browser security, business security, banking trojan

The Devil’s in… the browser

This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.

It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin.

Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been recommended by the outsourced IT provider.

Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work!

A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials...

At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services.

Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising her to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or client information had been compromised. That would have been the end of her legal career.

"This is why you should always use different browsers for different sorts of tasks," F-Secure Security Advisor Sean Sullivan explains. "Any browser you use for sensitive financial transactions should be used just for that, especially at work."

To get an inside look at business security, be sure to follow our Business Insider blog.

July 28, 2015
cyber war, cyber warfare, cyber pearl harbor

What would real ‘cyber war’ look like?

In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked.

F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier".

There is no international treaty that defines online rules of engagement, but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless of the author, any cyber attack on a hospital, for instance, would be illegal under existing law.

Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on a diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity.

There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe. "We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely."

He suggests that the U.S. should be much more concerned about the protection of all of its digital data. "I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape.

And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators is backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call.

Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war is being tossed around?

[Image by U.S. Naval War College | Flickr]

July 24, 2015
Jeep

3 important questions raised by Wired’s car hack

Wired.com broke a shocking but hardly surprising story on July 21st. The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenberg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration, so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering! Scary? Hell yes!

This is a great demonstration of security issues with the Internet of Things trend (IoT). Anything connected to the net can in theory be hacked and misused remotely. IoT is typically associated with “smart” appliances like toasters and fridges, but a car connected to the net is very much IoT as well. And a hacked car is a lot scarier than a hacked fridge. So let’s look at the three fundamental questions this hack raises.

How can this be possible?

Car manufacturers were caught with their pants down. They have for decades been thinking deformation zones and airbags when you say security. Now they need to become aware of digital security too. I’m confident that they already have some level of awareness in this field, but the recent Jeep incident shows that they still have a lot to learn. I’m not only thinking about preventing this from happening in the first place. No system is perfect, and they must also be able to deal with discovered vulnerabilities. A fix for the problem was created, but patching vehicles required a visit to the car dealer. Like taking your computer to the store to have Windows updates applied. No way!

This underlines that digital security is about more than just design and quality control. It’s also about incident response and maintenance processes. Good morning car manufacturers and welcome to the world of digital security. You have a lot to learn.

Ok, it can be done, but why?

We are now at the “Wow! This is really possible!” stage. The next stage will be “Ok, but how can this be utilized?” There are a lot of headlines about how we could be killed by hacked cars. That may be technically possible, but has so far never happened. Hackers and virus writers used to work out of curiosity and do pranks just because it was possible. But that was in the eighties and nineties. Earning money and collecting information are the motives for today’s cyber criminals and spies. Killing you by driving your car off a cliff will not support either of those objectives, but it does make juicy headlines. Locking your car and asking for a ransom to unlock it is, however, a plausible scenario. Turning on the hands-free microphone to spy on your conversations is another. Or just unlocking it so that it can be stolen.

Anyway, the moral of the story is that scary headlines about what car hackers can do are mostly hype. The threat will look very different when or if it becomes reality in the future. Let’s just hope that the car manufacturers get their act together before this becomes a real problem.

Should I be worried?

No. Not unless your job is to design software for vehicles. The current headlines are very important wake-up calls for the car industry, but have very little impact on ordinary consumers. Some early incidents, like this Jeep case, will be handled by calling cars to the dealer for an update. But it is clear that this isn’t a sustainable process in the long run. Cars are like appliances: any update process must be fully automatic. And the update process must be much faster than applying the latest software once a year when the car is in for routine maintenance. So any car hooked up to the net also needs an automatic update process.

But what about the hackers driving me off a cliff? You said it could be possible, and I don’t want to die.

First, does anyone have a motive to kill you? Luckily most of us don't have that kind of enemy. But more importantly, doing that may or may not be possible. Car manufacturers may be inexperienced with hacking and IT security, but they understand that any technical system can fail. This is why cars are built with safeguards at the hardware level. The Jeep hackers could steer the car remotely, but only at low speed. This is natural as the electronically controlled steering is needed for parking assistance, not for highway cruising. Disabling this feature above a certain speed threshold makes perfect sense from a safety perspective.

