Cyber hygiene: essential for fighting supply chain attacks.

Hi folks!

Quite often, technical matters that are as clear as day to techie-professionals are somewhat tricky to explain to non-techie-folks. Still, I’m going to have a go at doing just that here today. Why? Because it’s a darn exciting and amazingly interesting world! And who knows – maybe this read could inspire you to become a cybersecurity professional?!…

Let’s say you need to build a house. And not just a standard-format house, but something unique – custom-built to satisfy all your whims and wishes. First you need an architect who’ll draw up the design based on what you tell them; the design is eventually decided upon and agreed; project documentation appears, as does the contractor who’ll be carrying out the construction work; building inspectors keep an eye on quality; while at the same time interior designers draw up how things will look inside, again as per your say-so; in short – all the processes you generally need when constructing a built-to-order home. Many of the works are unique, as per your specific instructions, but practically everything uses standard materials and items: bricks, mortar, concrete, fixtures and fittings, and so on.

Well the same goes for the development of software.

Many of the works involved in development are also unique, requiring architects, designers, technical documentation, engineer-programmers… and often specific knowledge and skills. But in the process of development of any software a great many standard libraries [~= building bricks] are used, which carry out all sorts of ‘everyday’ functions. Like when you build a house – you build the walls with standard bricks; the same goes for software products: modules with all sorts of different functionalities use a great many standardized libraries [~= bricks].

Ok, that should now be clear to everyone. But where does cybersecurity come into all of this?

Well, digital maliciousness… it’s kinda the same as house-building construction defects – which may be either trivial or critical.

Let’s say there’s some minor damage done to a completed house that’s ready to move into, which isn’t all that bad. You just remedy the issue: plaster over, re-paint, re-tile. But what if the issue is deep within the construction elements? Like toxic materials that were used in construction in the past? Yes, it can become painful.

Well the same goes for software. If a contagion attaches itself to the outside, it’s possible to get rid of it: lance it off, clean up the wound, get the software back on its feet. But if the digital contamination gets deep inside – into the libraries and modules [= bricks] out of which the final product [house] is built… then you’ve got some serious trouble on your hands. And it just so happens that finding such deep digital pestilence can be reeeaaally tricky; actually extracting the poison out of the working business process – more so.

That’s all a bit abstract; so how about some examples? Actually, there are plenty of those. Here are a few…

Even in the long-distant past, during the Windows 98 era, there was one such incident when the Chernobyl virus (also called CIH, or Spacefiller) found its way into the distributions of computer games of various developers – and from there it spread right round the world. A similar thing happened years later in the 2000s: a cyber-infection called Induc penetrated Delphi libraries.

Thus, what we have are cyberthreats attacking businesses from outside, but also the more serious threats from a different type of cyber-disease that manages to get inside the internal infrastructure of a software company and poison a product under development.

Let’s use another figurative example to explain all this – a trip to your local supermarket to get the week’s groceries in… during mask-and-glove-wearing, antiseptic-drenching lockdown!… Yes, I’m using this timely example as I’m sure you’ll all know it rather well (unless you’re the Queen or some other VIP, perhaps live off the land and don’t use supermarkets… but I digress).

So yes: you’ve grabbed the reusable shopping bags, washed your hands for 20 seconds with soap, donned the face mask, put the gloves on, and off you go. And that’s about it for your corona-protective measures. But once you’re at the supermarket you’re at the mercy of the good sense and social responsibility and sanitary measures of the supermarket itself plus every single producer of all the stuff that you can buy in it. Then there are all the delivery workers, packing workers, warehouse workers, drivers. And at any link in this long chain, someone could accidentally (or on purpose) sneeze right onto your potatoes!

Well it’s the same in the digital world – only magnified.

For the supply chain of modern-day ‘hybrid’ ecosystems of IT development is much, much longer, while at the same time we catch more than 300,000 brand new cyber-maliciousnesses EVERY DAY! What’s more, the complexity of all that brand new maliciousness itself is rising constantly. To try and control how much hand-washing and mask-and-glove wearing is going on at every developer of every separate software component, plus how effective the cyber-protection systems of the numerous suppliers of cloud services are… – it’s all an incredibly difficult task. Even more difficult if a product you use is open source, and its build is fashionably automated – assembled on the fly with default trust settings.

