If you read our post about why you should travel with glitter nail polish, you know we love unconventional OPSEC advice that keeps strangers out of your business. That's why this quote in a recent GQ profile of Kim Kardashian, which was first pointed out by LA Times editor Amy Fiscus, stood out: "She's frighteningly organized: She tells me that before bed she deletes every single text message and e-mail from her phone, unless it's something she still needs to respond to." Is this good OPSEC? We asked one of our resident experts Camillo Särs and he was intrigued. "Yes – the practice of deleting any unnecessary copies as soon as possible is definitely good OPSEC," he explained. "Clearly that is not the actual intent here, but effective, nevertheless!" So be like the woman who broke the internet, and consider getting rid of anything you don't need to keep as soon as possible. And if you're about to go on vacation, here's a quick OPSEC tip for your email out-of-office message, which could be helping criminals trying to phish you. Is there an OPSEC tip you've picked up and feel like sharing? Let us know in the comments.
Mikko Hyppönen -- our Chief Research Officer and probably the most famous code warrior ever to come out of Finland -- likes to point out that he was born the same year as the internet. Jani -- the ten-year-old from Helsinki who made international news by earning Instagram's top bug bounty prize for uncovering a security flaw in the photo-sharing site -- was born a couple of years after Facebook was invented in 2004 and just four years before Instagram went online in 2010. And he's already made some history. Jani discovered a flaw in the site that would have allowed him -- or anyone -- to delete content from any user from the site, even stars with tens of millions of followers including Taylor Swift, Selena Gomez and Beyonce. Like any good white-hat hacker he didn't take advantage of the vulnerability. Instead, he reported the bug to Facebook, which now owns the app, directly. His maturity paid off. Even though he is not technically old enough to use the site according to Instagram's terms and conditions, he's become the youngest person ever to win a $10,000 bug bounty, which he's used to purchase a soccer ball, a bike and other essential gear for being ten. To celebrate his feat, F-Secure Labs invited Jani to visit our headquarters for a hamburger and a tour. The visit gave our experts a chance to share their stories about how they were drawn to cybersecurity. Mikko learned to love computers from his mother who was in the industry. Päivi was guided into the field by her father and discovered that she has a passion for rooting out spam. When Tomi was a kid striving to learn the rules of the coin games his friends played so he could hack them and win, he recognized that he didn't see the world like everyone else. Jani has already discovered the same thing.
Though he finds plenty of time for school and playing with his friends, he spends 2-3 hours during his off days hunting for vulnerabilities and looking out for new bug bounty programs -- like our own -- that allow him to test his skills. How did he find the vulnerability in Instagram? First he created two accounts. He posted a comment using one account and then, using just the publicly available content ID number, he was able to delete the comment using the other. Immediately he recognized the potential for such a flaw to be exploited. Mikko and Tomi were impressed by how Jani used Linux and Burp Suite -- a tool that pros like the analysts in our Labs use to analyze network traffic -- to help identify the bug. While he used to be interested in a career in video games, Jani says he's now thinking about becoming a cybersecurity specialist. Mikko and Tomi advised him to finish school and stay on the right side of the law. They also invited him to spend a week or two working at the Labs to see how he likes the job, when he's old enough. He's planning on taking them up on the offer, saying that F-Secure looks like a "fun and cool" place to work. Nice. We're always looking for new talent and even Mikko may retire one day.
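The two-account test Jani ran also works as a regression check for developers. The sketch below is an added example, not Instagram's or F-Secure's code: `CommentStore`, its method names and the account names are hypothetical, and it assumes that only a comment's author may delete it.

```python
# Added illustration: a toy comment service, not Instagram's code.
from dataclasses import dataclass


@dataclass
class Comment:
    comment_id: int   # public identifier, visible to every user
    author: str       # account that posted the comment
    text: str


class CommentStore:
    def __init__(self):
        self._comments = {}
        self._next_id = 1

    def post(self, author, text):
        comment = Comment(self._next_id, author, text)
        self._comments[comment.comment_id] = comment
        self._next_id += 1
        return comment.comment_id

    def exists(self, comment_id):
        return comment_id in self._comments

    def delete_unchecked(self, requester, comment_id):
        # Flawed: knowing the ID is treated as permission to delete.
        return self._comments.pop(comment_id, None) is not None

    def delete_checked(self, requester, comment_id):
        # Hardened: the authenticated requester must own the object.
        comment = self._comments.get(comment_id)
        if comment is None:
            return False
        if comment.author != requester:
            raise PermissionError("requester does not own this comment")
        del self._comments[comment_id]
        return True


def survives_cross_account_delete(delete_method_name):
    """Two-account check: True if account_b fails to delete account_a's comment."""
    store = CommentStore()
    cid = store.post("account_a", "constructed sample comment")
    try:
        getattr(store, delete_method_name)("account_b", cid)
    except PermissionError:
        pass
    return store.exists(cid)
```

Running the same two-account check against every state-changing operation catches the case where an identifier is public but the action behind it is meant to be restricted.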
Cyber espionage is more and more likely to play a significant role in the extraordinarily consequential elections taking place in 2016. First Russian-backed hackers breached the network of the Democratic National Committee and stole opposition research on likely Republican nominee for president Donald Trump. Now the Clinton Foundation -- established by the family of likely Democratic nominee for president Hillary Clinton -- seems to have been hacked. Any organization with some geo-political importance should assume they're next. And the smart ones were already worried. "One British government official I spoke to commented that they would be disappointed if nobody would see them relevant enough to engage in spying," says our cyber security advisor Erka Koivunen. Even before F-Secure Labs sounded the alarm about the Russian-backed "Dukes" gang last year, government officials had been aware of the cyber espionage being enabled by Advanced Persistent Threats. Anywhere there's an event of international import -- like the 2016 U.S. election or the "Brexit" vote on June 23, which will decide if the United Kingdom will stay in the European Union -- you can bet hackers are aiming to get data that hasn't been made public. For the U.S. election, campaign offices or any organization related to the candidates are prime targets. "It can be said that all the campaign groups, the Democratic National Committee, the Republican National Committee and various Super PACs are operating in a 'high-risk mode'," Erka explains. The details of the attacks help point a finger at the likely culprits. “The forensic tools they apparently used after the fact is what gave them the drop on their attackers,” Erka tells our Business Security Insider blog.
“Organizations like the DNC are high-profile targets at the moment so they should have been monitoring their network carefully, and the RNC and others involved in the upcoming US election should take note and make sure they have the ability to detect attacks as they unfold. Relying entirely on forensic work has limitations, but it’s better than nothing and in this case the investigators were able to get evidence to help determine what happened and how the breach occurred, which led to educated guesses about who was responsible.” Though the perpetrators of both the DNC and Clinton Foundation attacks seem to be Russian, the risk of intrusion comes from both domestic rivals and international foes. You may remember that the U.S.'s Watergate scandal that led to the resignation of President Richard Nixon began with a physical breach of the DNC's offices. And foreign leaders -- such as Vladimir Putin -- are very interested in any dirt Democrats may have discovered on Trump, who is new to politics. Campaign and foundation networks -- with large, transient and constantly stressed staffs -- are the perfect target for the sort of tactics groups like the Dukes have used to fool users into inviting them into their network, including spearphishing. For the Brexit vote, "campaign organizations would not be the primary target," Erka says. "Instead, EU’s and member states’ governments' plans to respond to either outcome would be highly interesting to nation-states," he adds. "The negotiation positions are the most valuable assets the governments both in the UK and in other member states have. Knowledge about those will be useful even for the more mundane purpose of financial speculation." Are such attacks taking place now? "We can confirm that there is activity taking place towards the UK government. As this is happening in a continuous fashion it is however extremely difficult to tell whether it is specifically attributable to the referendum."
So what should groups protecting data that other countries are after do? "I would encourage campaigns like the DNC to plan and deploy a continuous monitoring scheme that would give out timely indication of not only the breach but also attempts to penetrate the controls and gain foothold," Erka says. "Expect to be breached and make sure the evidence is preserved in a separately controlled place." Without such a scheme attacks could last, as the DNC one seems to have, for well over a year. "Without access to 'offline' monitoring data you will have a slim chance of conducting any investigation without tipping the attackers as they have a plan to hide their tracks, leave quickly and come back when the dust has settled," he says. Hackers are a lot like roaches. If you don't clear them out completely, you may not see them anymore but they know how to get right back in. "Once in, these guys will have no difficulty in coming back again. They either leave backdoors that they can exploit or at least know the target well enough and literally inside out that they can plan their next inject by choosing several possible vectors." So you have two choices if you're involved in international politics: protect your network or hope you're so irrelevant that no one bothers to hack you.