One of the stranger perils of being a technical writer involves being ambushed at odd moments by people demanding on-the-spot explanations of complex technical concepts. I was out on the town one night and somehow found myself having to explain to a not-too-tech-savvy friend how to differentiate between a virus, a trojan and a worm.
After patiently listening to a lengthy, rambling answer, my friend thought it over for a minute and then asked, “So, why should I care? Why is this important to me? Do I really need to know the difference between different types of malwares?”
My automatic reaction was to say, “Of course you need to!” – but to my surprise, I couldn’t coherently express why I felt that way (though to be fair, I was having trouble thinking clearly about anything that night).
Thinking it over in the sober light of day, I realized that he’d actually asked a pretty good question. For most computer users, the difference between malware types is academic and irrelevant – at least, right up until their computer gets infected. If everything’s working just fine, why in the world should they be able to distinguish between an exploit and a backdoor?
To get a expert’s opinion on this, I relayed my friend’s question to an Analyst in our Response Lab. His reply was (and I’m paraphrasing here):
“Yes, so that if anything happens, you’d know how the computer got infected, how to deal with the infection, and how to prevent it from spreading.”
Now, that’s the condensed version of a technical person’s answer. The real answer was actually a long, in-depth and detailed explanation covering how certain malware types had specific behaviors and particular vectors for distribution, as well as recommendations for dealing with particular types of infection.
And that there was the problem in a nutshell – it’s a lot of information to absorb. It was a thorough answer, but not an easy one to communicate to people with little interest in technicalities. Some parts of the explanation also assumed more computer knowledge than most users would probably have or want.
Having said that, I thought the condensed version of our Analyst’s answer seemed like a helpful, ‘user-friendly’ answer. It summarizes all the main points effectively, puts it in a context most users would understand and – this is important – it isn’t long-winded. I’ll come back to this again a little later.
Trying to find a simple, all-encompassing answer to my friend’s question made me wonder if he really had a point and that users didn’t really need to know something as technical as malware types. So I decided to turn the question around and ask:
“Are there any cases in which ‘the average user’ doesn’t need to know the difference between malware types?”
The following four scenarios were the only ones I could think of where knowing malware types wouldn’t be helpful (if you can think of others, feel free to leave a comment). Of course, I included some reasons why I think knowing malware types would be helpful even in these situations.
If you can honestly claim this, you’re probably what I’d call an Exemplary User: someone who diligently updates the operating system and programs, never installs programs or uses removable media without thoroughly vetting it first, doesn’t download from untrusted sources and basically, just does computer security right.
An Exemplary User can laugh with scorn at looming malware outbreaks. If this describes you, great! You can stop reading now. (Heck, you probably know the malware types already, anyway).
Since the vast majority of users will never qualify for Exemplary Userhood however (myself included), the second best scenario is:
No, I’m not starting a PC versus Mac debate. What I mean is that even if malware does get onto your computer, it needs to find a suitable environment before it can have an effect. A Linux virus that somehow manages to get onto a Windows machine usually can’t do anything except blush sheepishly. Ditto for a backdoor that uses HTTP to connect to a remote site but ends up on a standalone computer without Internet acess.
If your computer happens to be set up so that the majority of malware doesn’t target it or affect it (now you can start the PC/Mac debate), then our query becomes moot. Again, congratulations!
Of course, most people have very little choice in the kind of operating system or programs they have on their computer, particularly business users. Even home users usually have to consider familiarity and affordability over specifically tailoring their computer to be malware resistant. To fix that, most users use antivirus protection. Which leads to reason 3:
Actually, since I work for a computer security company, I’d reeeaaally like it if more people could claim this. And hey – shameless plug – our Internet Security is doing pretty well in independent tests!
Unfortunately, this solution isn’t 100% bulletproof, especially if you’re not an Exemplary User or are just plain unlucky. Sometimes, the antivirus doesn’t catch the malware. Or it makes an error and the wrong file get fingered, causing all sorts of mayhem. Worse still, the antivirus turns out to be rogueware.
