Top 7 Predictions for 2013 (if the Internet As We Know It Still Exists)

Will the next year bring a seismic shift in who controls the Internet? Another Mac malware outbreak? Your smart TV being highjacked for a DDoS attack? Whatever 2013 may bring, it’s sure to be an interesting year. Here’s F-Secure Labs’ take on what could be in store for the next year.

Forecast_2013_logo-02

1. The end of the Internet as we know it?
“Depending on the outcome of an important conference taking place now in Dubai, a lot of things could happen in 2013,” says Sean Sullivan, Security Advisor at F-Secure Labs.That event, the World Conference on International Telecommunications, could have a major impact on the Internet as we know it. “The Internet could break up into a series of smaller Internets,” Sullivansays. “Or it may start to be funded differently, with big content providers like Facebook and Google/YouTube having to pay taxes for the content they deliver.”

The WCIT event is a meeting convened by the International Telecommunication Union (ITU) to finalize changes to the International Telecommunications Regulations treaty. In attendance are regulators representing governments from around the world, not all of whom are interested in Internet freedom. There is concern that some regimes would want to shift control of the Internet “from the geeks, and give it to governments,” as Sullivan puts it. New measures are also being proposed in the name of Internet security that privacy advocates suggest would mean the end of anonymity on the Internet.

2. Leaks will reveal more government-sponsored espionage tools
“It’s clear from past leaks about Stuxnet, Flame, and Gauss that the cyber arms race is well underway,” says Mikko Hypponen, Chief Research Officer at F-Secure Labs. While we may not always be aware of nation-states’ covert cyber operations, we can expect that governments are more and more involved in such activity. In 2013, we’ll most likely see more leaks that definitively demonstrate this, and from countries who haven’t previously been seen as a source of attacks. As the arms race heats up, the odds of leaks increase.

3. Commoditization of mobile malware will increase
The Android operating system has solidified in a way that previous mobile operating systems haven’t, extending from phones to tablets to TVs to specialized versions of tablets. The more ubitiquous it becomes, “the easier to build malware on top of it and the more opportunities for criminals to innovate businesswise,” Sullivan says. Mobile malware will become more commoditized, with cybercriminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.

4. Another malware outbreak will hit the Mac world
2011 saw scareware called Mac Defender, and in 2012 Flashback took advantage of flaws in Java. The Labs predict 2013 will bring another Mac malware outbreak that will have some success within the Mac community.

“The author of the Flashback Trojan is still at large and is rumored to be working on something else,” Sullivan says. “And while there have been smart security changes to the Mac OS, there’s a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak.”

5. Smart TVs will become a hacker target
Smart TVs are plugged into the Internet, they’ve got processing power, and since they typically aren’t equipped with security, they’re wide open to attacks. Adding to their vulnerability is that unlike home computers, many smart TVs are directly connected to the Internet without the buffer of a router, which deflects unsolicited traffic. Also, consumers often don’t change the factory default username and password that have been set for web administration, giving easy access to hackers.

“It’s very easy for hackers to scan for smart TVs on the Internet,” says Sullivan. “When found, they only need to use the default username and password, and they’re in.” 2012 already witnessed LightAidra, a breed of malware that infected set top boxes. 2013 could see smart TVs being used for such purposes as click fraud, Bitcoin mining, and DDoS attacks.

6. Mobile spy software will go mainstream
2013 may see a rise in popularity of tracking software, and not just for parental control purposes. There has already been growth in child safety apps that monitor kids’ activities, for example, their Facebook behavior. “Of course this kind of software can also be used to spy on anyone, not just kids,” Sullivan says. “The more smartphones there are, the more people will be seeking out software like this – to find out what their ex is up to, for example.”

7. Free tablets will be offered to prime content customers
Tablets and e-readers are all the rage, and more and more often in closed ecosystems such as the iPad with iTunes or the Kindle with Amazon. As the Kindle price keeps dropping, the Labs predict that 2013 may bring a free e-reader or tablet for prime customers of companies who charge for content, like Amazon or Barnes & Noble. “Closed ecosystems are more secure, but you have to trust the provider to protect your privacy,” says Sullivan.

For ongoing analysis from the F-Secure Labs, follow News from the Lab.

