Finding the Needle in the Haystack. Introducing: Astraea.

Somewhere in the office there’s a carefully guarded little big black book that contains a collection of up-to-date KL facts & figures, which we use in public performances. You know, things like how many employees we have, how many offices and where, turnover, etc., etc. One of the most oft-used figures from this book is the daily number of new malicious programs – a.k.a. malware. And maybe this daily figure is so popular because of how incredibly fast it grows. Indeed, its growth amazed even me: a year ago it was 70,000 samples of malware – remember, per day; in May 2012 it was 125,000 per day; and now – by the hammer of Thor – it’s already… 200,000 a day!

I kid you not my friends: every single day we detect, analyze and develop protection against just that many malicious programs!

How do we it?

Simply put, it all comes down to our expert know-how and the technologies that come about from it – about which another big black book could be compiled from the entries on this here blog (e.g., see the features tag). In publicizing our tech, some might ask if we aren’t afraid our posts are read by the cyber-swine. It’s a bit of a concern. But more important for us is users getting a better understanding of how their (our) protection works, and also what motivates the cyber-scoundrels and what tricks they use in their cyber-bogusness.

Anyway, today we’ll be adding another, very important addition to this tech-tome – one on Astraea technology. This is one of the key elements of our KSN cloud system (video, details), which automatically analyzes notifications from protected computers and helps uncover hitherto unknown threats. In actual fact Astraea has a lot of other plusses going for it – plusses which for a while already our security analysts simply couldn’t imagine their working day without. So, as per my techie-blog post tradition, let me go through it all for you – step by step…

More: Big data, crowdsourcing, data mining and Rocket science…

Kaspersky Lab Developing Its Own Operating System? We Confirm the Rumors, and End the Speculation!

Hi all!

Today I’d like to talk about the future. About a not-so-glamorous future of mass cyber-attacks on things like nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems, and all the other installations deemed “critically important”. Or you could think back to Die Hard 4 – where an attack on infrastructure plunged pretty much the whole country into chaos.

Alas, John McClane isn’t around to solve the problem of vulnerable industrial systems, and even if he were – his usual methods of choice wouldn’t work. So it comes down to KL to save the world, naturally! We’re developing a secure operating system for protecting key information systems (industrial control systems (ICS)) used in industry/infrastructure. Quite a few rumors about this project have appeared already on the Internet, so I guess it’s time to lift the curtain (a little) on our secret project and let you know (a bit) about what’s really going on.

Operating System Code

But first – a little bit of background about vulnerable industrial systems, and why the world really needs this new and completely different approach of ours.

More: The defenselessness of industrial systems …

In Denial about Deny All?

In just a dozen or so years the computer underground has transformed itself from hooliganistic adolescent fun and games (fun for them, not much fun for the victims) to international organized cyber-gangs and sophisticated state-sponsored advanced persistent threat attacks on critical infrastructure. That’s quite a metamorphosis.

Back in the hooliganistic era, for various reasons the cyber-wretches tried to infect as many computers as possible, and it was specifically for defending systems from such massive attacks that traditional antivirus software was designed (and did a pretty good job at). These days, new threats are just the opposite. The cyber-scum know anti-malware technologies inside out, try to be as inconspicuous as possible, and increasingly opt for targeted – pinpointed – attacks. And that’s all quite logical from their business perspective.

So sure, the underground has changed; however, the security paradigm, alas, remains the same: the majority of companies continue to apply technologies designed for mass epidemics – i.e., outdated protection – to tackle modern-day threats. As a result, in the fight against malware companies maintain mostly reactive, defensive positions, and thus are always one step behind the attackers. Since today we’re increasingly up against unknown threats for which no file or behavioral signatures have been developed, antivirus software often simply fails to detect them. At the same time contemporary cyber-slime (not to mention cyber military brass) meticulously check how good their malicious programs are at staying completely hidden from AV. Not good. Very bad.

Such a state of affairs becomes even more paradoxical when you discover that in today’s arsenals of the security industry there do exist sufficient alternative concepts of protection built into products – concepts able to tackle new unknown threats head-on.

