In this post, we go through a thorough checklist based on our recommendations for how to prepare and what to do with your child’s first gadget, which were developed by Kaspersky in collaboration with Dr. Saliha Afridi, clinical psychologist. To make this challenge easier for you, we’ve included a link to download the handbook in PDF format at the end of this post.

What should I do before giving a gadget to my kid?

  1. Create a child account
  2. Disable in-app purchases
  3. Install essential apps
  4. Adjust app privacy
  5. Use a digital parenting app (like Kaspersky Safe Kids)
  6. Set age-appropriate filters
  7. Block unknown calls

How do I introduce a new gadget to my child?

  1. Establish family rules and good tech-habits
  2. Create tech-free zones and times
  3. Promote non-tech activities
  4. Limit your kid’s phone usage during:
    • meals
    • bedtime
    • family gatherings and outings
    • homework and studying
    • hosting social gatherings
    • engaging in outdoor activities
    • morning routines

What online safety rules should my child know?

  1. Set clear ground rules about what they can and can’t do online
  2. Teach them privacy basics and tell them about the risks of oversharing
  3. Emphasize that they should never share personal info or login details
  4. Advise children to use non-personal usernames

What are the main online risks I should tell my kid about?

  1. Watch out for phishing scams
  2. Avoid unauthorized game downloads
  3. Ignore intrusive ads and surveys
  4. Exercise caution regarding links and email attachments
  5. Seek help if uncomfortable or suspicious regarding something online
  6. Use unique passwords, and consider Kaspersky Password Manager for security

How do I help my children avoid online strangers?

  1. Telling them to say no to unknown friend requests
  2. Telling them to become suspicious if someone asks personal questions
  3. Maintaining open communication about your kids’ online activities

What online gaming safety advice should I give?

  1. Play with friends you know
  2. Enable a “gaming mode” for safety
  3. Download games only from trusted stores
  4. Ignore chat-room links
  5. Never share passwords – even with friends

My kid is being bullied on the Internet. What should I do?

  1. Listen to them without interrupting
  2. Make them feel both safe and understood
  3. Take screenshots of harmful content
  4. Discourage retaliation
  5. Update privacy settings, change passwords, block or report the bully
  6. Report to the school
  7. Consider professional help for stress-related signs

My kid is bullying others online. What should I do?

  1. Stay calm, gather evidence, and understand the context
  2. Get your child’s side of the story
  3. Help them see the impact on others
  4. Encourage an apology to the victim
  5. Without being overly invasive, consider using digital parenting apps
  6. Promote responsible online behavior
  7. Seek professional help if necessary

What questions should I ask my child to ensure their online experience is safe?

  1. What’s interesting online today?
  2. Anything confusing encountered?
  3. Do you chat or game with strangers?
  4. How do you choose what to share?
  5. Have you ever felt uncomfortable online?
  6. Are there any new apps or websites you enjoy?
  7. Do you know how to handle inappropriate messages?
  8. Have you ever seen someone being unkind online? How did you react?

How do I monitor my kids online without invading their privacy?

  1. Talk about their online experience
  2. Engage in their online activities together
  3. Use safety-focused parenting apps
  4. Explain why certain controls are needed
  5. Shift from monitoring to mentoring
  6. Stay updated on digital trends and share insights

What are signs of a negative impact of devices on my kids?

  1. Lower grades
  2. Less physical and social activity
  3. Eye strain, poor sleep, bad posture
  4. More irritability, withdrawal
  5. Neglecting hobbies, responsibilities
  6. Anxiety, depression, low self-esteem
  7. Shorter attention span, memory issues

We’ve explored the crucial steps for empowering both you and your child in the digital realm. For your convenience, download our PDF handbook — a practical resource to help you navigate your child’s tech journey with confidence.



Sooner or later (most) parents inevitably get round to buying their kids their own electronic device. According to Kaspersky’s research, 61 percent of children get their first device between the ages of eight and 12, and, perhaps surprisingly, in 11 percent of cases, they’re given their own cellphone or tablet before they turn five. It’s essential for parents to know the guidelines for introducing a device into their kids’ lives for the first time.

Together with clinical psychologist Dr. Saliha Afridi, Kaspersky is presenting cybersecurity and psychological considerations that parents would do well to be aware of before giving their kids their very first tech gadgets.

What to do before giving a gadget to a child?

Set up a Child Account before giving your offspring their first gadget. Whether it’s a phone or a tablet, it’s crucial to ensure the age-appropriateness and safety of the gadget. Even if it’s a brand-new gift, prioritize setting up this feature. A Child Account acts as a safeguard on the device, preventing things like downloads of mature content or songs with explicit content. For detailed guidance on creating a kid’s account, refer to our guide for Android or the one for iOS.

Install all the basic applications that support either communication or geo-location (like messenger and map apps), plus learning applications. And don’t forget to set up the privacy and confidentiality settings in each of the installed applications, so that the child, for example, isn’t discoverable via their phone number by unknown individuals. Tools like Privacy Checker can assist you in tailoring the optimal protection settings for various devices and platforms.

Remember to install a digital parenting app as well. This will empower you to curate content, monitor the amount of time your kid spends on specific apps (and set limits if needed), and track their current location.

How to introduce a new device into a child’s life?

Walk them through the device’s functionalities as well as the potential dangers when gifting them a new gadget. This is an opportune moment to explore its features and understand its potential pitfalls.

Craft a set of family usage rules together. In this conversation, it’s important to foster an understanding and consensus about the responsibilities and expectations tied to device ownership. To ensure a healthy balance, establish tech-free zones and times — perhaps during dinner or the hours leading up to bedtime. Designate moments for non-tech hobbies like reading, outdoor games, or puzzles, which can act as beneficial alternatives to screen time. Periodically revisiting and refining these rules as your kid grows and technology advances is key.

And remember — unless a kid shows a healthy level of engagement with real-life activities and in-person socializing, don’t introduce a smartphone or social media. One way they can earn a device is by showing that they’re capable of doing the “non-negotiables” regularly and consistently. These include sleep, exercise, homework, socializing, eating healthily, and wakeful resting periods.

How to talk to a child about online safety?

Encourage open communication from the outset. Engage junior in conversations about their online experiences — ensuring they feel safe to share both the good and the bad experiences.

Stay up to date with the latest digital trends and threats as well as high-profile cyberbullying or data breaches. Share this information with your child in a way they understand. You can learn the latest cybersecurity news via our blog.

Bring up the permanence of online actions. This includes how things shared online stay there forever and can affect their reputation and future opportunities. Kids should be especially careful about information they share about themselves: never giving out their address, geolocation or login credentials and passwords. Additionally, they should avoid using their real names as user IDs, as these can be potential clues for attackers to discover their other social media accounts. Help them understand the concept of privacy and the potential risks of sharing too much information.

Teach your kid to avoid accepting friend requests from people they don’t know in real life. It’s crucial to explain that if someone they don’t know is persistently trying to find out personal information about them or their parents, it’s a cause for concern. Your child shouldn’t feel they’re being rude or impolite if they don’t respond to a request for friendship. In social networks, just like in life, there needs to be privacy.

By having such conversations and educating your children about online risks in a non-confrontational manner, you make your kids more likely to approach you when they encounter something questionable online. You should make sure they maintain a stance of curiosity — not judgment or fear. Your reactions will determine how open they feel about sharing in the future.

And a digital parenting app serves here as a valuable tool to enable you to monitor your kids’ online searches and activity, ensuring a safer online experience.

What are the main risks I should tell my child about?

In our digital age, kids are vulnerable to cybercriminals, often because they’re unfamiliar with essential cybersecurity principles and common scam tactics. It’s our duty as guardians to educate them on these matters before they inadvertently fall prey to them.

For instance, guide your kid in identifying deceptive commercials, bogus survey requests, counterfeit lotteries, and other schemes that can jeopardize their personal data. Help them grasp the reality that, while it might be tempting to download a Barbie movie ahead of its official release, offers like these could be ploys by cybercriminals aimed at pilfering data or even siphoning money from their parents’ cards. A reliable security solution can detect and block any phishing websites or any malicious software.

Instill in your child the habit of being critical and cautious when online. Teach them to pause before clicking when it comes to dubious links, unfamiliar email attachments, or messages from unknown entities. Discuss the appropriate permissions apps should have on their devices. For example, there’s no valid reason for a Calculator app to request geolocation access.

Make conversations about cybersecurity more enjoyable and interesting by discussing the topic through games and other entertaining formats. Most importantly, instill confidence in them to approach a trusted adult when faced with unsettling or suspicious situations online.

How to check that you’re prepared?

Once a gadget appears, your family’s life will inevitably undergo a transformation, as your kid will be drawn into the realm of the internet. Rather than forbidding it, it’s advisable to guide them on proper online behavior — if used correctly, a gadget can really help kids learn and grow. However, this can only happen if they know when and how to alert their parents about any online threats they come across – whether they’re receiving strange messages from adults, requests for personal information, or stumbling upon phishing sites.

Learning, however, is a gradual process, and it doesn’t guarantee perfection from the start. Mistakes will naturally occur, such as your kid accidentally downloading malware or engaging with suspicious individuals or struggling with screen time management. Nonetheless, your role as a parent is to provide support and assistance in their learning process. Only this way can you help your child be safe online.

To get ready for the challenge, we suggest taking a peek at our complete handbook for parents about getting your kid’s first gadget.



We’ve published many posts on the security and privacy benefits of setting up a VPN on your computer, your smartphone, or even your entire home network. But there are lesser-known advantages that come to the fore if your VPN is super speedy. Want to know about them? Then let’s get started!

1. Watch foreign sports or TV shows

A familiar situation for many sports fans: having moved abroad or simply gone on vacation, you find to your annoyance that your beloved football/soccer/baseball/cricket/rugby… team’s games aren’t broadcast on TV there. The same catastrophe befalls fans of domestic TV shows that aren’t popular abroad. This issue may be solved if you can subscribe to digital broadcasts of whatever matches or shows you like in your hometown, but in other regions that service is likely to be blocked. However, the good news is that Kaspersky Secure Connection lets you watch what you paid for — wherever you are. To do this, when away, you need to select a VPN server in your home country and connect to it. That way you’ll be assigned a “native” IP address that will virtually teleport you home. You just need to make sure that both your local internet connection and VPN are up to it speed-wise. For fast VPN secrets, see the end of this post.

2. Bypass bandwidth throttling

In mobile networks, public places, and sometimes even home connections, ISPs limit communication speed, which is known as bandwidth throttling. You may notice this when visiting sites with videos or downloading large files: your internet runs much slower. This allows ISPs to save bandwidth and reduce the load on the network, but it also restricts your rights. Thanks to Kaspersky Secure Connection, which encrypts your traffic, providers and other third parties can’t see exactly what you do online or what sites you visit, and so they cannot throttle your bandwidth – however, if your ISP slows down all activities for all subscribers (blanket throttling), there’s no escape.

3. Play in the region of preference

Servers of many multiplayer games are distributed all over the world. Connecting from a certain region, you will play on the nearest server. This is done to minimize lag for all players, unite players from the same time zone, and lessen the language barrier in game chats. But this approach can cause issues too: for example, you might play at an “unsociable” hour, which means few suitable gaming partners on the nearest servers, or your team has settled on a very specific game server. Going online through Kaspersky Secure Connection in the desired region guarantees a connection to the best server for your needs. Of course, VPN speed is critical here to ensure low lag and fast data exchange, so slow VPNs and VPN protocols are a big no-no for gamers — which is why we especially recommend that gamers use our VPN, recognized for high speeds in independent tests.

On game consoles, setting up a VPN can be tricky, so console owners find it easier to set up VPN directly on the router — more on this at the end of the post.

4. Sidestep price policies

In many stores and service organizations, the price for the same goods and services differs significantly from country to country due to variances in pricing policies or simply different sales schedules. At the time of posting, Black Friday and Singles’ Day (11.11) are on the horizon, to name just a couple of shop fests. You can cash in on seasonal offers and save money by connecting to a VPN server in the desired country and thus changing your IP address. That done, logging into the regional versions of online stores, you’ll see local promotions and enjoy the best discounts.

To take full advantage of this, your VPN service should offer a wide variety of servers in different countries. For example, our VPN has more than a hundred of these, including in such exotic locations as Bangladesh, Liechtenstein, and Malaysia. With such a wide selection, finding the right server in the list can be tough, which is why the latest version of Kaspersky Secure Connection lets you add servers to a Favorites tab and quickly select the one you need.

5. Shop with peace of mind

Public networks — be it Wi-Fi at an airport, hotel, cafe, train, or bus — pose a number of risks to your devices. Among them are: third-party ads on websites; data harvesting of your online activities; the already mentioned slowdown when watching videos; and potential interception of payment information and passwords. It’s a real stinger to pay for extra baggage or window seats on your phone, only to see unexpected debits from your account after landing, right?

Over an encrypted VPN channel, none of that can happen. Nearby cybercriminals, cafe owners, and unscrupulous Wi-Fi providers can neither see nor intercept your online activity.

What’s more, our VPN can be configured to automatically turn the VPN on when connecting to unprotected Wi-Fi networks, plus you can customize the VPN settings for each Wi-Fi access point saved on your device individually. This makes it easy to configure which Wi-Fi networks need VPN protection, keeping you safe at all times.

And one other thing: if the VPN connection drops, Kaspersky VPN can automatically block all your network traffic until reconnection, ensuring your data doesn’t leak to an unsecured network.

6. Open geo-blocked websites

For both legal and security reasons, some sites choose to shut out connections from other countries. For example, many online stores aren’t accessible in countries they don’t ship goods to. The same goes for many municipal or government services provided online — access from abroad isn’t possible. If you need to use such sites, you need to point your VPN to a server in the respective country.

7. Open websites despite blocking

The opposite scenario to geo-blocking is when you arrive in a country where, say, Google or Instagram is blocked. By connecting to a VPN server in another country, you can continue to use your usual accounts and services.

Geo-blocking often creates the nuisance of having to constantly turn your VPN on and off to access certain sites or use certain apps. Kaspersky Secure Connection comes in handy here, too. By configuring rules for Smart Protection (on Android only) and Split Tunneling (on Android, Windows and macOS), you can forget about the need to keep toggling the VPN: it will activate automatically for selected apps, sites, or site categories (such as payment systems, banking sites, or online stores) or bypass VPN for apps added to the exceptions list.

What makes Kaspersky VPN the fastest?

Gaming, watching videos, downloading large files, and even conference calling all require a lightning-quick VPN connection with minimal latency and high data-transfer rates. Besides a fast enough internet connection, this requires three other jigsaw pieces: a high-performance VPN server with a strong communication channel; a sufficiently powerful client (your phone, computer, or router); and an optimized communication protocol between these two pieces.

To make our VPN the undisputed speed champion (it outperformed all six of the other VPNs in an independent test), we use the fastest servers (10 Gbps) and connect to them over the most powerful protocols: Catapult Hydra and WireGuard. According to our internal tests, Catapult Hydra is five to seven times faster than the common OpenVPN protocol in terms of connection speed and ensures exceptional privacy protection without data leaks.

Where and how to use VPN?

You can install a VPN on your smartphone, computer, tablet, and sometimes even your TV or game console. Most routers also support a VPN connection, giving you the benefits of a VPN across your entire home network all at once. Which of these scenarios is better?

For travel and business trips, setting up a VPN on your phone and laptop is a priority. If gaming or online bargain hunting is your thing, it’s best to install a VPN on your Windows or Mac computer.

For TVs, game consoles, and simultaneous VPN use on multiple devices, the encrypted channel is best deployed directly on the router. Our VPN supports the ability to connect routers using the WireGuard and OpenVPN protocols: the former delivers maximum speed even on relatively weak router models; the latter provides maximum compatibility even with older models. Simply go to the VPN section on the My Kaspersky portal, and under VPN for routers, create a configuration file by selecting the protocol and server in the desired country. Then upload it to your router’s control panel — and every device in your home network will automatically enjoy all the benefits of VPN.

Where to find the best VPN deal?

You can get Kaspersky Secure Connection either as a standalone product or as part of a Kaspersky Plus or Kaspersky Premium subscription. Besides super-fast VPN, your subscription comes with full protection for all devices — both computers and smartphones.

Fine print

Some countries prohibit the use of VPN as a technology, while others ban specific VPN usage. In addition, the license agreements of various online services explicitly prohibit the use of VPNs to bypass their regional restrictions. You should research the legal position in your specific case before opting for a VPN.



At the international Security Analyst Summit conference, our Kaspersky Global Research and Analysis Team (GReAT) experts presented some extremely exciting research. We will not repeat each of them in detail, just briefly outline the most interesting facts.

StripedFly spyware platform

This is almost a detective story about malware that was previously detected as a regular Monero cryptocurrency miner but was in fact a cover for a complex modular threat capable of infecting computers running both Windows and Linux. Various StripedFly modules can steal information from a computer, take screenshots, record audio from a microphone, and intercept Wi-Fi passwords. However, it is useful not only for spying: it also has modules that can function as ransomware and for cryptocurrency mining.

What is interesting is that the threat can spread using the EternalBlue exploit, although that vector was patched back in 2017. In addition, StripedFly can use stolen keys and passwords to infect Linux and Windows systems with an SSH server running. A detailed study with indicators of compromise can be found on the Securelist blog.

Operation Triangulation details

Another Security Analyst Summit report was dedicated to ongoing research into Operation Triangulation, which, among other things, targeted our employees. A detailed analysis of the threat allowed our experts to detect five vulnerabilities in the iOS system used by this threat actor. Four of them (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606 and CVE-2023-41990) were zero-day vulnerabilities. They affected not only the iPhone, but also iPod, iPad, macOS, Apple TV and Apple Watch. It also turned out that in addition to infecting devices via iMessage, attackers could attack the Safari browser. In this post you can read details on how our experts analyzed this threat.

New Lazarus campaign

The third report by GReAT experts was devoted to new attacks carried out by Lazarus APT. This group is now targeting software developers (some of whom have been attacked multiple times) and is actively employing supply chain attacks.

Through vulnerabilities in legitimate software for encrypting web communications, Lazarus infects the system and deploys a new SIGNBT implant, the main part of which operates in memory only. It serves to study the victim (get network settings, names of processes and users), as well as to launch additional malicious payloads. In particular, it downloads an improved version of the already known LPEClient backdoor, which also runs in memory and in turn launches malware capable of stealing credentials or other data. Technical information about the new tools of Lazarus APT group, as well as indicators of compromise, can also be found on the Securelist blog.

TetrisPhantom attack

In addition, experts provided details of the TetrisPhantom attack aimed at government agencies in the APAC region. TetrisPhantom relies on compromising a certain type of secure USB drive that provides hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers, and transfer them to other machines, also using secure USB drives. Some details about this campaign can be found in our quarterly report on APT threats.



No one likes passwords. They take ages to enter, are hard to remember, and the need for a number, symbol, uppercase letter, and a couple of hen’s teeth only makes creating them all the more difficult. But if you use the same password everywhere, or limit yourself to simple short (read — weak) passwords, sooner or later you’ll get hacked. How to combine ease of input, memorability, and hack resistance? An interesting, if unusual, way is to use emojis — yes, those same smileys 😁 and other cute icons 🔐 we love to use in chats and posts.

On today’s computers and smartphones, emojis are just as much full-fledged symbols as letters in alphabets and punctuation marks. That’s because they’re part of the Unicode standard (see here for a full list of standardized emojis), so in theory, they can be used in any text — including in passwords.

Why use emojis in passwords

Since there are a great many emojis in existence, your password can be twice as short.

When intruders try to brute-force a password containing letters, numbers, and punctuation marks, there are fewer than a hundred variations for each symbol they need to pick. But there are more than 3600 standardized emojis in Unicode, so adding one to your password forces hackers to go through around 3700 variants per symbol. So, in terms of complexity, a password made up of five different emoticons is equivalent to a regular password of nine characters, while seven emojis is equivalent to a strong password of 13 “regular” characters.

Some new emojis in Unicode

Emojis are easier to memorize. Instead of a meaningless jumble of letters and numbers, you can compose a logical sentence and create an emoji puzzle based on it. For this you can use an emoji translator or a chatbot like ChatGPT.

An emoji translator or ChatGPT can create an emoji-based puzzle-password on a given topic

Hackers don’t brute-force emojis. Various hacking tools and dictionaries for cracking passwords include combinations of words, numbers, and common substitutions like E1iteP4$$w0rd, but not (yet?) emojis. So when an attacker goes through a leaked password database, your account protected with a 👁️🐝🍁👁️🥫🪰 (“I believe I can fly”) password is very likely safe.

All this sounds too good to be true. So what are the downsides of emoji passwords? Alas, they’re sizeable.

Why not use emojis in passwords?

Not all services accept emoji passwords.

We carried out a little account-creation experiment using a password consisting of several standard emojis. It was rejected by both Microsoft/Outlook and Google/Gmail. However, Dropbox and OpenAI happily accepted it, so basically it’s a matter of experimentation.

Not every service will accept an emoji password

You’ll have to test your emoji password immediately to make sure it works. Even if you’re able to create an account with it, it may not pass verification when signing in.
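The arithmetic behind the five-versus-nine comparison, and one way an emoji password can be accepted at sign-up yet fail at sign-in, as an added example (not code from the original post). It assumes symbols picked uniformly at random, 95 printable ASCII characters for a “regular” password, and a second input method that leaves out the U+FE0F variation selector; the sample string is constructed from the “I believe I can fly” password.

```python
import hashlib
import math
import unicodedata

# Alphabet sizes from the article's figures: about 3700 symbols once emojis
# are allowed, versus 95 printable ASCII characters (assumed value for
# "fewer than a hundred").
EMOJI_ALPHABET = 3700
ASCII_ALPHABET = 95

# Constructed sample: the "I believe I can fly" password, written with escapes
# so the exact code points are unambiguous.
EYE = "\U0001F441"   # eye
VS16 = "\uFE0F"      # variation selector-16, requests emoji presentation
SAMPLE = EYE + VS16 + "\U0001F41D\U0001F341" + EYE + VS16 + "\U0001F96B\U0001FAB0"


def bits(length, alphabet):
    """Search space in bits, assuming each symbol is chosen uniformly at random."""
    return length * math.log2(alphabet)


def equivalent_ascii_length(n_emojis):
    """Length of a random ASCII password with roughly the same search space."""
    return round(bits(n_emojis, EMOJI_ALPHABET) / math.log2(ASCII_ALPHABET))


def measure(password):
    """The different 'lengths' a service may apply its limits to."""
    return {
        "code_points": len(password),
        "utf8_bytes": len(password.encode("utf-8")),
        "utf16_units": len(password.encode("utf-16-le")) // 2,
    }


def digest(password):
    """Stand-in for what a server hashes (SHA-256 for illustration only;
    real storage uses a slow password hash). NFC normalization is applied
    first to show that it does not unify the two spellings."""
    normalized = unicodedata.normalize("NFC", password)
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def variation_selector_mismatch(password):
    """True if the same-looking password typed without U+FE0F hashes differently."""
    other = password.replace(VS16, "")
    return other != password and digest(other) != digest(password)


if __name__ == "__main__":
    for n in (5, 7):
        print(n, "emojis ~", equivalent_ascii_length(n), "ASCII characters")
    print(measure(SAMPLE))
    print("sign-in mismatch possible:", variation_selector_mismatch(SAMPLE))
```

Six visible emojis here are eight code points and 30 UTF-8 bytes, so a length limit can trigger earlier than the on-screen count suggests. The equivalence only holds for randomly chosen emojis; a sentence turned into a puzzle has a much smaller search space.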

Emojis are harder to enter. On smartphones, entering emoji is simplicity itself. On desktop computers, however, it can be a bit more troublesome — though not excessively so (see below for details). In any case, you’ll have to find the emojis you need in a long list, making sure to select the right picture from several similar ones. If you work across platforms, remember to check that you can enter these emojis on both your computer and smartphone for all services you use.

Recent emojis give you away. Many smartphone keyboards display frequently used emojis at the top of the list. This information is unlikely to help online hackers, but friends or family may be able to guess or snoop on your password.

Recent emoji can reveal a lot about you to prying eyes

How to create a password with emojis

A reasonable compromise would be to add an emoji or two to your password to up its complexity. The rest of the password can then be alphanumeric, and less fancy. Of course, using emojis is no substitute for traditional security tips: using long passwords, a password manager and two-factor authentication (2FA). Speaking of which, our password manager can both store passwords with emojis and generate 2FA codes.

Emoji password and 2FA code in Kaspersky Password Manager

How to enter emoji passwords

The input method depends on your device and operating system. Smartphones have a special keyboard section for this, while on computers you can use one of these options:

  • In Windows 10 or 11, press the Win key + period simultaneously to open the emoji table in any input field. In many layouts, the key combination Win + ; also works.
  • In macOS, the emoji table is available in any application under Edit → Emoji & Symbols. To open the table from the keyboard, hold down Command + Control + Spacebar together.
  • In Ubuntu Linux (version 18 and higher), you can enter emojis by right-clicking in the input field and selecting Insert Emoji from the context menu. To call up the table from the keyboard, just like in Windows, press Win + period at the same time.
  • Input by character code. Slow and boring as it may be, this is a reliable way to input any Unicode character — not just emojis. First, look up the code of the respective character in the table, then enter it using a special key combination. In Windows, press and hold Alt, then enter the decimal code from the list on the side numeric keypad. For other OSes the process is described in more detail here.
  • But the easiest way to enter emoji passwords is to save them in Kaspersky Password Manager and insert them into the required input fields automatically.



Artificial Intelligence has become something of a buzzword of late, with start-ups across the globe jumping on the AI train in the hopes of making the next ChatGPT. But whilst the scramble to create the next big thing rolls on, employers are looking at how the current crop of tools will be used (and possibly abused) in their businesses.

Are businesses sleep-walking into a cyber-security nightmare, or are concerns around the technology overblown? Recently we conducted some research, asking business leaders their thoughts on generative AI and its use in their businesses.

A real concern?

But what are the concerns when it comes to AI exactly? After all, it’s not a security risk in the same sense as an outdated server or endpoint. To understand this properly, we first have to understand how generative AI works.

In order to work effectively, AI is constantly being fed data. From this, the tool learns and refines its outputs. But whilst that’s fine for cat pictures or poems, highly sensitive intellectual property or data is another matter entirely.

So, the risk is that staff misuse AI tools and share sensitive data or intellectual property with a third party. Outside of the fact that you could run into legal problems such as GDPR, you could end up in a position where your business is sharing private data with a tool that disseminates and reuses this data. So, broadly speaking, the concern stems from privacy and data rather than the more “traditional” security concerns that IT teams are familiar with.

Two sides to every coin

However, with all this said, many business leaders already think that generative AI is in the building, and some are even using it themselves: our research shows that around a quarter of business leaders such as CEOs (26%) are already using tools such as ChatGPT.

Whilst many of those surveyed believed that Gen AI is already in their business, most aren’t planning on doing anything about it. In fact, just over a quarter of those surveyed are actually using AI themselves for day to day activities.

What’s the solution?

So whilst we wax lyrical about the concerns of Gen AI, what pragmatic solutions are there that let businesses continue using tools such as this whilst mitigating the risks?

To understand this, we need to go back a little bit in time. Ten years ago, BYOD, or Bring Your Own Device, was hailed as a game-changer for businesses – allowing them to reduce costs and maintenance. However, businesses quickly realized that BYOD caused several issues, including not having a complete breakdown of the devices on their network and additional issues around data privacy and security. As a result, BYOD in many businesses was either restricted or blocked, or staff had to ensure IT teams had visibility over devices.

So, what does this have to do with Gen AI? Well, as John C. Maxwell once said: “You can’t trust what you don’t understand”. Business leaders need to learn more about the pros and cons of generative AI to see if it truly deserves a place in their business.

To learn more about our findings, you can read the whole report here.


#csuite #worried #Gen

Android is a well-designed operating system that gets better and more secure with each new version. However, there are several features that may put your smartphone or tablet at serious risk of infection. Today, we take a look at the three that are the most dangerous of all — and how to minimize the risks when using them.

Accessibility

Accessibility is an extremely powerful set of Android features originally designed for people with severe visual impairments. To use smartphones, they need special apps that read on-screen text aloud, respond to voice commands, and convert those commands into taps on UI controls.

For those with visual impairments, this function is not just useful — it’s essential. But the very modus operandi of Accessibility is to grant an app access to everything that’s going on in other apps. This violates the principle of strict isolation, which is a core security feature of Android.

And it’s not just tools for helping the visually impaired that take advantage of the Accessibility feature. For example, mobile antiviruses often use it to keep an eye out for anything suspicious taking place in other apps.

But every coin has a flip side. For example, malicious apps can request permission to access this feature set too. This isn’t surprising, since such access makes it easy to spy on everything on your smartphone: read messages, steal credentials and financial data, intercept one-time transaction confirmation codes, and so on.

What’s more, access to this feature allows cybercriminals to perform user actions on the smartphone, such as tapping buttons and filling out forms. For instance, malware can fill out a transfer form in a banking app and confirm it with a one-time code from a text message, all on its own.

Therefore, before you give an app access to Accessibility, always think carefully: do you really trust its developers?

Install unknown apps

By default, only the official store app has the right to install other programs on Android. Given an unmodified version of the system, this is, of course, Google Play. But together with (or instead of) Google Play, smartphone developers often use their own — such as Huawei AppGallery or Samsung Galaxy Store. Indeed, Android is a democratic operating system with no strict limitations on app download sources. You can easily allow any app to download and install programs from anywhere. But it’s just as easy to get your smartphone infected with something nasty this way too, which is why we don’t recommend using it.

Official stores are usually the safest sources for downloading apps. Before being published in an official store, apps are subjected to security checks. And if it later transpires that malware has sneaked in, the dangerous app is quickly kicked out of the store.

Sure, even Google Play is not totally immune to malware (alas, it gets in more often than we’d like). Still, official stores at least try to keep their house in order — unlike third-party sites where malware is endemic, and the owners couldn’t care less. A case in point: attackers once even managed to infect the third-party Android app store itself.

The most important thing to remember is this: if you do decide you absolutely must download and install something on your Android smartphone not from the official app store — don’t forget to disable the ability to do so immediately after the installation. It’s also a good idea to scan your device afterward with a mobile antivirus to make sure no malware’s appeared; the free version of our Kaspersky Security & VPN will do the job just fine.

Superuser rights (rooting)

Less popular than the two features above — but by no means less dangerous — is the ability to gain superuser rights in Android. This process is popularly known as “rooting” (“root” is the name given to the superuser account in Linux).

The designation is appropriate since superuser rights give superpowers to anyone who gets them on the device. For the user, they open up the usually forbidden depths of Android. Superuser rights grant full access to the file system, network traffic, smartphone hardware, installation of any firmware, and much more.

Again, there’s a downside: if malware gets on a rooted smartphone, it too acquires superpowers. For this reason, rooting is a favored method of sophisticated spyware apps used by many government intelligence agencies — as well as cutting-edge stalkerware that’s accessible to regular users.

Therefore, we strongly discourage rooting your Android smartphone or tablet — unless you’re an expert with a clear understanding of how the operating system works.

How Android users can stay safe

Lastly, a few tips on how to stay safe:

  • Be wary of apps that request access to Accessibility.
  • Try to install apps only from official stores. Yes, you can come across malware there too, but it’s still much safer than using alternative sites where no one is responsible for security.
  • If you do install an app from a third-party source, don’t forget to disable “Install unknown apps” immediately afterward.
  • Never use rooted Android unless you fully understand how root permissions work.
  • Make sure you install reliable protection on all your Android devices.
  • If you use the free version of our security solution, remember to manually run a scan from time to time. In the paid version of Kaspersky Security & VPN, scanning takes place automatically.
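The first and third tips can be checked from a computer with adb. The script below is an added example, not part of the original post: it parses the text printed by two adb commands and lists apps that hold Accessibility access or the "Install unknown apps" right without being on an allowlist. The allowlists and sample outputs are constructed, and the output format may vary between Android versions.

```python
# Inputs are the text printed by two adb commands, captured beforehand:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell appops query-op REQUEST_INSTALL_PACKAGES allow
# Output details can differ between Android versions (assumption).

# Hypothetical allowlists: list only what you enabled on purpose.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample outputs, not taken from a real device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.HelperService"
)
SAMPLE_INSTALLERS = "com.android.vending\ncom.example.filemanager\n"


def parse_accessibility(raw):
    """Return the package names of enabled accessibility services."""
    raw = raw.strip()
    if raw in ("", "null"):  # nothing enabled
        return []
    # The value is a colon-separated list of package/ServiceClass entries.
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_installers(raw):
    """Return the packages currently allowed to install other apps."""
    lines = (line.strip() for line in raw.splitlines())
    return [line for line in lines if line and line != "No operations."]


def audit(accessibility_raw, installers_raw):
    """Return (setting, package) pairs that are not on an allowlist."""
    findings = []
    for pkg in parse_accessibility(accessibility_raw):
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(("accessibility", pkg))
    for pkg in parse_installers(installers_raw):
        if pkg not in TRUSTED_INSTALLERS:
            findings.append(("install unknown apps", pkg))
    return findings


if __name__ == "__main__":
    for setting, pkg in audit(SAMPLE_ACCESSIBILITY, SAMPLE_INSTALLERS):
        print(f"review {setting}: {pkg}")
```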


#dangerous #Android #features

There’ve been more and more cases of users receiving emails seemingly from large internet companies (for example, Microsoft or its cloud service Office 365) containing QR codes. The body of these emails has a call to action: in a nutshell, scan the QR code to maintain access to your account. This post examines whether it’s worth reacting to such messages.

Scan the QR code, or face the inevitable

A typical email of this kind contains a notification saying your account password is about to expire, after which you’ll lose access to your mailbox. The password must therefore be changed, and to do that you need to scan the QR code in the email and follow the instructions.

The password must be reset by scanning the QR code

Another email could warn the recipient that their “authenticator session has expired today”. To avoid this, the user is advised to “quickly scan the QR Code below with your smartphone to re-authenticate your password security”. Otherwise access to the mailbox could be lost.


“Authenticator session has expired” — for a quick fix, scan the QR code

A further example: the message kindly informs the reader: “This email is from a trusted source” — we’ve already talked about why emails stamped “verified” should be treated with caution. The thrust of the message is that “3 important emails” supposedly cannot be delivered to the user due to lack of some kind of validation. Of course, scanning the QR code below will fix the issue.

Important emails can be delivered only by scanning the QR code for “validation”

Clearly, the authors of these emails want to intimidate inexperienced users with high-sounding words.

They’re also likely hoping that the recipient has heard something about authenticator apps — which do indeed use QR codes — so that their mere mention may stir some vague associations in their mind.

What happens if you scan the QR code in the email

The link in the QR code takes you to a rather convincing replica of a Microsoft login page.

Scanning the QR code takes you to a phishing site that steals entered credentials

Of course, all credentials entered on such phishing pages end up in cybercriminal hands. And this jeopardizes the accounts of users who fall for such tricks.

An interesting detail is that some phishing links in QR codes lead to IPFS resources. IPFS (InterPlanetary File System) is a communication protocol for sharing files that has much in common with torrents. It allows you to publish any files on the internet without domain registration, hosting, or other complications.

In other words, the phishing page is located directly on the phisher’s computer and is accessible via a link through a special IPFS gateway. Phishers use the IPFS protocol because it’s much easier to publish a phishing page this way, and much harder to remove it than to block a “regular” malicious website. As such, the links live longer.
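For mail filtering or triage, the IPFS detail above is something a defender can check once the QR code has been decoded to a URL. The following is an added example, not part of the original post: it flags URLs that address IPFS content through the native scheme, a path-style gateway, or a subdomain-style gateway. The gateway host names and content identifiers (CIDs) are constructed, and a match means "review this link", not a verdict.

```python
import re
from urllib.parse import urlparse

# CIDv0: 46 base58 characters starting with "Qm".
# CIDv1 in its usual base32 text form: starts with "b", lowercase a-z and 2-7.
CID_V0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
CID_V1 = re.compile(r"^b[a-z2-7]{50,}$")

# Constructed identifiers with the right shape; they point at no real content.
SAMPLE_V0 = "Qm" + "X" * 44
SAMPLE_V1 = "bafybei" + "a" * 52


def looks_like_cid(token):
    """True if the token has the textual shape of an IPFS content identifier."""
    return bool(CID_V0.match(token) or CID_V1.match(token.lower()))


def classify_qr_url(url):
    """Return how the URL addresses IPFS content, or None if it does not."""
    parts = urlparse(url.strip())
    scheme = parts.scheme.lower()
    if scheme in ("ipfs", "ipns"):
        return "native ipfs scheme"
    if scheme not in ("http", "https"):
        return None
    # Path-style gateway: https://<gateway>/ipfs/<cid>/...
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "ipfs" and looks_like_cid(segments[1]):
        return "path-style gateway"
    # Subdomain-style gateway: https://<cid>.ipfs.<gateway>/...
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and looks_like_cid(labels[0]):
        return "subdomain-style gateway"
    return None


if __name__ == "__main__":
    decoded = [  # constructed URLs, as if decoded from QR codes in emails
        f"https://gateway.example/ipfs/{SAMPLE_V0}/login.html",
        f"https://{SAMPLE_V1}.ipfs.gateway.example/",
        "https://login.example.com/reset",
    ]
    for url in decoded:
        print(classify_qr_url(url) or "no IPFS indicator", "-", url)
```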

How to guard against phishing QR codes

No decent authentication system will suggest scanning a QR code as your only option. Therefore, if you receive an email asking you to, say, confirm something, or sign in to your account again, or reset your password, or perform some similar action, and this email only contains a QR code, you’re probably dealing with phishing. You can safely ignore and delete such an email.

And for those times when you need to scan a QR code of an unknown source, we recommend our security solution with its secure QR code scanner function. It will check the contents of QR codes and warn you if there’s anything bogus inside.


#shouldnt #scan #codes #emails