In other words, the program you’re depending on to sort out all the problems….doesn’t. What then? Ah, then we move on to reason 4:
OK, so the person fixing an infected computer should be the one with the technical knowledge, true. That person may not be the user, true. If you have someone dependable, willing and trustworthy, who can fix anything that goes wrong…can I have their number? Such a person is a godsend. Treasure him/her.
Still, even if you’re that lucky, it’s often a great help to the actual technician if the user can pinpoint the probable cause. Knowing what type of dastardly program is screwing around with the computer gives the technician a good place to start investigating, and maybe also some idea of how to fix it.
Or, to use an analogy, it’s the difference between driving to a workshop and telling the mechanic, “My car’s making a funny sound”, and saying, “The fan belt’s busted.”‘
If you’re not in one of the 4 ‘Ideal Situations’ listed above, then it would probably be helpful for you to know the different kinds of malicious programs that can damage your computer, because…well, refer to condensed Analyst’s answer above.
Realistically though, learning about malware types, even superficially, requires investing time and energy that not every user can spare – which is why technical writers (ahem) have to find ways of communicating these concepts in ways that are interesting and easily accessible for everyone. Which brings us back to the condensed Analyst’s answer. It’s short, to the point and gives just enough information without being overwhelming. And if more information is asked for, well that’s the time to start going in-depth.
Personally, I like it – but since my part of my work deals with malware types anyway, I freely admit to being biased about this. So really, the best people to evaluate how useful that answer is – You, dear reader. So how about it? Do you think the condensed Analyst’s answer is a helpful, informative reply?
Oh and since we’re on the topic, here are the Types F-Secure uses to classify the samples – the good, the bad and the merely suspicious. You can also find plenty of other sites with excellent information on this topic – for example, HowStuffWorks.com has great articles explaining how trojans, viruses and worms work.
"Securing the future" is a huge topic, but our Chief Research Officer Mikko Hypponen narrowed it down to the two most important issues is his recent keynote address at the CeBIT conference. Watch the whole thing for a Matrix-like immersion into the two greatest needs for a brighter future -- security and privacy. [youtube https://www.youtube.com/watch?v=VFoOvpaZvdM] To get started here are some quick takeaways from Mikko's insights into data privacy and data security in a threat landscape where everyone is being watched, everything is getting connected and anything that can make criminals money will be attacked. 1. Criminals are using the affiliate model. About a month ago, one of the guys running CTB Locker -- ransomware that infects your PC to hold your files until you pay to release them in bitcoin -- did a reddit AMA to explain how he makes around $300,000 with the scam. After a bit of questioning, the poster revealed that he isn't CTB's author but an affiliate who simply pays for access to a trojan and an exploit-kid created by a Russian gang. "Why are they operating with an affiliate model?" Mikko asked. Because now the authors are most likely not breaking the law. In the over 250,000 samples F-Secure Labs processes a day, our analysts have seen similar Affiliate models used with the largest banking trojans and GameOver ZeuS, which he notes are also coming from Russia. No wonder online crime is the most profitable IT business. 2. "Smart" means exploitable. When you think of the word "smart" -- as in smart tv, smartphone, smart watch, smart car -- Mikko suggests you think of the word exploitable, as it is a target for online criminals. Why would emerging Internet of Things (IoT) be a target? Think of the motives, he says. Money, of course. You don't need to worry about your smart refrigerator being hacked until there's a way to make money off it. How might the IoT become a profit center? Imagine, he suggests, if a criminal hacked your car and wouldn't let you start it until you pay a ransom. We haven't seen this yet -- but if it can be done, it will. 3. Criminals want your computer power. Even if criminals can't get you to pay a ransom, they may still want into your PC, watch, fridge or watch for the computing power. The denial of service attack against Xbox Live and Playstation Netwokr last Christmas, for instance likely employed a botnet that included mobile devices. IoT devices have already been hijacked to mine for cypto-currencies that could be converted to Bitcoin then dollars or "even more stupidly into Rubbles." 4. If we want to solve the problems of security, we have to build security into devices. Knowing that almost everything will be able to connect to the internet requires better collaboration between security vendors and manufacturers. Mikko worries that companies that have never had to worry about security -- like a toaster manufacturer, for instance -- are now getting into IoT game. And given that the cheapest devices will sell the best, they won't invest in proper design. 5. Governments are a threat to our privacy. The success of the internet has let to governments increasingly using it as a tool of surveillance. What concerns Mikko most is the idea of "collecting it all." As Glenn Glenwald and Edward Snowden pointed out at CeBIT the day before Mikko, governments seem to be collecting everything -- communication, location data -- on everyone, even if you are not a person of interest, just in case. Who knows how that information may be used in a decade from now given that we all have something to hide? Cheers, Sandra
