Monthly Archives: February 2012

Halt! Who Goes There? Or Remedy #3.

Security people, sysadmins and, generally, all those who by virtue of their employment take loving care of corporate networks – all these people have plenty of headaches. Indeed, a veritable cornucopia of headaches. And, of course, the main source of trouble is… you guessed it, users. Tens, hundreds, even thousands of users (depending on your good fortune) who have problems 24/7. As for us, we try to help these ‘frontline soldiers’ get to grips with their headaches, using the full extent of our resources in our field of competence. Below, we discuss one very helpful remedy that fits this combat strategy to perfection.

There are, in fact, three separate remedies. But they all tackle one problem – keeping users under control. And there are helpful side effects – enforcing a centralized IT security policy, fool-proofing, and automating the ‘donkey work’. That’s right, I’m talking of three new features included in the new version of our corporate solution, Endpoint Security 8: application control, device control and web control. This post is about application control (or simply AC without the DC).

Most of the time it’s a struggle to keep computers clean. Users are given to downloading questionable “cool warez”, installing them, trying them out and forgetting all about them. As a result, in half a year the computer normally turns into an unmanageable software zoo, becoming unbelievably error-prone and slow. And, of course, the abovementioned “cool warez” can easily be virus-ridden, pirated, or at best counterproductive.

There are different ways of getting out of this predicament. Some companies wag their finger at users and strictly forbid them to install software on their computers (without actually enforcing a ban). Others simply make installing software impossible in one way or another. AC is, in fact, an elegant compromise between the two.

Read more: So how does it work and who’s the best?

Features You’d Normally Never Hear About – Part Four.

Hi all,

Once again, the subject is spam.

Depending on the “stars” and the time of year, the proportion of spam can range from anywhere between 70 and 90% of all email traffic.

Sounds like a lot, eh? But when you take all Internet traffic into consideration, it’s not actually that much – email traffic accounts for around just 1%. On the other hand, you can’t just forget about spam. Here is a bit more about spam’s role in the cybercrime ecosystem. Combating this particular evil is part of the massive war we are waging on cybercriminals. It’s no exaggeration to say that if we fail on this front, the rest of our efforts will amount to nothing.

In other words, we love anti-spam technologies and promote them as much as possible. There is, however, a subtle difference from anti-malware technologies. More precisely, there are different criteria for evaluating the quality of protection for anti-spam and anti-malware technologies. For malware it’s fairly easy: the higher the detection level, the better. For spam it’s more important to have no false positives. This is quite reasonable: it’s much better for the user to take a couple of seconds to delete a spam message that sneaks through the filter than miss important business correspondence. So, protection against spam is, in a way, a more complicated task, literally trying to kill two birds with one stone. In this difficult task, cloud technologies are a great help.

As I wrote earlier, we’ve been using cloud technologies for a while, and with considerable success. But one interesting detail has amazingly been overlooked, and unfairly so. In the cloud-based Kaspersky Security Network (KSN), (video, details) there’s a rather impressive anti-spam cloud. It started from the Urgent Detection System (UDS). The link to similar anti-malware technology is no coincidence: both are based on similar principles.

This is how the traditional anti-spam technology works.

Let’s say an email arrives at a computer. It is immediately assailed by various anti-spam technologies, both local and cloud-based, which test the message and give verdicts. Based on these, the system decides whether this message lives or dies.

And this is what happens in the UDS.

The system takes a micro-signature from the email message and sends it to the cloud to check it against a dedicated spam database. Earlier we used 16-byte hashes; in 2011 we started the UDS2 (UDS 2nd generation) procedure involving 4-byte fuzzy hashes, which are more effective against obfuscated texts and are therefore better at filtering out spam. Importantly, these hashes do not create extra work for the analyst, since the system creates them automatically based on collected spam samples.

Read more: Serious ambitions for the elite 100/0 club …

Woodpecker Summit 2012.