I’ll tell you about one such concept today…

Now, in computer security engineering there are two possible default stances a company can take with regard to security: “Default Allow” – where everything (every bit of software) not explicitly forbidden is permitted for installation on computers; and “Default Deny” – where everything not explicitly permitted is forbidden (which I briefly touched upon here).

As you’ll probably be able to guess, these two security stances represent two opposing positions in the balance between usability and security. With Default Allow, all launched applications have a carte-blanche to do whatever they damn-well please on a computer and/or network, and AV here takes on the role of the proverbial Dutch boy – keeping watch over the dyke and, should it spring a leak, frenetically putting his fingers in the holes (with holes of varying sizes (seriousness) appearing regularly).

With Default Deny, it’s just the opposite – applications are by default prevented from being installed unless they’re included on the given company’s list of trusted software. No holes in the dyke – but then probably no excessive volumes of water running through it in the first place.

Besides unknown malware cropping up, companies (their IT departments in particular) have many other headaches connected with Default Allow. One: installation of unproductive software and services (games, communicators, P2P clients… – the number of which depends on the policy of a given organization); two: installation of unverified and therefore potentially dangerous (vulnerable) software via which the cyber-scoundrels can wriggle their way into a corporate network; and three: installation of remote administration software, which allows access to a computer without the permission of the user.

Re the first two headaches things should be fairly clear. Re the third, let me bring some clarity with one of my EK Tech-Explanations!

Not long ago we conducted a survey of companies in which we posed the question, “How do employees violate adopted IT-security rules by installing unauthorized applications?” The results we got are given in the pie-chart below. As you can see, half the violations come from remote administration. By this is meant employees or systems administrators installing remote control programs for remote access to internal resources or for accessing computers for diagnostics and/or “repairs”.

Employee IT-security violations

More: The figures speak for themselves: it’s a big problem …

Enter your email address to subscribe to this blog
(Required)

Kaspersky (Server) Anti-Spam: No Longer the Underdog; More Top Dog.

There’s an old Russian saying: As you start the New Year – that’s how you’ll spend the rest of it.

And this year started rather well for us: First, we were awarded Product of the Year by the Austrian testing lab AV-Comparatives; second, we broke the record on the number of points from Germany’s AV-Test.org; and third, we secured the top grade from Virus Bulletin in the UK. But after that pleasant start to the year things just got better, with the number of medals on our lapel going up and up and up! There were top marks in comparative testing of our proactive protection by Matousec; we were No. 1 in testing of our Application Control function by West Coast Labs; and we also secured excellent results in testing of our mobile security product (pdf) by PCSL. But we didn’t stop at serial-wins with our personal products; we also tore up the competition with our corporate ones; for example, in the August round of testing by AV-Test.org both KIS and KES were awarded 17 and 16 points, respectively – both higher than all the other competing solutions.

So, as you can see, in the first eight months of 2012 we’ve had rather a lot of good news. But never enough good news for me to forget to praise our ever faithful and pioneering AV lab (which praise I think it appreciates – so expect more victorious bulletins from the malware front soon!).

On this backdrop of positivity and optimism, the more deeper-delving observer might remark, “ok, your antivirus technologies come top-of-the-class across-the-board, but what about your NON-antivirus technologies – the important whistles and bells that add to a solution’s completeness and thus overall usefulness – like for example anti-spam?” All-righty: that’s what I’ll address in this post.

Just recently the results of Virus Bulletin’s VBSpam testing were released in which our new Kaspersky Linux Mail Security (KLMS) – unexpectedly for our competitors but quite expectedly for us – was among the winners – actually second – with an outstanding result of a 93.93% spam catch rate and 0.01% false positives. “Who wants to come second?” might come the refrain from those used to nothing but first place for KL. But in answer I’d say, “I do!” Here’s why…

VBSpam Comparison Chart

More: It’s not for nothing I write ‘outstanding’ in italics……

Catching the Phishes.

I’m not completely sure why, but  somehow since the invention of the Internet, there has always existed a stereotypical attitude towards all things WWW. That attitude sees the net as little more than a toy, while the viruses that come with it are put down to mere playing about at best, and just hooliganism at worst. However, the reality is quite something else – especially lately.