We were recently asked a series of questions about how Freedome protects private data by TorrentFreak.com. Since we believe transparency and encryption are keys to online freedom, we wanted to share our answers that explain how we try to make the best privacy app possible. 1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long? We do not keep any such logs. If ever required by law under a jurisdiction, we would implement such a system, but only where applicable and keeping storage time to the minimum required by law of that respective jurisdiction. Note also that no registration is required to use our service, so any log information would generally map to an anonymous, random user ID (UUID) and the user’s public IP address. 2. Under what jurisdiction(s) does your company operate? Freedome is a service provided from Finland by a Finnish company, and manufactured and provided in compliance with applicable Finnish laws. 3. What tools are used to monitor and mitigate abuse of your service? We have proprietary tools for fully automated traffic pattern analysis, including some DPI for the purpose of limiting peer-to-peer traffic on some gateway sites. Should we detect something that is not in line with our acceptable use policy, we can rate limit traffic from a device, or block a device from accessing the VPN service. All of this is automated and happens locally on the VPN gateway. 4. Do you use any external email providers (e.g. Google Apps) or support tools ( e.g Live support, Zendesk) that hold information provided by users? We do not use any external email providers, but our users can, for example, sign up for beta programs with their email address and send us feedback by email. The email addresses are used only to communicate things like product availability. In the future, paying customers can also use our support services and tools such as chat. In those cases, we do hold information that customers provide us voluntarily. This information is incident based (connected to the support request) and is not connected to any other data (e.g. customer information, marketing, licensing, purchase or any Freedome data). This data is purely used for managing and solving support cases. 5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled? There is no content in the service to be taken down. Freedome is a data pipeline and does not obtain direct financial benefit from user content accessed while using the service. While some of the other liability exclusions of DMCA (/ its European equivalent) apply, the takedown process itself is not really applicable to (this) VPN service. 6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened? The law enforcement data requests can effectively be done directly only to F-Secure Corporation in Finland. If a non-Finnish authority wants to request such data from F-Secure, the request will be done by foreign authorities directly to Finnish police or via Interpol in accordance to procedures set out in international conventions. To date, this has never happened for the Freedome Service. 7. Does your company have a warrant canary or a similar solution to alert customers to gag orders? We do not have a warrant canary system in place. Instead, Freedome is built to store as little data as possible. Since a warrant canary would be typically triggered by a law enforcement request on individual user, they are more reflective on the size of the customer base and how interesting the data in the service is from a law enforcement perspective. They are a good, inventive barometer but do not really measure the risk re: specific user’s data. 8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? BitTorrent and other peer-to-peer file sharing is rate limited / blocked on some gateway servers due to acceptable use policies of our network providers. Some providers are not pleased with a high volume of DMCA takedown requests. We use multiple providers (see Question #12) and these blocks are not in place on all the servers. 9. Which payment systems do you use and how are these linked to individual user accounts? There are multiple options. The most anonymous way to purchase is by buying a voucher code in a retail store. If you pay in cash, the store will not know who you are. You then enter the anonymous voucher code in the Freedome application, and we will then confirm from our database that it is a valid voucher which we have given for sale to one of our retail channels. The retail store does not pass any information to us besides the aggregate number of sold vouchers, so even if you paid by a credit card, we do not get any information about the individual payment. For in-app (e.g., Apple App Store, Google play) purchases you in most cases do need to provide your details but we actually never receive those, we get just an anonymous receipt. The major app stores do not give any contact information about end users to any application vendors. When a purchase is made through our own e-store, the payment and order processing is handled by our online reseller, cleverbridge AG, in Germany. Our partner collects payment information together with name, email, address, etc. and does store these, but in a separate system from Freedome. In this case we have a record who have bought Freedome licenses but pointing a person to any usage of Freedome is intentionally difficult and against our policies. We also don’t have any actual usage log and therefore could not point to one anyway. 