All rather worrying. But when you also learn that, of late, attacks on supply chains happen to be among the most advanced cyber-evil around – it gets all rather yikes. Example: the ShadowPad group attacked financial organizations via a particular brand of server-infrastructure management software. Other sophisticated cybercriminals attack open source libraries, while our industry colleagues have reminded us that developers are mostly unable to sufficiently verify that the components they install – and the various libraries those components pull in – don’t contain malicious code.

Here’s another example: attacks on libraries of containers, like those of Docker Hub. On the one hand, using containers makes the development of apps and services more convenient, more agile. On the other, more often than not developers don’t build their own containers and instead download ready-made ones – and inside… – much like a magician’s hat – there could be anything lurking. Like a dove, or your car keys that were in your pocket. Or a rabbit. Or Alien! :) ->

Read on…

Cyber-yesteryear – pt. 5: 1996 (game-changer year).

Herewith, more tales from back in the day about how our company went from humble beginnings to what we are today. And this cyber-yesteryear series – it’s all thanks to… lockdown! I’d have never found the time for such meanderings down cyber-memory lane otherwise…

Just in case you missed them, here are the previous installments:

Part 1
Part 2
Part 3
Part 4

All righty. Part 5: 1996. Truly a fateful, watershed year…

First, at KAMI, where I was still working, the owners decided to break away. As a result KAMI was split up into several independent organizations. And in the following year – 1997 – we broke away too.

Second, we signed an OEM (original equipment manufacturer) contract with the German company G-Data to supply them with our antivirus engine. That contract ran for a full 12 years – up to 2008! – when we became No.1 on the German retail market. That’s just how it went. Our original-tech prowess was unstoppable! But what were we to do? But, anyway, it was G-Data who’d approached us (we weren’t able to actively seek out tech-partners back then), offering Remizov – boss of KAMI – cooperation, culminating in the signing of the contract at CeBIT, as described in Part 4. And that was how our technology-licensing business took off.

After the Germans (in 1995) came the Finns – F-Secure (in 1996), then known as Data Fellows. Let me tell you about how our cooperation with them started.

In August 1995, the first ever macro virus appeared, which infected Microsoft Word documents. It turned out that writing macro viruses was very straightforward, and they were being spread at alarming rates among a great many unsuspecting users. This caught the attention of other virus writers, and very quickly macro viruses became the biggest headache for the antivirus industry. Detecting them was far from easy, since the format of a Word document is most complex (who knew?:). So for several months AV firms played shamans using various methods, until, in early 1996, McAfee (the company:) announced the ‘correct’ disassembly method for the format of Word documents. That news was latched onto by our colleague Andrey Krukov (who’d joined our collective in 1995), and he quickly came up with a most elegant and effective tech solution. I put the word out about this, and pretty soon companies started approaching us with offers to buy our technology. Having garnered several such offers, we arranged a meet with them all – at the upcoming Virus Bulletin Conference in Brighton, UK, to which Andrey and I traveled in the fall of 1996.

In Brighton, things hardly went to plan: none of those meetings ever came to anything! However…

Read on…


Cyber-yesteryear – pt. 4: CeBIT.

Finally, summer’s arrived. Took its time! But I’m not sure it’s the blessing it normally is, since we’re all still sat at home working remotely. Sure, there have been ‘easings’ here and there around the world, but we here at K are in no rush to… rush things. I think that goes for other IT companies too that will be working from home till at least fall, while some have signaled they’re on for staying home until the end of the year. And of course business trips are still being cancelled, as are exhibitions and conferences and Olympic Games and Cannes Festival and a whole load of other large-scale events. Some countries still have closed borders too.

So yep: we’re all still cooped up, not getting out much, and getting a bit stir crazy with the cabin fever. At least that’s how things are for many, I’m sure. There are others who are taking advantage of all the extra time and getting more exercise than ever, the devils! I’m somewhere in-between. Sometimes tired of Groundhog Every-Day, but staying busy. And that includes dusting off and delving into my archives to dig up some old photos, which lead to fond memories (plus reminders of how quickly the world is changing), which lead to… my next cyber-yesteryear post!

