a> \u2013 an international export control regime for dual-use goods and technologies.<\/p>\n<p>In December 2013, the European Parliament added intrusion software to this list. The idea of \u2018hacking for the greater good\u2019 is dualistic, per se, but in this case regulators at least considered that the developers of such software (like the <a href=\"https:\/\/threatpost.com\/hackers-release-hacking-team-internal-documents-after-breach\/113612\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">notorious Hacking Team<\/a>) are more discriminating when choosing their customers.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Talk revealing p0wnable surveillance cams pulled after legal threat <a href=\"http:\/\/t.co\/HyWDGmXLE8\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/HyWDGmXLE8<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/0day?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#0day<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/IoT?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#IoT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/HITBGSEC?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#HITBGSEC<\/a> @GianniGnesa <a href=\"https:\/\/twitter.com\/darrenpauli?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@darrenpauli<\/a><\/p>\n<p>\u2014 Ptrace Security GmbH (@ptracesecurity) <a href=\"https:\/\/twitter.com\/ptracesecurity\/status\/652062706267222016?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 8, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>However, the Wassenaar rules define practically 
anything as \u2018intrusion software\u2019. This would not create significant obstacles for the bad guys, yet it will make the good guys\u2019 lives much harder \u2013 for instance, pentesters\u2019 work would be seriously undermined by the new regulation. As a result, HP was forced to decline participation in the PWN2OWN hackathon in Japan, as the fact of HP researchers presenting overseas might be considered a case of \u2018export of dual-use goods and technologies\u2019. Too bad. If it\u2019s hard with corporations, in terms of legislation it\u2019s even worse. The motivation behind the vendors\u2019 restrictions on disclosure is quite understandable: if you have a way to get rid of a problem like that, why not leverage this opportunity? But how would it impact the security of products?<\/p>\n<p><a href=\"https:\/\/twitter.com\/GianniGnesa\/status\/650665942112968704\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/twitter.com\/GianniGnesa\/status\/650665942112968704<\/a><\/p>\n<p>I wouldn\u2019t say the \u2018disclose all\u2019 approach is any better than the \u2018restrict all\u2019 approach: in some cases, irresponsible disclosure of critical hardware or software vulnerabilities would backfire on users. The optimum is, again, somewhere in between those extremes.<\/p>\n<h3>What else happened:<\/h3>\n<p>It\u2019s all very, <a href=\"http:\/\/www.theregister.co.uk\/2015\/10\/05\/nuclear_plants_cyber_denial_man_in_the_middle\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">very<\/a> bad \u2013 with cybersecurity at nuclear energy facilities. Check out the relevant <a href=\"https:\/\/eugene.kaspersky.com\/2015\/10\/12\/cyber-news-vulnerable-atomic-power-stations-and-cyber-sabre-control\/\" target=\"_blank\" rel=\"noopener noreferrer\">post in Eugene Kaspersky\u2019s blog<\/a>. The key takeaway here is as follows: if you think there is an air gap between your critical infrastructure and the Internet, think again. 