Remember Cascade and other similar viruses? Ah, so naïve and innocent compared to what was to come… Fast forward a couple of decades and the bad guys started stealing data, Trojanizing computers for zombie networks to perform distributed attacks, and milking bank accounts. And today we’ve arrived at attacks on industrial, infrastructural and military systems. Some toy!

We need to get away from such a stereotype ASAP. Faulty impressions give cybercrime a romantic aura, which in turn attracts the younger generations of would-be cybergeeks-come-cybercriminals – who can’t seem to grasp the seriousness of their “fun” or understand how many years they could face in jail.

Then there’s another stereotype: that computer crime pays, and the perpetrators don’t get caught. Romanticism! Ok, it’s true that several years ago in many countries computer crime was in fact not all that often prosecuted; however, now that situation has changed: the law enforcement bodies have both the experience and know-how required, have made great strides in terms of cyber-criminalistics (cyber-CSI stuff), and have established good working relations with professionals, all leading them to now being able to solve one hi-tech crime after another.

We are always ready to assist national and international law enforcement agencies if they request it. I think the development of such cooperation is crucial for the successful fight against cybercrime – as security companies are the ones that possess the necessary knowledge.

Now, let me give you an illustrative example of how it works in Russia.

More: Catching the phishes …

Crowdsourcing in Security.

To think of all the yummy stuff the Internet has brought us, though interesting, would probably be a waste of time: by the time you’d have finished totting up all the scrumptiousness you remember, just as much new scrummyness would have appeared. But there is one particular Internet-delicacy concept that, due to its importance and value, should really never be overlooked, even in just a “Best Hits” of the Internet. This concept deserves closer consideration. And this concept is crowdsourcing.

I won’t go into loads of detail – you can get that at the other end of the Wikipedia link above (incidentally, Wikipedia is also a crowdsourcing project :) or via a search engine. Here, let me briefly go through the idea:

The WWW permits large numbers of folks from all over the world to very quickly all get together and combine efforts to solve some kind of difficult task or other. The result is collective intelligence, backed up by gigahertz, gigabytes and terabytes of computers and communication channels. Technically, its all about the sharing and allocation of computing power. For example, I remember well how at the end of the nineties many at night connected their comps to SETI@Home – a non-commercial project that searched for radio signals of extraterrestrial civilizations. The project is still going, with 1.2 million participants and a total processing power running up to 1.6 petaflops.

SETI@home

Perhaps surprisingly, you’ll generally find network crowdsourcing being applied in practically every sphere of life. And security is no exception. Recent examples: the international brainstorming that went into solving the Duqu Framework, and into trying to crack the mystery of the encrypted Gauss payload. (For the former, by the way, we received a rather flattering write-up on darkreading.com.) Still, these cases aren’t really the best examples of crowdsourcing at work…

The best example is probably to be found in the way we (KL) successfully process 125,000 samples of malware every day (up from 70,000 late last year). Of course, robots and other technologies of automation and data-flow analysis help, but the most important ingredient to make it all work – the statistical food – is furnished by you! Yes, you! The system’s a big you-scratch-my-back, I’ll-scratch-yours gig in which our users help both us and one another in the business of preventing cyber break-ins around the world, and in particular of tackling unknown threats. And everyone helps anonymously and voluntarily after having clearly expressed a willingness to take part; and none of it affecting computer performance!

More: Let me tell you how it works …

Windows 8: We’re Ready Already

Greetings droogs!

The new version of KIS is attracting quite a bit of buzz in the media: in the two weeks since its global premiere it has been receiving gushing review after gushing review. Just about all of them go into plenty of detail covering all the ins and outs of the product, and specific features have been covered here on this blog of mine – for example posts about automatic protection from vulnerabilities and making secure payments.

But KIS has one more delicious layer of features; however, they can’t be used yet, and will only become applicable in the (nearest) future (we really mean it when we say Be Ready for What’s Next, you know!). These futuresque featuresques are undeservedly not getting the limelight. I’m talking about KIS support for Windows 8.