The main occasion of our recent series of events in Cancun was the Security Analyst Summit (SAS) – the supreme congress of KL’s most distinguished virus analysts (woodpeckers; why woodpeckers? – see the full story here) and invited external security experts, who come together to boast about their achievements; exchange ideas, opinions and experiences; and, of course, do some informal networking.

Security Analyst Summit

The idea of the woodpecker summit goes back years. Its inception came in 1997 in Prague. We decided to reject the status quo – the usual boring model of what a summit should be about – and rethink the whole idea from scratch. What we came up with was a mostly informal get-together in comfortable surroundings in a distant, original location to discuss our technological breakthroughs. And one such breakthrough happens to have been the basic blueprint of our antivirus engine – named after the Czech capital where it was ‘born’. Clearly something was working with the summit format.

There followed rather a long break, but then in the early 2000s the tradition was kick-started again and these micro-conferences (in which only our employees took part at first) started being held sometimes several times a year. Since then there’ve been 15 of them.

Then in 2009 this tradition was updated and expanded – to version 2.0: transformed into much bigger, non-KL-exclusive, annual “woodpecker summits” in warm climes and with a serious intention to make the summits the main yearly event of the industry. Our latest – the fourth – was in the sunny Mexican resort of Cancun – coming across, I think, as a serious pronouncement of our present status. We had some 100+ attendees from 14 countries, great presentations and plenty of awesome team building. More details are in the guest post below from our Senior Virus Analyst, Yury Namestnikov:

Read more: SAS 2012 unleashed …

A Break Well Deserved – Mayan Style.

With three events (Security Analyst Summit, international press tour, and IT-security industry analysts’ conference) in Cancun over and done with (which completed the last leg of more than three weeks on the road at conferences, etc., etc., etc. all around the world), and the very last guests all having left, a little nostalgia was already setting in for the great times we had in the place… everything was just so very positive, interesting and fun – especially the evenings; extra-specially the Mexican Yucatan nights – yee-ha!

So let me tell you a little about the three ‘best bits’ – what you really must see in Yucatan if you ever get the chance to visit the place.

First – Chichen Itza (the Mayan pyramids); second – Cenote Ik-Kil (for swimming); and third – Rio Secreto (underground caves); not necessarily in that order. All must-visits!

A few pieces of advice: in Rio Secreto it’s better to leave your camera outside the cave – otherwise it’ll just get ruined down there from being submerged in water. But not to worry – every group of visitors to the caves is accompanied by a photographer who knows exactly how to keep his camera dry above water level. There are three different routes in Rio Secreto – all taking approximately 90 minutes to complete – at first by foot, then up to one’s knees in water, then swimming, then… just anyway, anyhow, as best you can :)

Indeed, a massive ‘big up’ to Rio Secreto . And I recommend buying one of the CDs with photos at the exit – the CDs contain great pics of both underground and surface scenes, plus ones of all the wildlife to be found in the caves.

For Chichen Itza you need to take camera equipment, bathing suit, plus towel – that’s about all you need for a great day’s chillage there.

It goes without saying that all the touristy spots are lined with densely packed stalls hawking the inevitable mass consumption tat. “Onnly van dullaar, senyor!”

The pics below show where the Mayas played their ancient version of basketball. Legend has it that one of the teams in the final after the game would be sacrificed for the gods. Which team wound up dead after the match – the winning or losing one – is not known: scholarly opinion is divided on this.

Swimming in Cenote Ik-Kil is one of the most magical swims in the world! The purest water, at the perfect temperature, at the bottom of a kind of deep sinkhole with long dangling plants hanging from high above. I really recommend it. One problem though is that it’s tricky taking good photos there – it’s quite dark below and very light above L.

That’s all folks! And now, for several days I’m going to be in full offline regime, somewhere here:

View from the plane

The rest of the photos are here.

 

The Black Box.

Filtering out spam may not seem such a big deal – after all, even a kid knows the difference between a Viagra advert and a normal message! In the security world things are much more complicated as we have to create something akin to artificial intelligence that is capable of doing the job automatically, on the fly.

