Last Friday we welcomed the president of Estonia Toomas Hendrik Ilves and a delegation of eleven to our headquarters in Helsinki. In our nearly 25 year history it was the first time we’d ever welcomed a foreign head of state. And we could not be more honored by the one who chose to visit us first.
President Ilves was recently named by TechCrunch one of 20 Most Innovative People In Democracy 2012. He and President Barack Obama were the only two elected leaders on the list. They called Estonia, ” the most technologically advanced democracy on Earth.”
Why? “…citizens vote online, enjoy universal access to medical records, and can perform most government services without leaving their laptops (Estonians filed their taxes online long before it was popular in the U.S.).”
As a result cyber security is a constant concern and an area the president understands well. Tallinn, Estonia is the home of the NATO Cooperative Cyber Defence Centre of Excellence.
Our Vice Preside of Consumer Security Maria Nordgren briefed the president about F-Secure and then our Chief Research Office Mikko Hypponen presented on cyberthreat landscape as seen from the F-Secure Labs.
Stuxnet, Flame, cyberwarfare and all the risks that countries face online all came up in the discussion that went on for hours. The president visited the famous F-Secure Labs.
In the President Ilves tweet documenting the visit he noted that he spent more time discussing cyber security with Mikko than he did meeting with the president of Finland.
“Sorry for the inconvenience, I'm in Limassol, Cyprus. I am here for a week and I just lost my bag containing all my important items, phone and money at the bus station. I need some help from you. Thanks” Many of you have seen these messages and some of you already know what the name of the game is. Yes, it’s another type of Internet scam, an imposter scam variant. I got this message last week from a photo club acquaintance. Or to be precise, the message was in bad Swedish from Google translate. Here’s what happened. First I got the mail. Needless to say, I never suspected that he was in trouble in Limassol. Instead I called him to check if he was aware of the scam. He was, I wasn’t the first to react. Several others had contacted him before me and some were posting warnings to his friends on Facebook. These scams start by someone breaking in to the victim’s web mail, which was Gmail in this case. This can happen because of a bad password, a phishing attack, malware in the computer or a breach in some other system. Then the scammer checks the settings and correspondence to find out what language the victim is using. The next step is to send a message like the above to all the victim’s contacts. The victim had reacted correctly and changed the Gmail password ASAP. But I wanted to verify and replied to the scam mail anyway, asking what I can do to help. One hour later I got this: “Thanks, I need to borrow about 1000 euros, will pay you back as soon as I get home. Western Union Money Transfer is the fastest option to wire funds to me. All you need to do is find the nearest Western Union shop and the money will be sent in minutes. See details needed WU transfer below. Name: (Redacted) Address: Limassol, Cyprus you must email me the reference number provided on the payment slip as soon as you make the transfer so I can receive money here. Thank you,” Now it should be obvious for everyone how this kind of scam works. Once the scammers get the reference number they just go to Western Union to cash in. Most recipients will not fall for this, but the scammers will get a nice profit if even one or two contacts send money. But wait. To pull this off, the scammers need to retain control over the mail account. They need to send the second mail and receive the reference number. How can this work if the victim had changed his password? This works by utilizing human’s inability to notice tiny details. The scammers will register a new mail account with an address that is almost identical to the victim’s. The first mail comes from the victim’s account, but directs replies to the new account. So the conversation can continue with the new account that people believe belongs to the victim. The new address may have a misspelled name or use a different separator between the first and last names. Or be in a different domain that is almost the same as the real one. The two addresses are totally different for computers, but a human need to pay close attention to notice the difference. How many of you would notice if a mail address changes from say Bill.Gates@gmail.com to BiII_Gates@mail.com? (How many differences do you notice, right answer at the end?) To be honest, I was sloppy too in this case and didn’t at first see the tiny difference. In theory it is also possible that webmail servers may leave active sessions open and let the scammers keep using the hacked account for a while after the password has been changed. I just tested this on Gmail. They close old sessions automatically pretty quickly, but it is anyway a good idea to use the security settings and manually terminate any connection the scammers may have open. I exchanged a couple of mails with this person the day after. He