Apple’s App Store is considered a reliable platform for downloading apps. So much so, in fact, that users often assume there’s no danger at all: what could possibly be wrong with an app that’s been moderated by Apple? App Store verification is indeed effective, and news about malicious or phishing apps on the platform is uncommon.
All the same, malware creators do occasionally sneak under the App Store’s radar. This post examines three fraudulent apps we’ve found in the official Apple store, and what precautions you can take to avoid a financial hit.
Scam apps in the App Store
The three we’ve found all share a common theme: investment. If the descriptions are to be believed, two are for tracking the current value of cryptocurrency assets. The third seems to be some kind of investment game, which, I quote, “plunges you into the world of financial decisions, making you feel like a real office worker. You will have to make complex financial decisions that will affect your character’s mood and the state of their wallet”.
Scam apps we’ve found in the App Store
When the user opens any of these apps almost anywhere in the world, the program, having checked the location by IP address, shows what was promised in the description: either a simple app for tracking cryptocurrencies, or a mini-game with multiple-choice questions.
If the user is in Russia, however, the app downloads far less innocuous phishing content. First, the victim is promised a decent income of at least $1000 a month. What’s more, you can start investing supposedly with small amounts — “from $110” — and expect your first profit “in just a few days”; access to the platform is, of course, free.
The promises of fabulous riches are followed by a rather long and detailed questionnaire. The scammers’ aim here is to get you to “invest” a certain amount of time and effort in the process; this is so that, come the key stage of the scam, the victim will be reluctant to give up that investment.
The culmination is a form asking for your first name, surname, and phone number so that “an investment platform specialist can be in touch”. Once the contact information is sent, the phishers promise to call you shortly.
And they’re true to their word. According to user reviews in the App Store, during the phone call with the “specialist”, the hapless user is persuaded to “invest” a certain amount in a highly dubious financial project. The outcome isn’t hard to predict: the fantastic payback never materializes, and the victim’s investment disappears.
Although user reviews of all three malicious apps warn about fraud, only when we reported them did the App Store moderators sit up and take notice. At the time of posting, all three apps have been removed from the App Store.
But how did they even get there in the first place? We can’t give a definite answer, of course — only Apple itself can do so after a thorough investigation. We can only assume that when the apps were being moderated, they only displayed harmless content since they were designed to download the phishing questionnaire from the internet as a regular HTML page. And then, after the apps had been approved and placed in Apple’s official store, the scammers modified the uploaded content.
How to stay safe
The iOS architecture is built to keep user apps as isolated as possible from the rest of the device’s system and from user data. Because of this, there’s no way to create a “classic” antivirus for iOS: it simply won’t have the necessary access to other programs and data running in the system. Apple works on the assumption that App Store moderation protects against malicious apps such as these. But, as we now see, its safeguards can be bypassed by substituting uploaded content with phishing once the app is approved. And because the App Store currently hosts around two million apps, the moderators simply don’t have time to respond quickly to user complaints.
Therefore, the next line of defense becomes all-important. Kaspersky: VPN & Antivirus for iOS with Plus and Premium subscriptions analyzes traffic and promptly detects attempts to open phishing sites on your device. Dangerous pages get blocked straight away and a warning is displayed.
Here’s how Kaspersky: VPN & Antivirus for iOS responds to an attempt by a scam app in the App Store to download phishing content
And although all the scam apps we found this time around singled out users in Russia, the same technologies could just as well be used to target any audience in any country in the world — the only question is when. So, as you can see, iOS needs protection just as much as Android.
Over the first 23 years of this century, the Linux operating system has become as ubiquitous as Windows. Although only 3% of people use it on their laptops and PCs, Linux dominates the Internet of Things, and is also the most popular server OS. You almost certainly have at least one Linux device at home — your Wi-Fi router. But it’s highly likely there are actually many more: Linux is often used in smart doorbells, security cameras, baby monitors, network-attached storage (NAS), TVs, and so on.
At the same time, Linux has always had a reputation of being a “trouble-free” OS that requires no special maintenance and is of no interest to hackers. Unfortunately, neither of these things is true of Linux anymore. So what are the threats faced by home Linux devices? Let’s consider three practical examples.
Router botnet
By running malware on a router, security camera, or some other device that’s always on and connected to the internet, attackers can exploit it for various cyberattacks. The use of such bots is very popular in DDoS attacks. A textbook case was the Mirai botnet, used to launch the largest DDoS attacks of the past decade.
Another popular use of infected routers is running a proxy server on them. Through such a proxy, criminals can access the internet using the victim’s IP address and cover their tracks.
Both of these services are constantly in demand in the cybercrime world, so botnet operators resell them to other cybercriminals.
NAS ransomware
Major cyberattacks on large companies with subsequent ransom demands — that is, ransomware attacks — have made us almost forget that this underground industry started with very small threats to individual users. Encrypting your computer and demanding a hundred dollars for decryption — remember that? In a slightly modified form, this threat re-emerged in 2021 and evolved in 2022 — but now hackers are targeting not laptops and desktops, but home file servers and NAS. At least twice, malware has attacked owners of QNAP NAS devices (Qlocker, Deadbolt). Devices from Synology, LG, and ZyXEL faced attacks as well. The scenario is the same in all cases: attackers hack publicly accessible network storage via the internet by brute-forcing passwords or exploiting vulnerabilities in its software. Then they run Linux malware that encrypts all the data and presents a ransom demand.
Spying on desktops
Owners of desktop or laptop computers running Ubuntu, Mint, or other Linux distributions should also be wary. “Desktop” malware for Linux has been around for a long time, and now you can even encounter it on official websites. Just recently, we discovered an attack in which some users of the Linux version of Free Download Manager (FDM) were being redirected to a malicious repository, where they downloaded a trojanized version of FDM onto their computers.
To pull off this trick, the attackers hacked into the FDM website and injected a script that randomly redirected some visitors to the official, “clean” version of FDM, and others to the infected one. The trojanized version deployed malware on the computer, stealing passwords and other sensitive information. There have been similar incidents in the past, for example, with Linux Mint images.
It’s important to note that vulnerabilities in Linux and popular Linux applications are regularly discovered (here’s a list just for the Linux kernel). Therefore, even correctly configured OS tools and access roles don’t provide complete protection against such attacks.
Basically, it’s no longer advisable to rely on widespread beliefs such as “Linux is less popular and not targeted”, “I don’t visit suspicious websites”, or “just don’t work as a root user”. Protection for Linux-based workstations must be as thorough as for Windows and macOS ones.
How to protect Linux systems at home
Set a strong administrator password for your router, NAS, baby monitor, and home computers. The passwords for these devices must be unique. Brute forcing passwords and trying default factory passwords remain popular methods of attacking home Linux. It’s a good idea to store strong (long and complex) passwords in a password manager so you don’t have to type them in manually each time.
Update the firmware of your router, NAS, and other devices regularly. Look for an automatic update feature in the settings — that’s very handy here. These updates will protect against common attacks that exploit vulnerabilities in Linux devices.
Disable Web access to the control panel. Most routers and NAS devices allow you to restrict access to their control panel. Ensure your devices cannot be accessed from the internet and are only available from the home network.
Minimize unnecessary services. NAS devices, routers, and even smart doorbells function as miniature servers. They often include additional features like media hosting, FTP file access, printer connections for any home computer, and command-line control over SSH. Keep only the functions you actually use enabled.
Consider limiting cloud functionality. If you don’t use the cloud functions of your NAS (such as WD My Cloud) or can do without them, it’s best to disable them entirely and access your NAS only over your local home network. Not only will this prevent many cyberattacks, but it will also safeguard you against incidents on the manufacturer’s side.
Use specialized security tools. Depending on the device, the names and functions of available tools may vary. For Linux PCs and laptops, as well as some NAS devices, antivirus solutions are available, including regularly updated open-source options like ClamAV. There are also tools for more specific tasks, such as rootkit detection.
For desktop computers, consider switching to the Qubes operating system. It’s built entirely on the principles of containerization, allowing you to completely isolate applications from each other. Qubes containers are based on Fedora and Debian.
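The “disable web access” and “minimize unnecessary services” tips above come down to one question: which services on the device accept connections from outside the box? The added example below (written for this post; it is not a Kaspersky tool) answers it for any Linux system you can run Python on, such as a Linux PC or a NAS with SSH enabled, by parsing the kernel’s `/proc/net/tcp` table and reporting listening sockets that are bound to something other than loopback. The sample table embedded in the script is constructed; `audit_live()` reads the real file when it exists. The port-to-service map is a small constructed list of services commonly found on home routers and NAS boxes.

```python
import socket
import struct
from pathlib import Path

# Constructed sample of /proc/net/tcp: SSH (0x16 = 22) and FTP (0x15 = 21) listening on all
# interfaces, CUPS printing (0x277 = 631) and a web UI (0x50 = 80) bound to loopback only, plus
# one ESTABLISHED connection (state 01) that an audit must ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18730 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18731 1 0000000000000000 100 0 0 10 0
   2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18732 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18733 1 0000000000000000 100 0 0 10 0
   4: 0201A8C0:0016 0A000001:D43C 01 00000000:00000000 00:00000000 00000000     0        0 18734 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket

# Constructed map of ports commonly exposed by home routers and NAS devices
KNOWN_SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
                  445: "SMB", 548: "AFP", 631: "IPP printing"}


def hex_to_ipv4(hex_ip: str) -> str:
    """/proc/net/tcp stores the IPv4 address as one little-endian 32-bit word in hex."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def parse_listeners(text: str):
    """Return (ip, port) for every listening IPv4 socket in /proc/net/tcp-formatted text."""
    listeners = []
    for line in text.splitlines()[1:]:            # the first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        listeners.append((hex_to_ipv4(ip_hex), int(port_hex, 16)))
    return listeners


def exposed_services(listeners):
    """Keep sockets other machines can reach: anything not bound to a 127.x.x.x address."""
    return [(ip, port, KNOWN_SERVICES.get(port, "unknown"))
            for ip, port in listeners if not ip.startswith("127.")]


def audit_live(path: str = "/proc/net/tcp"):
    """Audit the running host; returns [] on systems where the file does not exist."""
    p = Path(path)
    if not p.exists():
        return []
    return exposed_services(parse_listeners(p.read_text()))


if __name__ == "__main__":
    for ip, port, name in exposed_services(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"{name:<13} {ip}:{port}  reachable from the network; disable it if unused")
```

A socket bound to `0.0.0.0` accepts connections from every interface, so if the device also has port forwarding or UPnP enabled on the router, that service is reachable from the internet; the safe state for an admin interface is a loopback or LAN-only binding plus the router-level block described above. IPv6 listeners live in `/proc/net/tcp6` with a 32-hex-digit address field and are not covered by this script.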
By now, as the end of the first quarter of the 21st century draws near, everyone is surely aware that user passwords are digital gold, and that protecting them is a key aspect of ensuring data security and privacy. Yet despite this, not all companies store passwords properly even now.
In this post we look at how NOT to store user passwords, and what methods are used by services that take security seriously.
The wrong way: storing passwords in plaintext
The simplest method is to store passwords in an unencrypted database. When a user tries to sign in, authentication is just a matter of matching what they enter against what’s in the database.
But there’s always a risk that attackers might steal this database one way or another — for example, by exploiting vulnerabilities in the database software. Or a password table might get stolen by an ill-intentioned employee with high access privileges. Also, leaked or intercepted employee credentials could be used to steal passwords. Put simply, there are plenty of scenarios where things can go pear-shaped. Remember: data stored in open form is precisely that — open.
A slightly better way: encrypted passwords
What if you store passwords in encrypted form? Not a bad idea at first glance, but it doesn’t work well in practice. After all, if you store encrypted passwords in the database, they have to be decrypted each and every time to compare them with user input.
And that means the encryption key will be somewhere close by. If that’s the case, this key can easily fall into hackers’ hands along with the password database. So, that defeats the whole purpose: the cybercriminals will be able to quickly decrypt this database and get passwords in plaintext, so we end up back where we started.
As cryptographers jest in all seriousness, encryption doesn’t solve the problem of data privacy — it just makes it a problem of secure key storage. You can come up with some sort of cunning schemes that may reduce the risks, but in general it won’t be possible to reliably secure passwords this way.
The proper way: storing password hashes
The best method is not to store passwords at all. If you don’t have something — it can’t get stolen, right?
But how to check whether a signing-in user has entered the correct password? That’s where hash functions come into play: special cryptographic algorithms that scramble any data into a fixed-length string of bits in a predictable but irreversible way.
Predictable here means that the same data is always converted into the same hash. And irreversible means that it’s completely impossible to recover the hashed data from the hash. That’s what any online service does if it cares about user data even just a tiny bit and values its reputation.
When a user creates a password during registration, it’s not the password itself but its hash that is stored in the database along with the username. Then, during the sign-in process, this hash is compared against the hash of the password entered by the user. If they match, it means the passwords are the same.
In the event of a database leak, it’s not the passwords that the attackers get hold of, but their hashes, from which the original data cannot be recovered (irreversibility, remember?). Of course, this is a vast improvement security-wise, but it’s still too soon to rejoice: if the cybercriminals get their hands on the hashes, they might attempt a brute-force attack.
The even better way: salted hashes
After obtaining your database, the hackers might try to extract the passwords through brute force. This means taking a combination of characters, calculating its hash, and looking for matches across all entries in the database. If no matches are found, they’ll try another combination, and so on. If there’s a match, the password that was used to calculate the hash in the database is now known.
Worse still, the process of cracking hashed passwords can be sped up considerably by means of so-called rainbow tables. Rainbow tables are huge data arrays of precalculated hashes for the most commonly used passwords. As such, they make it easy to search for matches in the stolen database. And it’s all done automatically, of course, so the password-cracking process becomes too quick for comfort.
However, there is some good news: it’s impossible to calculate the hashes of all possible character combinations in advance — a complete rainbow table for any hashing algorithm will take up more disk space than there is on the planet. Even for the not-overly-reliable MD5 algorithm, such a hypothetical table would contain (deep breath) 340 282 366 920 938 463 463 374 607 431 768 211 456 records. Which is why only the most common combinations get included in rainbow tables.
To combat the use of rainbow tables, cryptographers came up with a solution that utilizes another important property of hash functions: even the tiniest change in the source text alters the hashing result beyond all recognition.
Before a password hash is computed and written to the database, a random set of characters (called a salt) is added to the password. This way, the hashes in the database are modified to the extent that even the most basic, obvious and frequently used passwords like “12345678” and “password” cannot be brute-forced with rainbow tables.
The simplest variant uses the same salt for all passwords. But the most hack-resistant one creates a separate salt for each individual record. The beauty of this approach is that salts can be stored in the same database with no additional risk: knowing the salt does not make the attackers’ task much easier. To crack the hashes, they will still have to apply pure brute force — go through every single combination.
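To make the difference between the last three sections concrete, here is an added example (written for this post, not code from the original article) that stores a password the “proper” way and the “even better” way side by side. Unsalted hashing gives every user with the same password the same digest, so a precomputed table recovers it instantly; a per-record random salt makes two records for the same password differ, and the table finds nothing. It goes one step beyond the text by using an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) rather than a single SHA-256 call, so that each brute-force guess also costs the attacker real CPU time. The iteration count and the list of “common passwords” are constructed values for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the iterated hash (constructed default for the example): tune it so one
# verification costs tens of milliseconds on your own hardware.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The 'proper way' from the text but with no salt: one fixed digest per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted record for the database: a fresh random salt per user, never the password itself."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # The salt is stored next to the hash; knowing it does not help an attacker, as the text says.
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_rainbow_table(common_passwords) -> dict:
    """Constructed stand-in for a rainbow table: precomputed unsalted hash -> password."""
    return {unsalted_hash(p): p for p in common_passwords}


def rainbow_lookup(table: dict, stored_hash: str) -> Optional[str]:
    """What an attacker does with a leaked hash: look it up in the precomputed table."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_rainbow_table(["123456", "12345678", "password", "qwerty"])
    # Unsalted: two users with the same password share one hash, and the table recovers it.
    print("unsalted lookup:", rainbow_lookup(table, unsalted_hash("password")))
    # Salted: the same password yields different records, and the table finds nothing.
    alice, bob = make_record("password"), make_record("password")
    print("records differ:", alice["hash"] != bob["hash"])
    print("salted lookup:", rainbow_lookup(table, alice["hash"]))
    print("sign-in ok:", verify("password", alice), "| wrong password:", verify("Password", alice))
```

The “same salt for all passwords” variant mentioned above corresponds to calling `make_record` with a fixed `salt` argument for every user: it still defeats a generic rainbow table, but once the shared salt leaks an attacker can build one table for the whole database, which is why the per-record salt is the recommended form.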
The more online services adopt this method of not storing passwords at all, the less likely a mass theft of user credentials (and the subsequent trouble associated with account hacking) will occur.
When I was growing up, I never gave much thought to the communications between my parents and my teachers. Typically, there was a back-to-school night; if ever I did something wrong, the communication was made in a phone call from the teacher or principal; and there were letters/results that needed to be signed by my parents.
Now, if you were raised in the 80s/90s and are a little bit like me, there’s a chance that your parents didn’t always see these letters/results and the letters maybe had a forged signature or two. To be fair, karma caught up with me on a few occasions and my son wrote a note to his teacher once as well signing it with “Love, name redacted’s Mom”.
While my son’s note gave all involved a chuckle, in all seriousness, technology has now enabled communications between parents and teachers and also teachers and their students. Likewise, there are multiple ways for students to connect with other students. With all these tech-enabled communications for school, there are multiple “human element” fail points – so being a security company with a blog, we’d be remiss not to offer some tips to keep you and your kids safe and sound.
Parent to teacher
Who remembers the pandemic? You know, the one that introduced us to the lovely world of remote learning. At the time, it was nice to see how the educational system was flexible enough to embrace technology quickly and ensure that the kiddos’ education could continue.
Fast-forward a few years to today and the technology still has a firm grip within the school systems. As a resident of the U.S., my children are now using Chromebooks vs textbooks and there are various apps that the teachers use to keep us up to date on progress. There are a number of these apps and they’ll vary from case to case, but ours are Remind and Google Classroom.
While these platforms are very integrated and easy, they still also tie into emails. So parents should be extra careful to make sure that the sender and the links within mails aren’t malicious.
Student to teacher
The above-listed apps are also used for students to communicate with teachers; however, they also have the added level of an internal email that could be used to communicate with the teachers directly. While email in Google’s ecosystem should be locked down and be more of an internal messenger, it’s good practice to let kids know they should be cautious of what they’re sending to teachers, as well as the links that teachers are sending along that direct them outside their school’s ecosystem.
Student to student
Perhaps the most tricky part of kids going to tech-enabled school is that we live in a tech-enabled society. This means that (almost) everyone has a smartphone or other connected device and the ills that come with them – including messaging apps, social networks, a camera and SMS.
Perhaps the biggest risk that we have when discussing schools and tech is the phones within the pockets of our little ones. There are simply too many avenues for sharing that our kids can take advantage of. As parents, we need to make sure that we have them set up with a device that’s secure. And before you say it, NO – the device is not secure out of the box, despite marketing messaging. You should make sure that you install a reliable security solution on any device your kids use to help add in a layer of extra protection. Here are some tips that can help further secure the phone.
Sharing is not always caring
This final tip is for both parents and kids. Repeat after me: Sharing is not always caring.
While many applications provide the ability to share what you’ve received via various channels, when it comes to schooling, this should be avoided. Also, as mentioned, our phones are the biggest risk to us.
We literally have at our fingertips the ability to broadcast our opinions, thoughts, pictures, videos… even what we’re doing on the toilet in real time and to the whole world. Sure, this is empowering, but it is also something that could come back to hurt us.
This is a lesson we need to remember as parents and also to impart to our children. Being prudent is a huge part of life: not everything needs to be shared. We all need to take a minute to take a step back and think about what we’re doing before hitting send.
Now, before I preach to the choir, I’ll admit that I often post stupid things: you can see this on my X, for example; however, I still think before hitting send. As parents, we need to let our kids know that the stuff they post could not only get them in trouble (broadcasting fights, illegal activity, etc.), but also that there are things that could hurt them well down the line in the employment space. As they say… the internet never forgets!
Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.
But, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have many more browsers in your system this very minute than you think…
What is Electron, and why do application developers want to use it?
Electron is a cross-platform desktop application development framework that employs web technologies — mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.
Main page of the Electron framework official site. Source
Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.
Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.
Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.
Electron’s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.
Et tu autem, Brute! You can find Electron in apps you least expect to
Summing up, the Electron framework is popular among developers — most particularly because it allows them to greatly accelerate and simplify the application development process for all desktop operating systems in one go.
Issues with Electron-based applications
Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: like a snail, each such app carries its whole home on its back — a full-blown Chromium browser. In effect, the app operates through that browser, which serves as a sort of intermediary.
Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.
New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year, more than 70 high-severity and three critical-severity vulnerabilities have been found in Chromium as of the time of writing. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quickly. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that can be used for attacks by cybercriminals out in the wild.
Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source
For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).
Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app’s vendor has released a new version and successfully communicated to users the need to install it.
So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.
The framework’s creators know full well about the problem, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.
And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates.
Which desktop applications are based on Electron?
Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:
1Password
Agora Flat
Asana
Discord
Figma
GitHub Desktop
Hyper
Loom
Microsoft Teams
Notion
Obsidian
Polyplane
Postman
Signal
Skype
Slack
Splice
Tidal
Trello
Twitch
Visual Studio Code
WhatsApp
WordPress Desktop
I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).
That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).
The list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones. Source
Security considerations
So how to avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably embedding into desktop apps? I have three main tips regarding this:
Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact of using the framework normally suggests that the service has an extremely advanced web version, which is most likely on a par with the desktop application in terms of features and convenience.
Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.
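The second tip, inventorying Electron-based apps, is the one that can be automated. The added example below (written for this post; it is not an Electron project tool or a Kaspersky product) walks one or more directories and flags application folders that carry the files Electron’s packaging ships with every app: `app.asar`/`electron.asar` under `resources`, the `LICENSE.electron.txt`/`LICENSES.chromium.html` notices, or the `Electron Framework.framework` bundle on macOS. This marker list is an assumption based on what packaged apps look like in practice, not an official list. Reporting the embedded Electron version is best-effort: the script greps binaries for a contiguous `Electron/x.y.z` string, which may not exist in every build, so callers must accept `None` and then compare any version found against the framework’s release notes. The fake app tree used for the demonstration is constructed inside a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed markers (from observed packaged apps, not an official Electron list)
MARKER_FILES = {"app.asar", "electron.asar", "LICENSE.electron.txt", "LICENSES.chromium.html"}
MAC_FRAMEWORK_DIR = "Electron Framework.framework"

# Best-effort version grep; whether this string is contiguous in the binary depends on the build
VERSION_RE = re.compile(rb"Electron/(\d+\.\d+\.\d+)")
LARGEST_SCAN_BYTES = 512 * 1024 * 1024


def grep_version(path: Path, chunk: int = 1 << 20):
    """Scan one file in chunks, keeping a small overlap so a match across a boundary is found."""
    try:
        if not path.is_file() or path.stat().st_size > LARGEST_SCAN_BYTES:
            return None
        with path.open("rb") as f:
            tail = b""
            while True:
                data = f.read(chunk)
                if not data:
                    return None
                m = VERSION_RE.search(tail + data)
                if m:
                    return m.group(1).decode()
                tail = data[-32:]
    except OSError:
        return None


def app_root_for(dirpath: Path) -> Path:
    """Markers sit in <app>/resources on Windows/Linux and inside the .app bundle on macOS."""
    for parent in [dirpath, *dirpath.parents]:
        if parent.suffix == ".app":
            return parent
    return dirpath.parent if dirpath.name == "resources" else dirpath


def find_electron_apps(roots):
    """Return {app_root: version_or_None} for every Electron app found under the given roots."""
    found = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            hit = bool(MARKER_FILES & set(filenames)) or MAC_FRAMEWORK_DIR in dirnames
            if not hit:
                continue
            app = app_root_for(Path(dirpath))
            if app in found:
                continue
            version = None
            for candidate in sorted(app.rglob("*")):
                version = grep_version(candidate)
                if version:
                    break
            found[app] = version
    return found


def build_demo_tree(base: Path) -> Path:
    """Constructed fixture: one fake Electron app and one unrelated tool, for offline use."""
    app = base / "FakeApp"
    (app / "resources").mkdir(parents=True, exist_ok=True)
    (app / "resources" / "app.asar").write_bytes(b"\x00" * 64)
    (app / "FakeApp").write_bytes(b"\x00" * 40 + b"Chrome/114.0.0.0 Electron/25.8.1 Safari/537.36\x00")
    (base / "Other" / "bin").mkdir(parents=True, exist_ok=True)
    (base / "Other" / "bin" / "tool").write_bytes(b"not an electron app")
    return app


def demo() -> dict:
    """Run the inventory over the constructed tree; returns {relative app path: version}."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        build_demo_tree(base)
        return {str(app.relative_to(base)): v for app, v in find_electron_apps([base]).items()}


if __name__ == "__main__":
    print(demo())
```

On a real workstation, point `find_electron_apps` at the usual install locations (for example `C:\Users\<user>\AppData\Local` and `C:\Program Files` on Windows, `/Applications` on macOS, `/opt` and `/usr/share` on Linux) and treat every hit as a separate browser instance whose update schedule you need to track.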
After Elon Musk “broke” his Twitter (now known as X) and Mark Zuckerberg released his Threads, there’s been a lot of talk on the internet about something called the Fediverse. Many see it as humanity’s last hope to escape the current social network mess.
In this post, we take a look at what this Fediverse is, how it works, what it offers users right now, and what it may change in the near future.
What’s wrong with regular social networks?
Let’s start with why the Fediverse is needed in the first place. The main problem with today’s social networks is that they’ve become too closed and self-absorbed (not to mention there are an awful lot of them). Often, you’re not even able to access a significant portion of a social network’s content if you’re not registered on it — and don’t even think about further interactions on the platform.
For example, to like a post on Twitter or leave a comment on a YouTube video, you have to be registered. When it comes to social networks that are part of Mark Zuckerberg’s empire, it’s even worse: without an account, you usually can’t even get acquainted with the content, let alone like it.
The second major problem with social networks is that they don’t really produce anything themselves. Users create all the content on social networks, which the massive and powerful corporations behind the networks then profit from. And, of course, corporations have absolutely no respect for their users’ privacy — collecting an incredible amount of data about them. This has already led to major scandals in the past, and will most likely result in a whole bunch of problems in the future if nothing changes drastically.
The way things are currently organized, there’s another significant risk associated with the complete lack of user control over the platforms that they are, in fact, creating. Let’s just imagine a huge social network, which just happened to play a significant role in global politics, being taken over by a person with rather peculiar views. Its users are left with no choice but to adapt — or look for another platform with a more reasonable owner.
The Fediverse is designed to solve all these problems of conventional social networks: excessive centralization, complete lack of accountability, content isolation, collection of user data, and violation of user privacy.
The theoretical side: what the Fediverse is, and how it works
The Fediverse (a combination of “federation” and “universe”) is an association of independent social networks, which allows users to interact with each other in much the same way as they would within a single platform. That is — read, subscribe/follow, like, share content, comment, and so on.
And each platform participating in the Fediverse is federated itself: it consists of a community of independent servers (referred to as “instances” within the Fediverse).
An essential feature of the Fediverse is therefore decentralization. Each instance within the Fediverse has its owners (who independently create and maintain the server and bear all expenses for its operation), its own user community, rules, moderation system, and often some sort of theme.
The specially designed ActivityPub protocol is used for interaction among all these independent instances. ActivityPub is developed by the organization that specializes in creating common protocols that the internet runs on — the World Wide Web Consortium (W3C).
Mastodon.social is the largest instance of Mastodon, the largest social network in the Fediverse
Anyone can create their own instance within the Fediverse. All you have to do is:
Rent or set up a server at home;
Install the appropriate server software on it (usually open-source, free);
Connect to the internet;
Pay for the domain;
Create a community, and develop its rules, theme, and so on.
It’s important to note that a significant portion of the Fediverse, at least for now, runs on pure enthusiasm, and sometimes on donations from supporters or some occasional banners. There’s currently no sustainable commercial model here, and it seems that there is no intention to implement one yet.
How the Fediverse works for the average user
From an ordinary user’s perspective, they register on one of the servers that belong to a particular social network that’s part of the Fediverse. Then, with this same account, they can interact with users on any other server within the Fediverse, much as if you could use a Twitter account to comment on a YouTube video or follow someone on Instagram. This removes the boundaries between different social networks, along with the need to create separate accounts in each of them.
However, in reality, it’s not as simple as it sounds: Fediverse instances are often quite closed communities, not particularly welcoming to outsiders, and registration can often be inaccessible. Logging into one social network with an account from another is usually not possible at all. Moreover, there’s no way to search across instances in the Fediverse.
So, basically, yes, you can indeed access the content of (almost) any Fediverse user without leaving the instance where you’re registered. You can probably even comment, like, or repost that user’s content, all while staying within the comfort and familiarity of your own instance. But there’s one catch — you need to know the address of that user. And knowing it isn’t so simple because, as mentioned above, there’s no search function in the Fediverse.
Pixelfed — A federated alternative to Instagram
Explaining the Fediverse by analogy
Most people use the analogy of email to explain the Fediverse: it doesn’t matter which server you’re registered with, you can still send an email to anyone; for example, to your mom’s Gmail account from your work address at bigcorp.com. But personally, I think email is not the best analogy here — it’s too simple and uniform. In my opinion, it’s much better to describe the Fediverse in terms of the good old telephone system.
The global telephone system integrates a bunch of different technologies, from rotary dial phones connected to analog switching centers, to smartphones on the cutting-edge 5G network, and from virtual IP telephony numbers to satellite-link communication. For the end user, the technological solution underlying any particular network is completely unimportant. And there can be any number of these networks. They all support a single protocol for basic interaction, making them compatible with each other — you can call any number, whether it’s virtual or satellite.
Similarly, in the Fediverse, whether a platform is primarily text-based, video streaming, or graphic, it can participate in the project and its users can “call” other platforms.
This is how one of the instances of the microblogging platform Pleroma looks. Source
However, the compatibility of telephone networks is far from complete. Each network may have its own special services and features — try sending an emoji to your great-grandmother’s landline phone. And on top of universal addressing (the international phone number format) there are often some local quirks: all those 0s or 00s instead of a normal country code, the possibility of not entering any codes at all when calling within a specific network (such as a city or office network), different formats for recording numbers (various dashes, brackets, and spaces, which can easily confuse people unfamiliar with local rules), and so on.
Again, the same goes for the Fediverse: while its platforms are generally connected and compatible at the top level, the user experience and functionality vary greatly from one platform to another. To figure out how to “make a long-distance call” (that is, perform a certain action on a given service), you often have to delve into the local specifics. It might actually be impossible to “call” certain instances because, while they formally support all the necessary technologies, they’ve decided to isolate themselves from the outside world for some reason.
In general, compared to email, the Fediverse is a much more diverse and less standardized collection of relatively unique instances. But despite this uniqueness, these instances do allow their users to interact with each other to some extent since they all support a common protocol.
Lemmy — one of the Reddit analogs in the Fediverse
The practical side: which services are compatible with the Fediverse now, and which ones will be in the future
Now let’s turn to the practical side of the issue — what social networks are already operating within the Fediverse. Here’s a list of the most significant ones:
Mastodon — The largest and most popular social platform within the Fediverse, accounting for about half of its active users. It’s a microblogging social network — a direct Twitter analogue.
Misskey and Pleroma — Two other microblogging platforms that attract users with their atmosphere and cozy interface. Misskey was created in Japan, which has ensured its high popularity among fans of anime and related topics.
Misskey — microblogging with a Japanese twist
PixelFed — A social networking platform for posting images. It’s a Fediverse version of Instagram but with a focus on landscape photography rather than glamorous golden poolside selfies.
PeerTube — A video streaming service. I’d like to say it’s the local equivalent of YouTube. However, since creating video content is so expensive, this analogy doesn’t completely hold up in reality.
Funkwhale — An audio streaming service. This can be considered a local version of Soundcloud or Spotify — with the same caveat as PeerTube.
Lemmy and Kbin — Social platforms for aggregating links and discussing them on forums. Sounds complicated, but they’re basically federated versions of Reddit.
Of course, these aren’t all the platforms within the Fediverse. You can find a more comprehensive list here.
A glimpse into the global future of the Fediverse
Another service worth mentioning that currently supports the ActivityPub protocol is the content management system WordPress. Some time ago an independent developer created a plugin for WordPress to ensure compatibility with this protocol.
Recently, Automattic, the company that owns both WordPress and Tumblr, acquired the plugin and hired its developer. Meanwhile, at the end of last year, Tumblr also announced future support for ActivityPub. Apparently, Automattic really believes in the potential of the Fediverse. Mozilla, Medium, and Flipboard are also now showing serious interest in the Fediverse.
But the most important — and quite unexpected — development for the federation of decentralized social networks was the promise made by Mark Zuckerberg’s company to add ActivityPub support to the recently launched social network Threads. It’s not yet been specified when exactly this will happen or in what form; however, if or when it does, several hundred million people from Threads/Instagram may suddenly join the existing few million Fediverse users.
What will this sudden popularity lead to? This isn’t such a simple question. Many long-time Fediverse users are visibly concerned about a possible invasion of “tourists”, and how these newcomers — accustomed to the noise of “big” social networks — will impact the communities that have been so carefully cultivated within the project.
How will the Fediverse cope with these sudden changes? Only time will tell. But one thing’s for sure: the further development and evolution of the Fediverse will be very interesting to watch…
In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.
Phishing email with invitation
Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.
Email to employees inviting them to undergo a self-evaluation
Convincing it may be, but all the same the email does contain a few identifiable red flags regarding phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.
What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.
Fake self-evaluation form
Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.
Last three questions of the fake questionnaire
This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.
Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.
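The three red flags just described (a sender domain that doesn’t match the company, shouting urgency, and a masked “password” keyword at the end of the form) turned into checks, as an added example rather than code from the original post; the company domain, sender address, URL and form text are constructed for the example.

```python
"""Heuristics for the red flags described in the HR "self-evaluation" lure.
Added example, not code from the original post; company domain, sender
address, form text and URL are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed victim organization
# Urgency phrases quoted in the post, matched case-insensitively
URGENCY_PHRASES = ("compulsory for everyone", "by end of day")
# Characters substituted for letters to dodge keyword filters
MASK_CHARS = set("*•_#")

def sender_domain_mismatch(msg, company_domain=COMPANY_DOMAIN):
    """True when From: is neither the company domain nor one of its subdomains."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    company = company_domain.lower()
    return bool(domain) and domain != company and not domain.endswith("." + company)

def shouty_urgency(text):
    """Return (urgency phrases found, ALL-CAPS words of 4+ letters)."""
    lowered = text.lower()
    phrases = [p for p in URGENCY_PHRASES if p in lowered]
    caps = re.findall(r"\b[A-Z]{4,}\b", text)
    return phrases, caps

def obfuscated_keyword(text, keyword="password", max_masked=2):
    """Find `keyword` even when up to `max_masked` letters are replaced by
    mask characters ('pa**word', 'p*ssw*rd'); a literal-string filter
    misses exactly these variants."""
    hits = []
    for token in re.findall(r"[A-Za-z*•_#]+", text):
        if len(token) != len(keyword):
            continue
        masked = 0
        for ch, want in zip(token.lower(), keyword):
            if ch == want:
                continue
            if ch in MASK_CHARS:
                masked += 1
            else:
                break  # a different real letter: not this keyword
        else:
            if masked <= max_masked:
                hits.append(token)
    return hits

def score_lure(raw_email, form_text=""):
    """Combine the three red flags into a score with readable findings."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings, score = [], 0
    if sender_domain_mismatch(msg):
        findings.append("sender domain does not match the company")
        score += 3
    phrases, caps = shouty_urgency(msg.get("Subject", "") + "\n" + body)
    if phrases:
        findings.append("urgency pressure: " + ", ".join(phrases))
        score += 2
    if len(caps) >= 2:
        findings.append("shouting capitals: " + ", ".join(sorted(set(caps))))
        score += 1
    masked = obfuscated_keyword(form_text)
    if masked:
        findings.append("credential request in form: " + ", ".join(masked))
        score += 4
    verdict = "likely phishing" if score >= 5 else "low risk"
    return {"score": score, "verdict": verdict, "findings": findings}

# Constructed lure modelled on the campaign described above
LURE_EMAIL = """\
From: HR Department <hr@eldercare-charity.example.org>
Subject: Employee Self-Evaluation - COMPULSORY for EVERYONE

The self-evaluation promotes candid dialogue between staff members and
their managers. It is COMPULSORY for EVERYONE and must be completed
by End Of Day: https://survey.example.net/self-evaluation
"""

# Constructed copy of the last questions on the fake form
LURE_FORM = """\
Q9. Enter your email address.
Q10. Enter your pa**word for authentication.
Q11. Re-enter your pa**word for confirmation.
"""

# Constructed benign internal reminder for comparison
BENIGN_EMAIL = """\
From: HR Department <hr@example-corp.com>
Subject: Annual review schedule

The annual review window opens next month; book a slot with your manager.
"""

if __name__ == "__main__":
    print(score_lure(LURE_EMAIL, LURE_FORM), score_lure(BENIGN_EMAIL))
```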
How to stay safe
To stop company employees falling for phishing, keep them informed of all the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular training sessions and checks, for example with our Kaspersky Automated Security Awareness Platform.
Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.
“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.
Security alerts
The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.
What to do
1. Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
2. Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
3. Leverage an MSSP, MDR service or commercial SOC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.
Emails with warnings
Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.
What to do
1. Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
2. Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.
These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.
Emails flagged by employees
Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.
What to do
1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.
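The two triage ideas above (turning vendor notices into structured alerts with a simple script, and automatically setting aside known-safe mail among employee reports) as an added example, not the post’s own code: an allowlisted sender counts as safe only when the gateway’s Authentication-Results header records a DKIM pass for that domain, duplicate copies of one notice collapse into a single item, and everything else goes to a human. The allowlist, domains, subjects and messages are constructed.

```python
"""Triage for a shared security inbox: vendor notices and employee-reported
"suspicious" mail. Added example, not code from the original post. Header
names are standard (From, Subject, Authentication-Results per RFC 8601);
the allowlist, domains, subjects and bodies are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist of routine senders (status pages, internal newsletters).
# Honoured only when the message carries a matching DKIM pass.
KNOWN_SAFE_DOMAINS = {"status.example-vendor.com", "news.example-corp.com"}
SEVERITY_RE = re.compile(r"\b(critical|high|medium|low)\b", re.I)
# Reply/forward prefixes that mail clients add; stripped so copies collapse
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd|aw)\s*:\s*)+", re.I)
DKIM_RE = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.I)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def authenticated_domain(msg):
    """Signing domain recorded by the gateway, or None without dkim=pass."""
    m = DKIM_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None

def normalized_subject(msg):
    return PREFIX_RE.sub("", msg.get("Subject", "")).strip().lower()

def classify(msg):
    """Route one message: known-safe, dashboard alert, or a human."""
    domain = sender_domain(msg)
    if domain in KNOWN_SAFE_DOMAINS:
        if authenticated_domain(msg) == domain:
            return {"route": "known-safe", "severity": None}
        # Allowlisted name without an aligned DKIM signature is a possible
        # spoof, so it must not ride the allowlist past the analysts.
        return {"route": "manual-review", "severity": "high",
                "reason": "allowlisted sender without DKIM alignment"}
    sev = SEVERITY_RE.search(msg.get("Subject", ""))
    if sev:
        return {"route": "dashboard-alert", "severity": sev.group(1).lower()}
    return {"route": "manual-review", "severity": "unknown",
            "reason": "no severity in subject"}

def triage(raw_messages):
    """Classify every message and collapse copies of the same notice (same
    sender domain, same subject minus Re:/Fwd:) into a single item."""
    items = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = (sender_domain(msg), normalized_subject(msg))
        if key in items:
            items[key]["copies"] += 1
            continue
        item = classify(msg)
        item.update(sender=key[0], subject=key[1], copies=1)
        items[key] = item
    return list(items.values())

# Constructed messages as they might land in the shared inbox
SAMPLES = [
"""\
From: Vendor Security <advisories@example-vendor.com>
Subject: CRITICAL: security advisory for ExampleGateway 4.2
Authentication-Results: mx.example-corp.com; dkim=pass (signature verified) header.d=example-vendor.com; spf=pass

Please review the advisory at the vendor portal.
""",
"""\
From: Vendor Security <advisories@example-vendor.com>
Subject: RE: CRITICAL: security advisory for ExampleGateway 4.2
Authentication-Results: mx.example-corp.com; dkim=pass header.d=example-vendor.com

Resending in case the first copy was missed.
""",
"""\
From: Status <noreply@status.example-vendor.com>
Subject: Scheduled maintenance on Saturday
Authentication-Results: mx.example-corp.com; dkim=pass header.d=status.example-vendor.com

No action required.
""",
"""\
From: Status <noreply@status.example-vendor.com>
Subject: Action required: confirm your account details
Authentication-Results: mx.example-corp.com; dkim=fail header.d=status.example-vendor.com

Please confirm your details to keep access.
""",
"""\
From: Alice <alice@example-corp.com>
Subject: Fwd: Your mailbox is almost full

Is this one real? Forwarding just in case.
""",
]

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```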
Prohibitions, risk assessments, and risk negotiations
As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.
Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.
What to do
1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.
Checklists, reports, and guidance documents
Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.
What to do
1. Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
2. Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
3. Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.
Selecting security technologies
New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.
What to do
1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.
Security training
Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.
What to do
Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.
Videocalls became much more widespread after the COVID-19 pandemic began, and they continue to be a popular alternative to face-to-face meetings. Both platforms and users soon got over the teething problems, and learned to take basic security measures when hosting videoconferences. That said, many online participants still feel uncomfortable knowing that they might be recorded and eavesdropped on all the time. Zoom Video Communications, Inc. recently had to offer explanations regarding its new privacy policy, which states that all Zoom videoconferencing users give the company the right to use any of their conference data (voice recordings, video, transcriptions) for AI training. Microsoft Teams users in many organizations are well aware that turning on recording means activating transcription as well, and that AI will even send premium subscribers a recap. For those out there who discuss secrets on videocalls (for instance in the telemedicine industry), or simply have little love for Big Tech Brother, there are less known but far more private conferencing tools available.
What can we protect ourselves against?
Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.
Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.
Signal: a basic tool for smaller group calls
We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.
Signal lets you set up videoconferences for up to 40 participants in a familiar interface
WhatsApp and FaceTime: just as easy — but not without their issues
Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while FaceTime calls are only available to Apple users.
Jitsi Meet: self-hosted private videoconferencing
The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It can host meetings with dozens to hundreds of participants and offers screen sharing, chat and polling, co-editing of notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.
Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website
Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.
Matrix and Element: every type of communication — fully encrypted
The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.
Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a Matrix address formatted as @user:server.name. That allows you to talk freely to other users, including those registered with different servers.
Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.
The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.
Element is a fully featured environment for private conversations, with video chats just one of the available options
Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.
Zoom: encryption for the rich
Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.
Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it
You can enable encryption for smaller meetings as well, but still only if you have a Large Meeting License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.
Digital wellbeing isn’t just about privacy and protection against online scammers and equipment failure. It’s also about having some level of control over our social networks, our screen time, and what we spend on digital services. These outlays are increasingly taking the form of subscriptions. Sure, recurring payments have long been the standard for cell phone billing, music and video streaming services, watching TV and reading online magazines and newspapers, but these days you can sign up for pretty much anything, including delivery of regular consumer goods — like socks or coffee. In many cases, a subscription is the only way to get hold of apps, games, and other online stuff — ever more services are switching to this model, and the number of subscriptions is snowballing. Even automakers are getting in on the subscription game, and soon it might not be possible to turn on the seat heating or use the sat-nav without subscribing to the respective service.
Almost everyone underestimates their subscription costs. According to this fascinating survey, the average American thinks they spend US$86 per month on subscriptions, when the real figure is a whopping US$219! And besides online, there are other recurring payments: mortgages, loans, utility bills, public transport, gym memberships and the like, all of which need to be budgeted so you don’t suddenly find yourself broke.
Monthly subscription costs: expectation versus reality. (Source)
As trite as it sounds, how to save money couldn’t be simpler: cancel subscriptions you don’t use. No less than 42% of respondents admitted to having stopped using an app or service and then forgetting to stop paying for it. Even active subscriptions, renewed for years without change, become less economical over time: by changing your plan to a newer one, applying a promo code, or looking at competitors, you can save a lot.
But more often there’s another problem: 74% of users forget when payment is due. If the subscription auto-renews, it can burn a large hole in your pocket. If you pay manually, forgetting could result in termination of the service. And that can spell trouble if it’s your phone or something equally important.
Free trial
Another common way to accidentally fork out is by subscribing to apps and services that offer a free trial period. The service takes your card number on sign-up, but doesn’t charge you. After a week, month or whatever length of trial period, the first payment falls due. If during this time you decide the service is not for you, what are the chances you forget to go into the settings and cancel the subscription? As practice shows — very high. Such user forgetfulness is now being exploited by less-than-squeaky-clean developers who sell apps on the App Store and Google Play with exorbitant monthly fees (for example, US$90 per month for a regular calculator!). Such apps are known as fleeceware.
How to manage subscriptions properly
To get the most out of your subscriptions, plan your outlays carefully, never pay for unnecessary services, and follow a few simple rules:
Make a general list of subscriptions so you know exactly what, when and how much you’re paying.
Update the list as soon as you subscribe to a new service. Bear in mind that renewing a subscription may be cheaper or more expensive than the first payment — check the small print!
Check the list on a regular basis (say, monthly) to plan your spending for the coming month.
Checking regularly will help you remember to cancel subscriptions you don’t wish to renew. Note that to cancel a subscription it’s usually not enough to simply uninstall the app — you need to go to your personal account or to a special subsection of the App Store/Google Play to cancel it.
Keep an eye out for sales and promotions, such as Black Friday. They often give discounts on subscription renewals.
Despite their outward simplicity, all these tips have one major drawback: they require a high level of self-discipline and attentiveness. They involve record-keeping and list-updating, and not everyone will have the time or inclination. But there is an easier, more convenient way — in the shape of a specialized subscription management service. Speaking of which, Kaspersky Product Studio recently released such an app, called SubsCrab.
SubsCrab helps you manage subscriptions and save money
SubsCrab makes it easy to keep a list of subscriptions, remember when and how much to pay, and find ways to economize.
A single glance at the SubsCrab home screen will provide all subscription details for the current month, as well as monthly outlays, due dates, and the cost of each subscription
You can add all your subscriptions to the app in one of two ways:
Manually. You yourself select subscriptions from a long list of paid services and payment plans. There are already more than 4000 subscription services and 11,000 related plans in the database.
Mailbox scan. The app searches your mailbox for emails from all known services, and automatically determines the plan and payment date. Email data is not sent anywhere; all processing takes place on your smartphone.
Adding a new subscription to SubsCrab couldn’t be simpler
Future app updates will add two more methods:
Bank statement scan. This feature will only work in the U.S. and some EU countries using the Open Bank API, which is supported by around 15,000 banks. As with email scanning, subscriptions will be searched for locally, and no transaction data will leave your smartphone.
Screenshot scan of subscription page in the App Store or Google Play.
This makes it easy to add new subscriptions to the app as soon as they appear.
When all your subscriptions are in SubsCrab, the app will remind you about upcoming payments, show your total spending for the selected month or year, and help with general budget planning.
Never miss a payment with SubsCrab Push notifications
Click or tap on any subscription and you’ll see its current settings, but it’s the bottom of the card that’s the really interesting part. That’s where discount promo codes get published, plus a list of alternative services that do the same job. If you want to cut costs, you can try switching to one of these competitor services or find out how to unsubscribe.
Cards are a handy source of subscription details, alternatives, and promo codes
It might sound odd, but SubsCrab itself is a subscription service. The free version lets you manually enter subscriptions from the database, choose alternative services, and get reminders and statistics.
The paid version of SubsCrab can automatically find subscriptions in your mailbox, as well as maintain and analyze multiple subscription lists — for different family members or different tasks (entertainment, work, health, etc.); only this version gives you access to promo codes for tasty discounts on your favorite subscriptions.
And if all this helps you cut costs and take control of hundreds, perhaps thousands of dollars you spend annually and unaccountably on subscriptions, the juice is worth the squeeze.