Ask the expert: Vitaly Kamluk answers questions about malware and security issues

July 9, 2015

Vitaly Kamluk has more than 10 years of work experience in IT security and now he is Principal Security Researcher at Kaspersky Lab. He specializes in malware reverse engineering, computer forensics, and cybercrime investigations. Currently Vitaly lives in Singapore. He was hired on a secondment basis and now works in INTERPOL Digital Forensics Lab, doing malware analysis and investigation support.

We encouraged our readers to ask Vitaly questions, and there were so many that we decided to break down this Q&A session into several parts. Today, Vitaly will talk about general security issues and solutions.

Is it impossible to create a system immune to malware?

It is possible indeed, but you most likely will not have, say, Facebook on it. I am afraid that we are so used to systems that are easily upgradeable and extendable, we won’t accept something radically different, even if it provides excellent security. In other words: You will not like it.

Which areas are the most vulnerable to cyberattacks and how do they work?

My colleagues like to say that the most vulnerable area is located between the screen and the desk chair. A lot of attacks succeed thanks to social engineering tricks: making users open access to their systems of their own will. This is the sad statistical truth.

What are the possible dangers of applying a “BYOD” (bring your own device) policy in companies? And what are the suggested solutions to avoid these dangers?

It depends on what you mean by BYOD policy: restriction or limited permission. Apparently there is no danger in restricting external devices except one — it frustrates employees and makes them feel dissatisfied with their restricted working environment. Some may even take that as a challenge.

To avoid that, make sure your own working environment is convenient, fast, modern and pleasant to use. Clarify that usage of any external device is not allowed because of high security standards in your organization. Make this tradeoff transparent and acceptable by the employees. Make them respect this strategy, not suffer from it.

What would be the most important measures to consider in order to keep availability while maintaining cyber security?

Here is a model you want to consider: Each system is somewhere in the middle of the path from total security to unbound freedom (I prefer to call it flexibility). The closer you are to security, the fewer features are available in your system.

If you rush toward total security you will lose your users as they might not be ready to lose features they are used to. However, regardless of what you do, people can adapt to anything. So if your plan is to move to the side of total security, it’s better to do it slowly and gently to avoid hurting and shocking your users.

Are there still any hidden channels on the Internet?

It depends on what you call a hidden channel. There are ways to transfer information in a covert way by using a protocol that is not recognizable by common tools and analytical methods. For example, one can use a YouTube video to transfer encrypted bits in the form of visual data. There are many other options, and it’s limited only by your imagination.

Is Facebook really spying on users?

Facebook is spying on users no more than the users are spying on themselves. That summarizes my opinion on Facebook.

What is the best way to secure our Facebook and email IDs?

A few simple rules that can help you enhance your security:

  1. Use strong and unique passwords for all resources.
  2. Don’t use simple password recovery questions and answers.
  3. Enter logins/passwords only on your own computers; don’t log in on your friends’ computers and certainly don’t do it on publicly available PCs.
  4. Use reliable security software to defend against password stealers.
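Rule 1 asks for passwords that are both strong and unique. The following is an added example (not code from the article or from Kaspersky Lab) showing how a defender can generate such passwords from the operating system's CSPRNG and estimate their strength; the character pool, the 80-bit threshold and the per-site assignment helper are the example's own assumptions.

```python
import math
import secrets
import string

# Character classes used both for generation and for the strength estimate
# (the symbol set is an assumption of this example, not a standard).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length=20):
    """Draw characters with the OS CSPRNG (secrets), never random.random.
    Re-draw until every class is present so the estimate below applies."""
    if length < 8:
        raise ValueError("a password this short cannot reach a useful strength")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def estimate_entropy_bits(password):
    """Upper-bound estimate: length * log2(size of the classes actually used).
    It is exact for generate_password's output; a human-chosen password
    such as 'Passw0rd!' is far weaker than this number suggests."""
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password, min_bits=80):
    """Assumed policy threshold: 80 bits of estimated entropy."""
    return estimate_entropy_bits(password) >= min_bits


def assign_passwords(sites, length=20):
    """One distinct password per site (rule 1: 'unique for all resources').
    A password manager would store the result; here it is just a dict."""
    assigned = {}
    for site in sites:
        pw = generate_password(length)
        while pw in assigned.values():  # practically never happens, checked anyway
            pw = generate_password(length)
        assigned[site] = pw
    return assigned


if __name__ == "__main__":
    for site, pw in assign_passwords(["mail", "facebook", "bank"]).items():
        print(f"{site:10s} {pw}  ~{estimate_entropy_bits(pw):.0f} bits")
```

The entropy estimate only holds for passwords produced by the generator; for anything a person typed by hand the same formula overstates strength, which is exactly why rule 1 pairs "strong" with "unique".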

Do governments own special systems to record phone calls or do telecom companies themselves do that?

I’m not representing any government or any part of it, but it’s my opinion that governments would rather command than learn custom protocols, maintain big data storages and implement efficient search engines. I hope that answers your question. ;-)

Kaspersky Lab has found a cyber spying implant in the HDD firmware. If I work too far from your office what can I do to check data storage devices at work? How does this spyware implant into firmware and can I protect my devices?

Yes, we had an article about malicious implants aiming to reprogram the victim’s hard drives. I’m afraid even if you lived next to the Kaspersky Lab office, it would not solve the problem. Currently it’s almost impossible to check HDD firmware for virus infection.

Using software tools to receive the current firmware code, you ask the HDD firmware microcode to produce its own copy. If your microcode is modified you’ll get false results without any signs of malicious code. Unfortunately, we can now only rely on preventive measures to protect Windows OS from viruses.

But the situation is not as bad as it seems. It’s not cheap and easy to create stable firmware modifications. That’s why there will be no similar mass attack in the near future.

How should you act if you suspect that your computer is infected or has a security breach?

First of all, I need to say that it’s good to have suspicions, but avoid being obsessed with them. Some of the most efficient ways to check if you have malware include:

  1. Scan your system with a reliable AV solution — that may save you a lot of time. But don’t think that an automated scan can give you 100% reliability, so keep looking.
  2. Check your process list for suspicious and uninvited ‘guests’: I think users should know all processes running on their system by heart.
  3. Check your list of automatically started apps. There is a free Windows app for that called Sysinternals Autoruns tool.
  4. Finally, an advanced check includes attaching your computer to another one (connected to the Internet) and recording all network traffic that passes through. This should reveal suspicious activity even if it’s not visible from the compromised system.
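Steps 2 and 4 above both come down to comparing what you see against what you expect. The following is an added example (not code from the article or from Kaspersky Lab) that does that comparison: a known-good process baseline is checked against a snapshot for uninvited guests, including names one character away from a legitimate one, and a connection log recorded on the separate capture machine is scanned for hosts contacted at regular intervals, a pattern typical of malware check-ins. The process names, addresses (TEST-NET documentation ranges) and timestamps are constructed for the example; a real snapshot would come from Task Manager, `tasklist` or an Autoruns export, and the flows from whatever capture tool the second machine runs.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article).
# The baseline is the list the author says you should know by heart.
BASELINE_PROCESSES = {"system", "smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe",
                      "explorer.exe", "chrome.exe"}
# Snapshot taken on the suspect machine.
CURRENT_PROCESSES = ["system", "smss.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe", "svch0st.exe",
                     "explorer.exe", "chrome.exe", "wupdmgr.exe"]
# (UTC time, destination, port) as logged on the capture box (step 4).
CAPTURED_FLOWS = [
    ("2015-07-09 10:00:00", "203.0.113.7", 443),
    ("2015-07-09 10:00:05", "198.51.100.20", 443),
    ("2015-07-09 10:05:00", "203.0.113.7", 443),
    ("2015-07-09 10:07:30", "198.51.100.20", 443),
    ("2015-07-09 10:10:00", "203.0.113.7", 443),
    ("2015-07-09 10:15:00", "203.0.113.7", 443),
    ("2015-07-09 10:20:00", "203.0.113.7", 443),
    ("2015-07-09 10:31:12", "198.51.100.20", 443),
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def review_processes(current, baseline):
    """Return (unknown, lookalikes): names missing from the baseline, and for
    each of those the baseline name it imitates, if it is one edit away
    (e.g. svch0st.exe vs svchost.exe)."""
    unknown = sorted(set(current) - baseline)
    lookalikes = {p: k for p in unknown for k in baseline if edit_distance(p, k) == 1}
    return unknown, lookalikes


def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Report destinations contacted at (nearly) constant intervals.
    Returns {(dst, port): mean_interval_seconds}. Thresholds are assumptions."""
    by_dst = defaultdict(list)
    for ts, dst, port in flows:
        by_dst[(dst, port)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    beacons = {}
    for key, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: small means a regular, timer-driven pattern
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = mean
    return beacons


if __name__ == "__main__":
    unknown, lookalikes = review_processes(CURRENT_PROCESSES, BASELINE_PROCESSES)
    print("uninvited processes:", unknown)
    print("lookalike names    :", lookalikes)
    print("regular check-ins  :", find_beacons(CAPTURED_FLOWS))
```

A hit from either check is a lead, not a verdict: a legitimate updater also polls on a timer, so the next step is to identify the destination and the binary behind the flow, from the clean machine rather than the suspect one.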

Which Windows files are vulnerable?

Big and fat, small and thin — both can be vulnerable. All kidding aside, Microsoft does their best, really, but Windows OS is huge and it’s almost impossible to test it inside out. Besides, unreliable solutions designed by third-party developers also add fuel to the flame.

Google announced a Windows vulnerability before Microsoft released a patch. Do you have any comment on this?

I don’t know the behind-the-scenes details of that story, but I think sometimes people forget they have a common enemy. Microsoft and Google’s common enemy is the cybercriminal world that can use this vulnerability to attack innocent people. Instead of starting an internal fight, they should try to understand each other’s concerns, find a consensus, and fight on the same side.

How can I protect – among others – my email and blogs on PC and mobile from viruses?

You can secure them, but not protect them 100%. Here are five simple rules:

  1. Remove or lock unused applications and software to reduce the surface for potential attacks.
  2. Thoroughly update your system and remaining software.
  3. Use reliable and unique passwords on every resource.
  4. Be vigilant when installing new software: check who develops the app, where you got it (from the developers’ own site or a shady third-party site) and what users say about it. You should also follow your security solution’s recommendations.
  5. Set up a virtual machine without network connection to open suspicious emails with attachments.