Yes, this series combines cyber-nostalgia, plus various personal and business insights I’ve picked up along the cyber-way, which I hope will be useful to some, or just interesting to others. Accordingly, I continue here today with part four, and I continue my tales, begun in part three, about CeBIT.

CeBIT – we loved it to bits! It was just sooo new and different and massive and…

Read on…


Whether still locked-down at home or free – must-read books, part 3!

Looks like I’m just in time with the third and final part of my book recommendations series: stay-at-home restrictions are easing seemingly everywhere. Still, staying home looks like what many will continue to do anyway, so this part-three isn’t too late really. But, even during ‘normal’ times, reading is totally must-do, surely? It’s not like these recommendations have an expiry date! Ok, enough intro; here are my recommendations – category: science fiction!

Yes, I’m a science fiction buff, and have been since I was a kid. I remember looking forward to our regular visits to some friends of my parents who had a really impressive (for the times) collection of sci-fi on their shelves. I’d just disappear for hours, fixated by a work like those by Jules Verne (Captain Nemo), H.G. Wells (The Time Machine, The War of the Worlds, The Invisible Man), and Alexander Belyayev (Amphibian Man, Professor Dowell’s Head), which I’d get through in a few hours! Later came Bradbury’s Martian Chronicles, Asimov’s Three Laws of Robotics and I, Robot, Arthur C. Clarke’s A Fall of Moondust, Simak’s parallel worlds (proto-multiverses), Ursula K. Le Guin’s Earthsea stories, and much more.

I could dig endlessly on this topic, but here, for brevity’s sake, I’ll stick to my top-3 all-time fave sci-fi writers; rather – top-4, as two brothers wrote together (the Strugatskys). Btw – I have the complete works of the Strugatskys, and also of Kurt Vonnegut in hardback! (Yes, I prefer actual books; we stare at screens enough IMHO:).

Arkady and Boris Strugatsky

The master-maestros of the genre. They started out in the 1950s writing utopian-heroic-communist texts, but later changed their tune big time – their heroes changed, as did the problems they had to deal with.

There are a great many super sci-fi writers, but these two are to me the very best. Deeper, more emphatic, more audacious – the thinking person’s sci-fi: more ‘literature’ than sci-fi!

Later in their careers they became all the more philosophical, and conducted literary experiments on identity and society.

I remember clearly my first Strugatsky novel: Beetle in the Anthill, published in 1979 in a Soviet magazine – one chapter per edition (waiting impatiently each month for the next chapter).

Read on…

Lockdown or not – read these books, you ought! Part 2.

I hope you liked the first part of the ‘greatest hits’ on my bookshelves – business books. Time now to turn to another category: about how the world ‘ticks’: the history, societies and governments of human beings, and more…

On China, by Henry Kissinger

For those who find a few Wikipedia pages ok but insufficient on detail to satisfy their curiosity and quest for learning more about China – this is the book to go for. In it you’ll learn all sorts about the country’s ancient history, its economy and more. There’s the estimation that the GDP of mediaeval China was something like a third of world GDP (!), there’s all the treachery of the opium wars, there’s the Communist past, and the country’s renaissance. Highly recommended. But be warned: there’s a TON of detail in there. Some pages I just scanned. So let me adjust my recommendation: I highly recommend you read… the best bits of this book ).

Read on…

Lockdown at home? Read a tome! Part 1.

Working remotely is one thing. Learning a new hobby or even profession – also remotely: super. But you need to take a break now and again otherwise that learning suffers. Also – since you’ve no commute, your free time of an evening tends to be a bit longer. What I’m getting to is… it’s high time – to read!

But read what?

Well, I personally read all sorts. Just as well, as I’m often asked what books I might recommend to others. Fine by me – as I’ve plenty of recommendations. That many, in fact, that when I decided to put fingers to keyboard and come up with a list, there were just too many. Accordingly, I’ve split my recommendations into three separate posts. Today’s post: business books I highly recommend.