Maybe you are wrong.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Cyber-saber rattling: bad; vulnerable nuclear power stations: v. bad. But there\u2019s hope: <a href=\"https:\/\/t.co\/owbzGS0eMo\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/owbzGS0eMo<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/653509752958373889?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 12, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Gartner continues <a href=\"http:\/\/www.networkworld.com\/article\/2989203\/careers\/gartner-top-10-strategic-predictions-that-could-shake-up-it.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">to foretell the future<\/a>. Check this out: by 2018, we\u2019ll have to create machines to manage machines, as managing all IoT (Internet of things) devices manually would become impossible (I could not possibly object, having spent half of my weekend on attempts to manage just four Raspberry Pis).<\/p>\n<\/div>\n<div>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Gartner's top 10 strategic technology trends for next year: <a href=\"http:\/\/t.co\/FcDqdWz2eA\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/FcDqdWz2eA<\/a> <a href=\"http:\/\/t.co\/S3xKrnAiw9\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/S3xKrnAiw9<\/a><\/p>\n<p>\u2014 Forbes Tech (@ForbesTech) <a href=\"https:\/\/twitter.com\/ForbesTech\/status\/651638084426203136?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 7, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Moreover, people might work with robo-bosses, and fitness trackers would be 
used not for fitness but for controlling your daily activities. Brave New World! Well, this awaits you provided you keep your job, as the fastest-growing companies would employ three times more robots than people in just three years. Drones <a href=\"http:\/\/www.securityweek.com\/design-flaws-expose-drones-hacker-attacks-researcher\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">can be hacked<\/a> (who would disagree with this). Traditionally, each new breed of devices is susceptible to all kinds of security \u2018teething problems\u2019, just as small kids are susceptible to chickenpox. In this case, drones employ insecure connectivity protocols, which do not employ any kind of authorization.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/S0GBeOnxA4M?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p><span class=\"embed-youtube\">\u00a0<\/span><\/p>\n<h3>Oldies:<\/h3>\n<p>The Hymn family<\/p>\n<p>A family of resident viruses. Usually, they infect COM and EXE files when these are run, closed, renamed, or have their attributes changed. If the number of the current month matches the day (as on January 1 (01.01) or February 2 (02.02)), the viruses destroy part of the system information in the boot sector of disk C. 
Then they decrypt and display an image:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084923\/security-week-41-hymn-1024x614.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-10206 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05084923\/security-week-41-hymn-1024x614.jpg\" alt=\"Hymn virus in action\" width=\"1500\" height=\"900\"><\/a><\/p>\n<p>Then they play the USSR national anthem, at the same time nulling the bytes in the boot sector that contain the number of bytes per sector, the number of sectors per cluster, the number of FAT copies, etc. (9 bytes in total). Once these changes are applied to the boot sector of an MS-DOS computer, it will not boot, either from the HDD or from a floppy drive. To restore the information, one should program their own mini-launcher or use special utilities. Hymn-1962 and Hymn-2144 also encrypt their body.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05090921\/infosec-digest-32-book1.jpg\"><img decoding=\"async\" class=\"alignright wp-image-8649\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2015\/10\/05090921\/infosec-digest-32-book1-800x1024.jpg\" alt='\"Computer viruses in MS-DOS'><\/a><\/p>\n<p><em>\u201cComputer viruses in MS-DOS\u201d by Eugene Kaspersky, 1992. Page 36.<\/em><\/p>\n<p><em>Disclaimer: this column reflects only the personal opinion of the author. It may coincide with Kaspersky Lab position, or it may not. Depends on luck.<\/em><\/p>\n<\/div>\n<\/div>\n<div class=\"social-likes__widget social-likes__widget_facebook\" title=\"Share link on Facebook\"><span class=\"social-likes__counter social-likes__counter_facebook\">\u00a0<\/span><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Today is a special corporate edition of our weekly news digest, which we will devote to ROI, EBITDA, TCO, IFRS, CRM, SLA, NDA, GAAP and the like. 
Just kidding \u2013 as<\/p>\n","protected":false},"author":53,"featured_media":5284,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1261,850,1159,1173,38,1262,884,1185,1263,342],"class_list":{"0":"post-5282","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-breaches","9":"tag-bugs","10":"tag-digest","11":"tag-leaks","12":"tag-microsoft","13":"tag-outlook","14":"tag-private-data","15":"tag-security-week","16":"tag-t-mobile","17":"tag-webcams"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/security-week-41-research-censored-outlook-web-access-hacked-subscriber-data-lost\/5282\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/security-week-41-research-censored-outlook-web-access-hacked-subscriber-data-lost\/3577\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/breaches\/","name":"breaches"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=5282"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5282\/revisions"}],"predecessor-version":[{"id":17756,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/5282\/revisions\/17756"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/5284"}],"wp:attachment":[{"href":"https:\/\/www.kasp
ersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=5282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=5282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=5282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}