10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection? Our application does not provide user selectable encryption algorithms. Servers and clients are authenticated using X.509 certificates with 2048-bit RSA keys and SHA-256 signatures. iOS clients use IPSEC with AES-128 encryption. Other clients (Android, Windows, OS X) use OpenVPN with AES-128 encryption. Perfect Forward Secrecy is enabled (Diffie-Hellman key exchange). We provide DNS leak protection by default, and we also provide IPv6 over the VPN so that IPv6 traffic will not bypass the VPN. Kill switches are not available. The iOS IPSEC client does not allow traffic to flow unless the VPN is connected, or if the VPN is explicitly turned off by the user. The Android app, in “Protection ON” state keeps capturing internet traffic even if network or VPN connection drops, thus there is no traffic or DNS leaks during connection drops. If the Freedome application process gets restarted by the Android system, there is a moment where traffic could theoretically leak outside the VPN. Device startup Android 4.x requires user’s consent before it allows a VPN app to start capturing traffic; until that traffic may theoretically leak. (Android 5 changes this, as it does not forget user’s consent at device reboot.) 11. Do you use your own DNS servers? (if not, which servers do you use?) We do have our own DNS servers. 12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located? In most locations we utilize shared hardware operated by specialized hosting vendors, but we also have our own dedicated hardware at some locations. Providers vary from country to country and over time. In some countries we also use multiple providers at the same time for improved redundancy. An example provider would be Softlayer, an IBM company whom we use in multiple locations.
Another Internet and Facebook chain letter you no doubt have seen. Paramedics recommend adding a contact record named ICE in your mobile phone. It stands for In Case of Emergency and helps contacting your closest relatives if you have an accident. Sounds great, but let’s take a closer look first. This is actually not a typical hoax chain letter because it’s based on facts. The idea emerged in UK in 2005, and was indeed introduced by paramedics. It’s a novel idea with good intentions and might have worked in the era before the smartphone. But it’s badly outdated now. I sincerely hope that people start circulating updated instructions rather than the original 10 years old idea. Here’s why. First, ICE is a nice idea. But it’s NOT the primary interest of paramedics. Their job is to save your life. They are going to concentrate on that rather than playing with your gadget. But ICE-info may still come in handy later at the hospital when the dust settles a bit. Knowledge of some medical conditions is important to paramedics helping a trauma patient. Persons with conditions of this kind wear special medical IDs, necklaces or bracelets, and paramedics are trained to look for them. This has nothing to do with ICE. Our smartphone is a key to all our on-line accounts, e-mail, Facebook, Twitter, cloud storage, you name it. It MUST be locked with a good password, otherwise you take a huge digital risk. And that unfortunately kills the idea with an ICE phonebook record. It’s not worth leaving the phone unprotected because of the ICE-record. Don’t even consider that! Sometimes good old low-tech solutions are far better than digital technology. This is one of those cases. Write the ICE info on a sticker and put it on your phone or anything you carry with you. ID papers, like your driving license, are probably the best items as they are likely to be brought with you to the hospital. If you are a bit nerdy, like me, you may still want a digital solution. Check your mobile for a function or app that puts free form text on the lock screen and use it for ICE. Some phones may even have a separate ICE function for this purpose. But use it as a complement to the good old sticker, not as a replacement. So to summarize. ICE is in theory a good idea, but not really crucial for your survival. It’s not worth sacrificing your digital safety for it. Especially when you simply need a pen and paper to create an ICE record that is more reliable, safer and easier to use! Safe surfing, Micke PS. Full medical ID can also be put on the mobile’s lock screen, at least on Android and iPhone. I’m not sure if this is a good idea. A solid necklace of stainless steel somehow feels better for stuff that can mean the difference between life and death. A complement to the necklace is of course never wrong but I really hope that nobody who really needs it trust this as their only medical ID! Image by Ragesoss through Wikimedia