But, on the other hand, I can think of several scenarios that could be lethal despite low speed. And the hackers could fool the speedometer to show the wrong speed. What if they can feed an incorrect speed reading into the system that turns off electronic steering? Ok, never say never. But hiring a traditional contract killer is still a better option if someone wants you gone.

And there are naturally no safeguards between software and hardware when the self-driving cars take over. Widespread self-driving cars are still sci-fi, and hacking them is even further away. But we are clearly on a path that leads in that direction. A few wrong turns and we may end up with that problem becoming reality. The good news, on the other hand, is that all publicity today contributes to improved digital security awareness among vehicle manufacturers.

But finally back to today’s reality. It is still a lot more likely for you to be killed by a falling meteorite than by a hacker taking over your car. Not to talk about all the ordinary traffic accidents!

Safe cruising,
Micke

July 23, 2015

Latest Posts

business, security, software, usb drives

This is the third in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.

Tomasz was a finance graduate, fresh out of university. This wasn’t what he had dreamed of studying, but he expected to find a well-paid job afterwards. This is why he started working in a branch of a local cooperative bank. The job wasn’t very demanding. During the day he didn’t have to deal with many customers, which suited him just fine. It did annoy him a bit that his work computer was only connected to an internal network and not the Internet, as with every other computer in the bank. This protocol protected the system from unauthorised outside access, which is crucial for a bank. It also, however, meant that employees were not able to check their private email accounts or access newsfeeds on social networking sites.

One day, Tomasz noticed his computer behaving in a strange way. The machine was slow and crashed repeatedly, not to mention the error messages flashing on his screen. It was of no use for work. Things got even worse when the monitor simply went dark. Despite trying numerous times, Tomasz couldn’t turn it on again. He didn’t want to waste his precious time, so he called the IT department about the problem. It turned out that he wasn’t the only one. All of the computers at the bank had gone crazy. The branch had to be closed down for four hours. A ten-person IT team responded to the crisis, launching a backup system. After several hours they were able to restore all computers to working order.

What had happened was that a virus had infected the network. The head of the IT department wanted to know whose computer was attacked first. An internal investigation revealed that the malware came from Tomasz’s machine and the source of the infection was one of the bank’s flash drives. A few weeks earlier, Tomasz had copied his holiday photos to the drive to show them to his colleagues. The virus entered the device’s memory when the photos were copied from Tomasz’s private laptop.

He was quickly called into his boss’s office. Tomasz knew all too well that he had violated security protocol. He knew that he would be punished, but how harshly? In the end, Tomasz was officially reprimanded and a note was placed on his file. Considering that his negligence cost the bank several thousand euro, this was merely a slap on the wrist. However, because of his recklessness, Tomasz had endangered sensitive data stored in the bank’s system, not to mention his own future career.

Your business can be smart enough to prevent your own Tomasz from causing you heartache. "Your network can be set up so only administrators can add new hardware," F-Secure Security Advisor Sean Sullivan explained. "And why shouldn't it be?"

For more insight into how to keep your business safe, check out our Business Insider blog.

Cheers,
Sandra

July 22, 2015
AshleyMadison

The user register of AshleyMadison has been hacked. You don’t know what that is? Well, that’s perfectly fine. It’s a dating site for people who want to cheat on their spouses. Many dislike this site for moral reasons, but there is apparently a demand for it. The Canadian site has some 37 million users globally! Some user data has already been leaked out and the hackers, calling themselves Impact Team, have announced that they will leak the rest unless the site shuts down. So this hack could contribute to many, many divorces and a lot of personal problems!

"We will release all customer records, profiles with all the customers' sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses." The Impact Team

This is one hack in a long row, not the first and certainly not the last site hack where user data is leaked. But it is still remarkable because of the site’s sensitive nature. Think about it. What kind of information do you store in web portals and what bad could happen if that data leaks out? If you are cheating on your spouse, then that is probably one of the most precious secrets you have. Disclosure of it could have devastating effects on your marriage, and maybe on your whole life. Millions of users have put their faith in AshleyMadison’s hands and trusted them with this precious secret. AshleyMadison didn’t misuse the data deliberately, but they failed to protect it properly. So it’s not that far-fetched to say that they cheated on the cheaters.