So what are these technologies, how do they fit in with Win8, and what are the benefits for users?

I’ll start with the most obvious: the new Windows 8 interface. I haven’t had a test-drive myself, but I’ve heard lots of good things about it and read flattering reviews. The fully redesigned interface is really not bad looking at all, and that goes for the desktop version and the tablet-touchscreen-mobile incarnation. I’m looking forward to its release and the reactions of users…

At the same time it has to be said that this new kid on the block has significantly increased the proverbial pain in the neck for third-party software developers: in order to cater to the whole spectrum of user preferences it was deemed necessary to have two interfaces – the classic one we’re all used to, and the new go-faster-stripes one. In response, we’ve been one of the first in the antivirus industry to develop a special application that transfers the antivirus management features to the new Windows 8 interface. The application is free of charge, and you can download and install it from the Windows Store.

Kaspersky Now For Windows

More: Fighting rootkits in Win8…

Social Networks: the Force Is Strong with These Ones.

Prologue

The history of social networks is pretty much like Star Wars. Really! Social networks started out obscure and mysterious, with folks saying, “There’s this new type of site, with enormous capabilities and hidden business opportunities, which no one can estimate at present, but in the future will truly make all people truly connected, free and equal!” It’s pure Eastern-spirituality-influenced George Lucas – about “bringing balance to the Force.” And so it came to pass – social networks became a perfect communication ground for all – ordinary folks, companies, and the media.

Of course, with such a boring script you’re hardly going to get a blockbuster movie :-). Let’s face it, you can’t have folks living happily ever after (and all with equal rights, opportunities, etc., etc.) at the start of a film, can you?! The story needs an insidious infernal plan pursued by dark forces to arise. And – voila! – that’s what we got. Social networks became the medium of choice for games played by the world’s intelligence services and manipulation of public opinion – about which I’ve written and talked plenty before.

So, Star Wars: A New Hope has finished. The next chapter has begun:

The Empire Strikes Back

“Forming public opinion” via social networks has for several years already been practiced rather successfully by governments of many countries, no matter their political traditions or leanings. With so much open and free (no cost) information on the surface – no digging necessary – folks themselves tell all about their news, interesting information, whereabouts, lists of colleagues, friends and professional contacts. And the bizarre thing is that anyone who can access that data – private individuals, companies, criminals, members of a cross-stich embroidery group… (you get the point). The data lies about on the surface and people continue (despite warnings) to put more and more such data on the Internet. But with the many APIs crisscrossing social networks acting as mutagens that speed up the evolution, information uploaded one day on just one network is the next day forever (literally: eternally) indexed in search engines.

At the same time the intelligence services have happily joined social networks – becoming “users” themselves – but with their own agenda, naturally. For ordinary folks social networks are mostly a source of reading matter; for companies they’re a source of – or tool for – sales and marketing; but for intelligence services social networks represent a vital means for protecting state interests, and can also be used as weapons against potential opponents.

More: The vicious circle and Return of the Jedi …

Safe Money: A Virtual Safe for Virtual Money – that Actually Works.

Apart from petty cash carried on the person, where in general does money mostly get stored?

Sure, gangsters still prefer cash stashed in a grubby cubby hole, while grandma still resorts to the trusty in-a-stocking-under-the-matrass option. But in most other cases the sensible move is to have cash converted into non-cash funds – or virtual money – ASAP, and put in banks and the like, where it can at least earn a bit of interest. And banks tend to keep cash in big safes. With this sensible option today come various useful knick-knacks like online banking, online shopping, and online just about whatever.

Of course, wherever lots of money and the Internet are closely connected there’ll always be plenty of cyber-scoundrels close by trying to get at that money – be it in folks’ current, savings or credit card accounts. And we’re not talking here about an occasional threat posed by a pair of unwashed, long-haired marginals from da cyber-underground either. It’s a real serious problem on a worldwide scale. A well-organized and smoothly running criminal industry with a multi-billion dollar turnover. It’s no wonder then that the security of financial transactions on the Internet has become the No. 1 problem (pdf) in the world for the majority of users.

