Ask the expert: Vitaly Kamluk answers questions about malware and security issues

Vitaly Kamluk answers our readers’ questions about malware counteraction and various security issues

Vitaly Kamluk

Vitaly Kamluk has more than 10 years of work experience in IT security and is Principal Security Researcher at Kaspersky Lab. He specializes in malware reverse engineering, computer forensics, and cybercrime investigations. Currently Vitaly lives in Singapore. He was hired on a secondment basis and now works in the INTERPOL Digital Forensics Lab, doing malware analysis and investigation support.

We asked our readers to pose questions to Vitaly. Actually, there were so many questions that we decided to break this Q&A session down into several parts. Today Vitaly will talk about general security issues and solutions.

Is it impossible to create a system immune to malware?

It is possible indeed, but you most likely will not have, say, Facebook in it. I am afraid that we are so used to systems that are easily upgradable and extendable that we won’t accept something radically different, even if it provides excellent security. In other words you would not like it.

Which areas are the most vulnerable to cyberattacks and how do they work?

My colleagues used to say that the most vulnerable area is located between the screen and the desk chair. A lot of attacks succeed thanks to social engineering tricks: making users open access to their systems by their own will. This is the sad statistical truth.

What are the possible dangers of applying a “BYOD” (bring your own device) policy in companies? And what are the suggested solutions to avoid these dangers?

It depends on what you mean by your BYOD policy: restriction or limited permission. There is no danger in restricting external devices except one — it frustrates employees and makes them feel dissatisfied with a restricted working environment. Some may even take that as a challenge.

To avoid that, make sure that your own working environment is convenient, fast, modern and pleasant to use. Clarify that usage of any external device is not allowed because of the high security standards in your organization. Make this tradeoff transparent and acceptable to the employees. Make them respect this strategy, not suffer from it.

What would be the most important measures to consider in order to keep availability and keep on maintaining cyber security?

Here is a model you may want to consider. Each system is somewhere in the middle of the path from total security to unbound freedom (I prefer to call it flexibility). The closer you are to security, the fewer features are available in your system.

If you rush toward total security you will lose your users, as they might not be ready to lose features they are used to. However, regardless of what you do, people can adapt to anything. If your plan is to move to the side of total security, it’s better to do it slowly and very gently to avoid hurting and shocking your users.

Are there still any hidden channels on the Internet?

It depends on what you call a hidden channel. There are ways to transfer information in a covert way by using a protocol that is not recognizable by common tools and analytical methods. For example, one can use a YouTube video to transfer encrypted bits in the form of visual data. There are many other options and it’s limited only by your imagination.

Is Facebook really spying on users?

Facebook is spying on users no more than the users are spying on themselves. That summarizes my opinion on Facebook.

What is the best way to secure our Facebook and email ids?

A few simple rules that can help you enhance your security:

  1. Use strong and unique passwords for all resources.
  2. Don’t use simple password recovery questions and answers.
  3. Enter logins/passwords only on your own computers, don’t log in on your friends’ computers and certainly don’t do it on publicly available PCs.
  4. Use reliable security software to defend you against password stealers.

Do governments own special systems to record phone calls or do telecom companies themselves do that?

I’m not representing any government or any part of it, but my feeling is that governments would rather command than learn custom protocols, maintain big data storage and implement efficient search engines. I hope that answers your question. 😉

Kaspersky Lab has found a cyber spying implant in HDD firmware. If I work too far from your office, what can I do to check data storage devices at work? How does this spyware implant itself into firmware and can I protect my devices?

Yes, we had an article about malicious implants aiming to reprogram the victim’s hard drives. I’m afraid even if you lived next to the Kaspersky Lab office, it would not solve the problem. Currently it’s almost impossible to check HDD firmware for virus infection.

When you use software tools to read the current firmware code, you are asking the HDD firmware microcode to produce a copy of itself. If your microcode is modified, you’ll get false results without any signs of malicious code. Unfortunately we can only rely on preventive measures to protect the Windows OS from viruses.

But the situation is not as bad as it seems. It’s not cheap and easy to create stable firmware modifications. That’s why there will be no similar mass attack in the near future.

How to act if you suspect that your computer is infected or has a security breach?

First of all, I need to say that it’s good to have suspicions, but avoid being obsessed with them. Some of the most efficient ways to check if you have malware include:

  1. Scan your system with a reliable AV solution — that may save you a lot of time. But don’t think that an automated scan can give you 100% reliability, so keep looking.
  2. Check your process list for suspicious and uninvited ‘guests’: I think users should know all processes running on their system by heart.
  3. Check the list of automatically started apps. There is a free Windows app for that called Sysinternals Autoruns.
  4. Finally, an advanced check includes attaching your computer to another one (connected to the Internet) and recording all network traffic that passes through. This should reveal suspicious activity even if it’s not visible from the compromised system.
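The last step, recording traffic from a second machine, only helps if you can spot the pattern in what you captured. The following is an added example (not from the interview) that parses a constructed connection log and flags destinations contacted on a near-fixed timer, a common sign of a compromised host calling home; the log format and all addresses are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one line per outbound connection seen by the monitoring
# machine, "<epoch seconds> <src ip> -> <dst ip>:<port>". Not a real capture.
SAMPLE_CAPTURE = """\
1000 192.168.1.20 -> 203.0.113.5:443
1004 192.168.1.20 -> 203.0.113.9:443
1060 192.168.1.20 -> 198.51.100.7:8443
1120 192.168.1.20 -> 198.51.100.7:8443
1181 192.168.1.20 -> 198.51.100.7:8443
1203 192.168.1.20 -> 203.0.113.5:443
1240 192.168.1.20 -> 198.51.100.7:8443
1301 192.168.1.20 -> 198.51.100.7:8443
1350 192.168.1.20 -> 203.0.113.9:443
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)$")

def parse_capture(text):
    """Return {(dst_ip, port): [timestamps]} for every parseable line."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, _src, dst, port = m.groups()
        conns[(dst, int(port))].append(int(ts))
    return conns

def find_beacons(conns, min_hits=4, max_jitter=0.15):
    """Flag destinations contacted at near-constant intervals.

    Malware that calls home on a timer produces gaps between connections
    that cluster tightly; ordinary browsing does not. A destination is
    flagged when it has at least min_hits connections and the standard
    deviation of its gaps is at most max_jitter times the mean gap.
    Returns a list of ((dst_ip, port), mean_gap_seconds, hit_count).
    """
    findings = []
    for dest, times in conns.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            findings.append((dest, avg, len(times)))
    return findings

if __name__ == "__main__":
    for (ip, port), interval, hits in find_beacons(parse_capture(SAMPLE_CAPTURE)):
        print(f"{ip}:{port} contacted {hits} times, every ~{interval:.1f}s")
```

Tune `min_hits` and `max_jitter` to the capture length: a short capture needs a lower hit threshold, and implants that add random delay need a looser jitter bound.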

Which Windows files are vulnerable?

Big and fat, small and thin — both can be vulnerable. All kidding aside, Microsoft does their best, really, but Windows OS is huge and it’s almost impossible to test it inside out. Besides, unreliable solutions designed by third-party developers also add fuel to the fire.

Google announced a Windows vulnerability before Microsoft released a patch. Do you have any comment on this?

I don’t know the behind-the-scenes details of that story, but I think that sometimes people forget that they have a common enemy. Microsoft and Google’s common enemy is the cybercriminal world that can use this vulnerability to attack innocent people. Instead of starting an internal fight, they’d rather try to understand each other’s concerns, find a consensus and fight on the same side of the barricade.

How can I protect, among other things, my email and blogs on PC and mobile from viruses?

You can secure them but not protect them 100%. Here are five simple rules:

  1. Remove or lock unused applications and software to reduce the surface for potential attacks.
  2. Thoroughly update your system and remaining software.
  3. Use reliable and unique passwords on every resource.
  4. Be vigilant when installing new software: check who develops the app, where you got it (from the developer’s own site or a shady third-party site) and what users say about it. You should also follow your security solution’s recommendations.
  5. Set up a virtual machine without network connection to open suspicious emails with attachments.