Good to Great, by Jim Collins

I reckon that if I had to line up the business books I’ve read on my bookshelf in order of importance from left to right, this one would be first – furthest left. But might it be outdated already? After all, it was published in 2001, and given that our world is changing at dizzying speed, sure, that seems like a fair question. Actually – no. For the main topics in the book are somewhat timeless and are as relevant today as they were back then. In plain language and with lots of practical examples, the author convincingly analyzes the traits commonly found in various types of leaders (manager-leader, team leader, company leader). It’s one of the few good books, IMHO, on how to build a great business.

Read on…

Which hacker group is attacking my corporate network? Don’t guess – check!

Around four years ago cybersecurity became a pawn used in geopolitical games of chess. Politicians of all stripes and nationalities wag fingers at and blame each other for hostile cyber-espionage operations, while at the same time – with the irony seemingly lost on them – bigging-up their own countries’ cyber tools that are also used in offensive operations. And caught in the crossfire of geopolitical shenanigans are independent cybersecurity companies, who have the ability and guts to uncover all this very dangerous tomfoolery.

But, why? It’s all very simple…

First, ‘cyber’ is still really quite the cool/romantic/sci-fi/Hollywood/glamorous term it appears to have always been since its inception. It also sells – including online newspaper subscriptions. It’s popular – including to politicians: it’s a handy distraction – given its coolness and popularity – when distraction is something that’s needed, which is often.

Second, ‘cyber’ is really techy – most folks don’t understand it. As a result, the media, when covering anything to do with it, and always seeking more clicks on their stories, are able to print all manner of things that aren’t quite true (or completely false), but few readers notice. So what you get are a lot of stories in the press stating that this or that country’s hacker group is responsible for this or that embarrassing/costly/damaging/outrageous cyberattack. But can any of it be believed?

We stick to the technical attribution – it’s our duty and what we do as a business

Generally, it’s hard to know if it can be believed or not. Given this, is it actually possible to accurately attribute a cyberattack to this or that nation state or even organization?

There are two aspects to the answer…

From the technical standpoint, cyberattacks possess an array of particular characteristics, but impartial system analysis thereof can only go so far in determining how much an attack looks like it’s the work of this or that hacker group. However, whether this or that hacker group might belong to… Military Intelligence Sub-Unit 233, the National Advanced Defense Research Projects Group, or the Joint Strategic Capabilities and Threat Reduction Taskforce (none of which exist, to save you Googling them:)… that is a political aspect, and here, the likelihood of manipulation of facts is near 100%. It turns from being technical, evidence-based, accurate conclusions to… palm or coffee grounds’ readings for fortune-telling. So we leave that to the press. We stay well away. Meanwhile, curiously, the percentage of political flies dousing themselves in the fact-based ointment of pure cybersecurity grows several-fold with the approach of key political events. Oh, just like the one that’s scheduled to take place in five months’ time!


So yes, political attribution is something we avoid. We stick to the technical side; in fact – it’s our duty and what we do as a business. And we do it better than anyone, I might modestly add ). We keep a close watch on all large hacker groups and their operations (600+ of them), and pay zero attention to what their affiliation might be. A thief is a thief, and should be in jail. And now, finally, 30+ years since I started out in this game, after collecting non-stop so much data about digital wrongdoing, we feel we’re ready to start sharing what we’ve got – in the good sense ).

Just the other day we launched a new awesome service aimed squarely at cybersecurity experts. It’s called the Kaspersky Threat Attribution Engine (KTAE). What it does is analyze suspicious files and determine from which hacker group a given cyberattack comes. For knowing the identity of one’s attacker makes fighting it much easier: informed countermeasure decisions can be made, a plan of action can be drawn up, priorities can be set out, and on the whole an incident response can be rolled out smoothly and with minimal risk to the business.

So how do we do it?

Read on…

Rewind: Africa-fotografia!

NB: With this post – about a place I visited before the lockdown – I want to bring you some positivism, beauty and the reassurance that we will all get a chance to see great different places again. Meanwhile, I encourage you not to violate the stay-at-home regime. Instead, I hope you’re using this time for catching up on what you never seemed to find the time to do… ‘before’ :).