That’s no easy task and entails all sorts of demands in terms of efficiency, reliability, compatibility and so on. And you no doubt know where things stand with AI – there are plenty who claim to have got it figured, but there’s nothing really to show for it (or if there is, they’re doing a good job of keeping it a secret).

Anti-spam security is no easier a task than anti-malware protection. And may even be more difficult (or maybe I just understand more about viruses…). The spam industry is a multi-billion dollar business and tens of thousands of skilled bloodsuckers are behind the huge variety of junk that is sent out. And these parasites show great ingenuity when it comes to linguistics and other stuff to make spam reach your inbox.

On the face of it, a spammer’s work looks fairly easy – write a spam message, test it against several of the most popular anti-spam filters and spawn via a botnet.  But few customers realize that a spam message’s lifecycle is just half an hour to an hour long. 90% of a mass mailing will never reach its intended recipients – spam filters, activated with an update or triggered by statistics, will intercept it.

And it’s that black box – the thing that withstands the worst things that email traffic throws at it and keeps your inbox clean – that I want to discuss here.

First of all, a bit of background. Since 2002 our anti-spam solution (KAS) has got through four generations of engine and we’re now developing a fifth. A single blog post would hardly suffice to recount everything. Basically, KAS has acquired lots of bits and bobs over the last 10 years. It boasts over 10 methods of spam analysis alone. That’s why I’ll start with our new ‘Möbius‘ technology – just in time for its debut in the latest version of KAS for Exchange Server.

Kaspersky Security 8.0 for Microsoft Exchange Servers

Read more: Anti-spam bottleneck and how we solved it …

The Red Snowmobile.

I give you the new model of the Red Snowmobile!

Italy (and most of Europe) is buried under snow and frozen solid. It meant that the brand new Ferrari F1 car was unveiled online this year – the guests just couldn’t get there, myself included. I’m enjoying the photos of a severe Italian winter from the airport in Cancún.

// you can come up with your own captions :)

Cars and the climate collide….

And here’s a video of the presentation:

You can find out more about our partnership with Scuderia Ferrari at a dedicated webpage or follow the updates on Facebook and Twitter.

The Big Euro Freeze & The Munich Security Conference.

A big hello from Munich!

More news, and this time I’d call it ‘The big Euro freeze’.

Europe is slowly icing over as a result of Siberian freezing weather blasting across the continent. Eastern Europe (Romania and Bulgaria) has been buried under meters of snow, the cold in Germany is bitter; in France it’s biting; England has also had its fair share and has cancelled a number of flights. I can only guess what is happening in Scandinavia and Poland. In Munich today it’s -9C, and it’s supposed to get down to -19C tonight, but the Bavarians are undaunted!

The photos are not mine, seeing as how I was at the Munich Security Conference all day. I’m a newbie here – I’ve never been involved at this level before (well, if you discount the London Conference on Cyberspace and Davos), but everything seemed to go well! I was on the roundtable, a few meetings and interviews. Here is my observations of the proceedings.

Read more: Big geopolitical players talk cyber security

DDoS – a Nasty SOB, but Curable – with KDP.

Hi everyone!

The Russian parliamentary elections late last year and the ensuing mass protests against their alleged falsification have brought about a sharp increase in the level of polarization of viewpoints being bandied about on Russian-language social networks and online media.

Simultaneously with all this, plenty of the Russian online media were visited by a ghost – the ghost of DDoS (Distributed Denial of Service Attack) – in early December 2011. This led to brazen hacker attacks, with one after another Russian website going down, and several attacks occurring simultaneously. Some were organized using traditional criminal bot networks, but behind them, it sure seems to me, stood marginal political groups, since the victims of the attacks were the sites both of opposition groups (including the Communist Party) and also of the ruling United Russia party.

A second DDoS attack – in mid-December – was more sophisticated. To date we still don’t have any reliable information about its origin – that is, not technically (how they actually pulled off the DDoS), and not the people who ordered it. And I’m not sure we’ll ever get to the bottom of it.

But I won’t get bogged down here with theory.

Read more: Let me get straight to DDoS in action …