Now, just like with banks with safes for paper money, this virtual money accessed via the Internet could also do with a safe – a virtual one, but one no less secure than a high-tensile steel armor-plated one. So let me tell you about our new Safe Money technology, which will be appearing in the next version of KIS towards the end of August/the beginning of September (depending on the country).

Before going through the details and advantages of Safe Money, it’s probably best first to look at how the cyber-swine try to get their grubby mitts into your virtual pockets. Or, less figuratively, to get at your user logins and passwords to access your online banking and other ‘monied’ accounts.

So, three ways how the cyber-baddies tend to break in:

  • Infecting the computer of a victim with a Trojan to thieve data, take screenshots, and log keyboard strikes. Infection frequently occurs via a vulnerability in popular software;
  • Phishing and social engineering: imitating genuine online stores, bank websites, dialog boxes, even telephone calls, etc.; and
  • Different high-profile attacks like sniffing, DNS/Proxy server substitution, fraudulent certificate use, etc. to intercept traffic using man-in-the-middle attacks, and also man-in-the-browser threats, wardriving, etc.

And now – another threesome: the three main problems in terms of security against financial cyber-fraud:

  • a lack of reliable site identification;
  • a lack of trusted connections via the Internet between online services and clients; and
  • a lack of guarantees that software installed on a computer doesn’t contain vulnerabilities that could be exploited by malware.

Luckily (for some), many aspects of this problem are comfortably dealt with by the latest Internet Security-class protection products. Only the most slothful of IT Security vendors these days don’t offer built-in protection against phishing; however, the quality of protection is another matter. But this is in no way enough to be safe in real life scenarios (about scenarios – see below). Still, the majority of products don’t have all the necessary features to provide fully comprehensive protection. What’s worse, the features they do have don’t work together harmoniously in solving specific problems, even though what’s really needed here is a multi-faceted, wide-spectrum “medicine”.

And so, if you’ll please now welcome onto the stage… Safe Money technology!

Safe Money resides in the upcoming version of KIS. What you do is enter the address of an online service that needs to be protected that uses money (a bank, store, auction system, payment system, etc.). Or you can choose a site from the built-in database, which includes 1500 different banks and 84 domains. On entering the site you need to choose the “Run the protected browser automatically” option, and from then on all sessions with that site are automatically launched in a special protected browser mode.

Kaspersky Internet Security

More: So what does this here protected browser mode do then? …

What Wired Is Not Telling You – a Response to Noah Shachtman’s Article in Wired Magazine

Eugene Kaspresky is not KGB but Indiana Jones of the Industry

This is a very unusual post. It’s not about cyber-crime, malware, our latest business achievements or my latest long journey around the globe. It’s about truth and facts, and the importance of not hiding certain facts while revealing others.

For sure I was surprised to read such an article from a journalist who, up until Monday, always seemed to maintain the highest of professional and ethical standards. And it goes without saying that, on behalf of my company and our 2400+ employees around the world, I have to object to Mr. Shachtman’s litany of inferences, opinions, omissions and errors.

We first got to know Mr. Shachtman early last fall, and then invited him to our headquarters in Moscow. After several meetings with me and our team members, during which we discussed many different current issues related to the security field, it appears Noah Shachtman thought that he was ready to tell the world the “truth” about Kaspersky Lab and me personally, and decided to produce an article for Wired Magazine. And he got off to a great start (the way he described me after practically 72 hours on planes (Cancun-Munich-Cancun) just to be there for the opening of the event was all very true – and to me very amusing). But unfortunately Mr. Shachtman forgot to include essential components such as key facts, independent international experts’ opinions, and independent marketing research agencies’ data. Not only did he forget to check his facts, in some cases he wrote almost the opposite of what I actually said in my numerous interviews with him over the past seven months.

I hope Noah tried to do his best and had no hidden agenda. But he unfortunately failed to present to you the whole truth. So I’ve decided to help him out.

Read on: What Wired Is Not Telling You – a Response to Noah Shachtman’s Article in Wired Magazine