Finally, the friends who accompanied me on my pre-lockdown Africa vacation have sent me their edited ‘greatest hits’ photos from the trip. Better late than never, no? But, I wonder – would they have been even tardier if not for the pandemic?! Just joking: they each did have probably terabytes of photos to choose from ).

Anyway, those terabytes of pics (covering Namibia, Victoria Falls, and Madagascar) were whittled down to the very best, and then I had a go at even further editing them so that they’d ‘fit’ into this here blogpost without it getting ridiculously long. The result is the collection below. Some are mine, which I didn’t publish earlier. But most are my travel companions’ best shots. All righty. Let’s go…

First up: Namibian roads:

Stone fields along Skeleton Coast:

[Yawn]. “Ooh, do excuse me; I must have dozed off. What? Where? Walvis Bay, you say? Well, you’re on the right road. Just keep going, and you’ll come to it in half an hour!”

Pink salt lakes:

Aloe:

Unsorted unusualnesses:

Dunes, endless desert:

Deadvlei:

Windswept dunes:

Shadow on flying sand atop a dune’s ridge:

Oh my gorgeous!

Unsorted Namibia:

Zambia/Zimbabwe, Victoria Falls. No comment!…

Magic stone mushrooms in Madagascar. Gray tsingi at Ankarana:

Red tsingi – even more striking a thingy:

How cute? ‘Where are the bananas?!’

Night lemurs:

Unfed. Uninterested in anything but passing tourists and the food they give them:

Plenty portraits:

Ring-tailed lemurs:

Indri – the largest lemurs on Madagascar:

Unexpected, uninvited ‘guests’ – of Madagascan proportions:

Karma, karma, karma, karma chameleons: they come and go:

Oh my goodness. Just check out this miracle of nature:

Check out the independent eye movements!

“Who’s that back there?”

A whole new – literal – meaning to ‘I’ll have to keep my eye on you!’ ->


Smaller, subtler:

Oh my geckos!

As you can see – an amazing trip!

– The End –

PS: These pics were taken by (besides me): DZ, NI, OR, SS, and AD.

Thank-you to them, and thank-you too, dear readers, for your attention! Hope you liked the pics as much as we liked taking them!

Cyber-tales update from the quarantined side: March 92, 2020.

Most folks around the world have been in lockdown now for around three months! And you’ll have heard mention of a certain movie over those last three months, I’m sure, plenty; but here’s a new take on it: Groundhog Day is no longer a fun film! Then there’s the ‘damned if you’re good, damned if you’re bad’ thing with the weather: it stays bad and wet and wintry: that’s an extra downer for everyone (in addition to lockdown); it gets good and dry and summery: that’s a downer for everyone also, as no one can go out for long to enjoy it!

Still, I guess that maybe it’s some consolation that most all of us are going through the same thing sat at home. Maybe. But that’s us – good/normal folks. What about cyber-evil? How have they been ‘coping’, cooped up at home? Well, the other week I gave you some stats and trends about that. Today I want to follow that up with an update – for, yes, the cyber-baddies move fast. // Oh, and btw – if you’re interested in more cyber-tales from the dark side, aka I-news, check out this archives tag.

First off, a few more statistics – updated ones; reassuring ones at that…

March, and then even more so – April – saw large jumps in overall cybercriminal activity; however, May has since seen a sharp drop back down – to around the pre-corona levels of January-February:

At the same time we’ve been seeing a steady decline in all coronavirus-connected malware numbers:

// By ‘coronavirus-connected malware’ is meant cyberattacks that have used the coronavirus topic in some way to advance their criminal aims.

So, it would appear the news is promising. The cyber-miscreants are up to their mischief less than before. However, what the stats don’t show is – why; or – what are they doing instead? Surely they didn’t take the whole month of May off given its rather high number of days-off in many parts of the world, including those for celebrating the end of WWII? No, can’t be that. What then?…

Read on…

Cyber-yesteryear – pt. 3: 1992-199x.