told that the scammers had changed the webmail user interface to Arabic, which probably is a hint about where they are from. I was just about to press send when I remembered to check the mail address. Bummer, the scammer’s address was still there so my reply would not have reached him unless I had typed the address manually. The account’s reply-to was still set to the scammer’s fake account. OK, let’s collect a checklist that helps identifying these scams. If someone asks for urgent help by mail, assume it’s a scam. These scams are a far more common than real requests for help. We are of course all ready to help friends, but are YOU really the one that the victim would contact in this situation? Are you close enough? How likely is it that you are close enough, but still had no clue he was travelling in Cyprus? Creating urgency is a very basic tool for scammers. Something must be done NOW so that people haven't got time to think or talk to others. The scammers may or may not be able to write correct English, but other languages are most likely hilarious Google-translations. Bad grammar is a strong warning sign. Requesting money using Western Union is another red flag. Wire transfer of money provides pretty much zero security for the sender, and scammers like that. Many scammers in this category try to fake an embarrassing situation and ask the recipient to not tell anyone else, to reduce the risk that someone else sees through it. These messages often state that the phone is lost to prevent the recipient from calling to check. But that is exactly what you should do anyway. Next checklist, how to deal with a situation where your account has been hijacked and used for scams. Act promptly. Change the mail account’s passwords. Check the webmail settings and especially the reply-to address. Correct any changed settings. Check for a function in the web mail that terminates open sessions from other devices. Gmail has a “Secure your account” -wizard under the account’s security settings. It’s a good idea to go through it. Inform your friends. A fast Facebook update may reach them before they see the scammer’s mail and prevent someone from falling for it. It also helps raising awareness. And finally, how to not be a victim in the first place. This is really about account security basics. Make sure you use a decent password. It’s easier to maintain good password habits with a password manager. Activate two-factor authentication on your important accounts. I think anyone’s main mail account is important enough for it. Learn to recognize phishing scams as they are a very common way to break into accounts. Maintain proper malware protection on all your devices. Spyware is a common way to steal account passwords. The last checklist is primarily about protecting your account. But that’s not the full picture. Imagine one of your friends falls for the scam and loses 1000 € when your account is hacked. It is kind of nice that someone cares that much about you, but losing money for it is not nice. Yes, the criminal scammer is naturally the primarily responsible. And yes, people who fall for the scam can to some extent blame themselves. But the one with the hacked account carries a piece of responsibility too. He or she could have avoided the whole incident with the tools described above. Caring about your account security is caring about your friends too! And last but not least. Knowledge is as usual the strongest weapon against scams. They work only as long as there are people who don’t recognize the scam pattern. Help fighting scam by spreading the word! Safe surfing, Micke PS. The two mail addresses above have 3 significant differences. 1. The name separator has changed from a dot to an underscore. 2. The domain name is mail.com instead of gmail.com. 3. The two lower case Ls in Bill has been replaced with capital I. Each of these changes is enough to make it a totally separate mail address. Image by Yumi Kimura
It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 8 AM ET. If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you. 1. Check out this 2004 profile of his work from Vanity Fair. 2. Watch his 3 talks that have been featured on TED.com. [protected-iframe id="7579bbf790267cc081ac7d92d951262c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="fdf818f4afa2f7dcb179c5516c44918c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="54be2fe9bce28ae991becbe3d4291e56-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] 3. Check out his first AMA, which took place just after his first talk at TEDglobal was published. 4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus. [protected-iframe id="8c0605f62076aa901ed165dbd3f4fcd7-10874323-9129869" info="//www.youtube-nocookie.com/v/lnedOWfPKT0?version=3&hl=en_US&rel=0" width="640" height="360"] 5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators". [protected-iframe id="54b24406f022e81b15ad6dadf2adfc93-10874323-9129869" info="//www.youtube-nocookie.com/v/txknsq5Z5-8?hl=en_US&version=3&rel=0" width="640" height="360"] BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games. Cheers, Sandra
Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good. Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.