What makes the AshleyMadison hack even worse is the site’s commercial nature. Users typically pay with a credit card issued in their own name. They can appear anonymously to their peers, but their true identities are known to the site owner, and stored in the database. So any leaked information can be linked reliably to real people.

The sad thing is that the possibility of a leak probably never even crossed the mind of these 37 million users. And this is really the moral of the story. Always think twice before storing sensitive information in a data system. You must trust the operator of the system to not misuse your data, but also to have the skills, motivation and resources to protect it properly. And you have very poor abilities to really verify how trustworthy a site is. This is not easy! Refraining from using a site is naturally the ultimate protection. But we can’t stop using the net altogether. We must take some risks, but let’s at least think about it and reflect on what a compromised site could mean.

This hack is really interesting in another way too. AshleyMadison is a highly controversial site as cheating is in conflict with our society’s traditional moral norms. The hack is no doubt a criminal act, but some people still applaud it. They think the cheaters just got what they deserved. What do you think? Is it right when someone takes the law into his own hands to fight immorality? Or should the law be strictly obeyed even in cases like this? Can this illegal hacking be justified with moral and ethical arguments?

Micke

Image: Screenshot from www.ashleymadison.com

July 21, 2015
hacking team, hack like a champion, why hacking team matters

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. 

List of Hacking Team customers:

• Australia - Australian Federal Police
• Azerbaijan - Ministry of National Defence
• Bahrain - Bahrain
• Chile - Policia de Investigation
• Colombia - Policia Nacional Intelligencia
• Cyprus - Cyprus Intelligence Service
• Czech Republic - UZC Czech Police
• Ecuador - Seg. National de intelligencia
• Egypt - Min. Of Defence
• Ethiopia - Information Network Security Agency
• Honduras - Hera Project - NICE
• Hungary - Special Service National Security
• Kazakhstan - National Security Office
• Luxembourg - Luxembourg Tax Authority
• Malaysia - Malaysia Intelligence
• Mexico - Police
• Mongolia - Ind. Authority Anti Corruption
• Morocco - Intelligence Agency
• Nigeria - Bayelsa Government
• Oman - Excellence Tech group Oman
• Panama - President Security Office
• Poland - Central Anticorruption Bureau
• Russia - Intelligence Kvant Research
• Saudi Arabia - General Intelligence Presidency
• Singapore - Infocomm Development Agency
• South Korea - The Army South Korea
• Spain - Centro Nacional de Intelligencia
• Sudan - National Intelligence Security Service
• Thailand - Thai Police - Dep. Of Correction
• Tunisia - Tunisia
• Turkey - Turkish Police
• USA - FBI
• Uzbekistan - National Security Service

2) What happens when a company of this kind is a victim of a hacking attack and all of its technology assets are published online?

This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team.

When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team.
For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge.

The Hacking Team leak also made at least two zero-day exploits public and forced Adobe to put out emergency patches for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was the New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from the New York Times to hack iPhones.

3) Is it possible to be protected from malware provided by companies like Hacking Team?

Yes. We've added detection for dozens of Hacking Team trojans over the years.

Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have a much harder time avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection:

Cheers,
Sandra

[Image by William Grootonk | Flickr]

July 13, 2015
adobe flash, uninstall, auto-update, click-to-play

Time to update Adobe Flash if you use it. So if you do, do it now.

Of course, it always feels like time to update Flash. For internet users, it's become our collective part-time job. It's a reminder that while the software is free, your time isn't.

This particular update was necessitated by an event you may have heard about. "The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups," Brian Krebs explained.

The Hacking Team hack raised interesting questions about government surveillance and helped rattle nerves this week as computer systems kept planes out of the air and shut down the New York Stock Exchange -- freak incidents that are completely unrelated, according to disclosures thus far.

But it doesn't take events like this to remind us that Flash exploits are so common that they're part of the business model of criminal operations like the Angler exploit kit. The key to security is always running the latest version of everything.

So how do you get yourself out of the business of constantly mitigating Adobe Flash risks? Here are three ways.

1. Quit it. This is Brian Krebs' solution. He's lived without it for more than a month as an experiment. "It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)," Krebs said. And did he notice life without it? "...not so much." So instead of updating, you can just get rid of it.