Just in case you missed the first two, this is the third episode of my cyber-yesteryear chronicles. Since I’m in lockdown like most folks, I have more time on my hands to be able to have a leisurely mosey down cyberseKurity memory lane. Normally I’d be on planes jetting here, there and everywhere for business and tourism – all of which normally takes up most of my time. But since none of that – at least offline/in person – is possible at the moment, I’m using a part of that unused time instead to put fingers to keyboard for a steady stream of personal / Kaspersky Lab / cyber-historical nostalgia: in this post – from the early to mid-nineties.

Typo becomes a brand

In the very beginning, all our antivirus utilities were named following the ‘-*.EXE’ template. That is, for example, ‘-V.EXE’ (antivirus scanner), ‘-D.EXE’ (resident monitor), ‘-U.EXE’ (utilities). The ‘-‘ prefix was used to make sure that our programs would be at the very top of a list of programs in a file manager (tech-geekiness meets smart PR moves from the get go?:).

Later, when we released our first full-fledged product, it was named ‘Antiviral Toolkit Pro’. Logically, that should have been abbreviated to ‘ATP’; but it wasn’t…

Somewhere around the end of 1993 or the beginning of 1994, Vesselin Bontchev, who’d remembered me from previous meet-ups (see Cyber-yesteryear – pt. 1), asked me for a copy of our product for testing at the Virus Test Center of Hamburg University, where he worked at the time. Of course, I obliged, and while zip-archiving the files I accidentally named the archive AVP.ZIP (instead of ATP.ZIP), and off I sent it to Vesselin unawares. Some time later Vesselin asked me for permission to put the archive onto an FTP server (so it would be publicly available), to which I obliged again. A week or two later he told me: ‘Your AVP is becoming really rather popular on the FTP!’

‘What AVP?’, I asked.
‘What do you mean ‘What AVP’? The one you sent me in the archive file, of course!’
‘WHAT?! Rename it right away – that’s a mistake!’
‘Too late. It’s already out there – and known as AVP!’

And that was that: AVP we were stuck with! Mercifully, we (kinda) got away with it – Anti-Viral toolkit Pro. Like I say – kinda ). Still, in for a penny, in for a pound: all our utilities were renamed by dropping the ‘-‘ prefix and putting ‘AVP’ in its place – and it’s still used today in some of the names of our modules.

First business trips – to Germany for CeBIT

In 1992, Alexey Remizov – my boss at KAMI, where I first worked – helped me in getting my first foreign-travel passport, and took me with him to the CeBIT exhibition in Hannover in Germany. We had a modest stand there, shared with a few other Russian companies. Our table was half-covered with KAMI transputer tech, the other half – our antivirus offerings. We were rewarded with a tiny bit of new business, but nothing great. All the same, it was a very useful trip…

Our impressions of CeBIT back then were of the oh-my-grandiose flavor. It was just so huge! And it wasn’t all that long since Germany was reunified, so, to us, it was all a bit West Germany – computer-capitalism gone bonkers! Indeed – a cultural shock (followed up by a second cultural shock when we arrived back in Moscow – more on that later).

Given the enormity of CeBIT, our small, shared stand was hardly taken any notice of. Still, it was the proverbial ‘foot in the door’ or ‘the first step is the hardest’ or some such. For it was followed up by a repeat visit to CeBIT four years later – that time to start building our European (and then global) partner network. But that’s a topic for another post (which I think should be interesting especially for folks beginning their own long business journeys).

Btw, even as far back as then, I understood our project was badly in need of at least some kind of PR/marketing support. But since we had, like, hardly two rubles to rub together, plus the fact that journalists had never heard of us, it was tricky getting any. Still, as a direct result of our first trip to CeBIT, we managed to get a self-written piece all about us into the Russian technology magazine ComputerPress in May 1992: home-grown PR!

Fee-fi-fo-fum, I smell the dollars of Englishmen!

My second business trip was in June-July of the same year – to the UK. One result of this trip was another article, this time in Virus Bulletin, entitled The Russians Are Coming, which was our first foreign publication. Btw – in the article ’18 programmers’ are mentioned. There were probably 18 folks working at KAMI overall, but in our AV department there were just the three of us.

London, June 1992

Read on…