2. Auto-update. If you're going to keep it, this is the minimum precaution our Security Advisor Sean Sullivan recommends. This will make sure you're getting all the updates and will prevent you, hopefully, from being tricked into downloading malware posing as an update. So turn those "background upgrades" on.

3. Click-to-play. If you're doing number 2, you probably want to do this too.
Click-to-play means Flash elements run when you tell them to. Here's how to do it in all your browsers. Not only does this expose you to fewer risks, it makes the internet less annoying and can make your browser quicker. So why not?

So what did you choose? Let us know in the comments.

Cheers,
Jason

July 10, 2015
Wi-Fi security, Wi-Fi Hack, Wi-Fi VPN

Some are calling last year's hack of the United States' Office of Personnel Management a "cyber Pearl Harbor," which is hyperbole. But it's definitely a disaster.

The penetration of OPM's computer networks gives someone -- maybe China? -- access to the private data of millions of U.S. government employees, including clearance forms that may include details of these employees' most sensitive mental, physical and financial problems.

And the worst part is the government's excuse for who's to blame for the hack. "I don't believe anyone is personally responsible," Office of Personnel Management director Katherine Archuleta said at a Senate hearing. "We have legacy systems that are very old."

The U.S. government has been systematically starved of information technology advancements since the Office of Technology Assessment was shut down in the budget battle of 1995. So someone is definitely responsible if this was the result of the kind of systemic failure that the OPM's Inspector General has been warning about for years.

But using old technology isn't unique to governments, though the U.S. government seems to specialize in it.

Watch this video about a recent Wi-Fi experiment we conducted with penetration testing expert Mandalorian Security Services and the Cyber Security Research Institute:

Video: https://www.youtube-nocookie.com/embed/qk2RPOBpZvc?rel=0

Most of us follow the basics of security. We keep our system and security software updated. Our passwords are strong and stored safely. Hopefully you even use separate browsers for financial transactions and basic surfing/networking. But how many of us -- including the UK politicians in this video -- assume we're secure on public Wi-Fi without taking security precautions?

The hacks depicted in this experiment only took 3 hours to set up and once the equipment was in place, tablets and mobile phones could be hacked in less than 30 minutes. Sometimes as quickly as 5.

The information that can be obtained this way isn't as damaging as the OPM attack but it's not negligible either. It includes:

• Detailed browsing history
• Internet phone calls – Voice Over Internet Protocol – recorded calls
• Email accounts
• All email history and contacts
• Online financial services
• Social media accounts
• All social media data

How could this affect the victim of a hack? If you're a politician, profoundly.

"So if someone hacked it and put out messages that were detrimental, horrible or whatever, it would be a very bad thing for me in my job," Mary Honeyball, a Labour MEP for London, said. "I think that the possibility that someone could put out an unauthorised communication before an election who just wants to cause trouble is really unacceptable."

Getting fired for something you've said is bad. Losing your office or job for something you didn't say would be infinitely worse. There's also the possibility of private information being used for extortion, which has been suggested as a potential worst-case scenario consequence of the OPM hack.

Cybercrime is a numbers game and the numbers when it comes to Wi-Fi are astounding. The Wi-Fi Alliance suggests that 1 out of 4 homes globally run a Wi-Fi network. According to Strategy Analytics, some 800 million households worldwide will have adopted Wi-Fi by 2016.

In your home you can take steps to secure your network with a WPA2 password. But there are hundreds of millions of public Wi-Fi hotspots around the world. And most of them are not properly secured.

What can you do about it?

"People shouldn’t be afraid to use public Wi-Fi – it’s a fantastic service," our Security Advisor Sean Sullivan said. "But they must understand that there are risks and it is their responsibility to protect themselves.
This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app. Our Freedome VPN will encrypt all data travelling from the device to the network, meaning that the hacker will steal nothing of use. Simply turning it on gives you the best protection you can possibly have to stay safe over public Wi-Fi, so you can focus on what you’re doing instead of worrying about staying safe."

To find out more about this hack, check out this podcast:

Podcast audio: https://fsecureconsumer.files.wordpress.com/2015/07/final-podcast-f-secure-politicians-hack.wav

And you can also watch our first hack experiment on the dangers of public Wi-Fi.

Cheers,
Sandra

[Image by Johan Viirok | Flickr]

July 9, 2015