More posts from this topic

Facebook videos

How far are you ready to go to see a juicy video? [POLL]

Many of you have seen them. And some of you have no doubt been victims too. Malware spreading through social media sites, like Facebook, is definitively something you should look out for. You know those posts. You raise your eyebrows when old Aunt Sophie suddenly shares a pornographic video with all her friends. You had no idea she was into that kind of stuff! Well, she isn’t (necessary). She’s just got infected with a special kind of malware called a social bot. So what’s going on here? You might feel tempted to check what “Aunt Sophie” really shared with you. But unfortunately your computer isn’t set up properly to watch the video. It lacks some kind of video thingy that need to be installed. Luckily it is easy to fix, you just click the provided link and approve the installation. And you are ready to dive into Aunt Sophie’s stuff. Yes, you probably already figured out where this is going. The social bots are excellent examples of how technology and social tricks can work together. The actual malware is naturally the “video thingy” that people are tricked to install. To be more precise, it’s usually an extension to your browser. And it’s often masqueraded as a video codec, that is a module that understands and can show a certain video format. Once installed, these extensions run in your browser with access to your social media accounts. And your friends start to receive juicy videos from you. There are several significant social engineering tricks involved here. First you are presented with content that people want to see. Juicy things like porn or exposed celebrities always work well. But it may actually be anything, from breaking news to cute animals. The content also feels safer and more trustworthy because it seems to come from one of your friends. The final trick is to masquerade the malware as a necessary system component. Well, when you want to see the video, then nothing stops you from viewing it. Right? It’s so easy to tell people to never accept this kind of additional software. But in reality it’s harder than that. Our technological environment is very heterogeneous and there’s content that devices can’t display out of the box. So we need to install some extensions. Not to talk about the numerous video formats out there. Hand on heart, how many of you can list the video formats your computer currently supports? And which significant formats aren’t supported? A more practical piece of advice is to only approve extensions when viewing content from a reliable source. And we have learned that Facebook isn’t one. On the other hand, you might open a video on a newspaper or magazine that you frequently visit, and this triggers a request to install a module. This is usually safe because you initiated the video viewing from a service that shouldn’t have malicious intents. But what if you already are “Aunt Sophie” and people are calling about your strange posts? Good first aid is going to our On-line Scanner. That’s a quick way to check your system for malware. A more sustainable solution is our F-Secure SAFE. Ok, finally the poll. How do you react when suddenly told that you need to download and install software to view a video? Be honest, how did you deal with this before reading this blog?   [polldaddy poll=9394383]   Safe surfing, Micke   Image: Facebook.com screenshot      

April 22, 2016
BY 
5588953445_51dcf922aa_o_crop

Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
BY 
Tracker Mapper

Want to Pwn Internet Trackers? Here’s How

A recent PEW report says that 86 percent of people have taken action to avoid online surveillance, including simple things like clearing their browser cache, as well as using more effective methods, such as using a VPN (virtual private network). The same report says that 61 percent of participants indicated that they’d like to do more. Many people understand their privacy is at risk when they do things online, and want to do something about it. But that’s easier said than done. Not only do you have to have the will to make it happen, but you have to know where to start. Who do you want to protect your privacy from anyway? Facebook? The NSA? Nosey neighbors? PEW’s report says that 91 percent of people agree or strongly agree that consumers have lost control over personal information that is collected and used by companies. So if you want to take this control back, the first thing you need to do is figure out who’s stalking you online. F-Secure’s Freedome VPN, which you can try for free, has baked-in tracking protection technologies to help people protect their privacy while they’re surfing online. It also has Tracker Mapper – a feature that people can use to control how they expose themselves to Internet trackers. Tracker Mapper has been available for Macs and Windows PCs for about half a year, and was just launched for Freedome’s Android and iOS apps. So how does using Tracker Mapper help you control your online privacy? Here’s our Chief Research Officer, Mikko Hyppönen, talking about how online tracking threatens people’s privacy, and how Freedome (and Tracker Mapper) can help people protect themselves. [youtube=https://www.youtube.com/watch?v=X1F8sHjCBx0&w=560&h=315] I ran a little experiment to help me learn how to limit my exposure to trackers while planning a vacation. I used Alexa to help me find some popular travel websites that I could use to shop for deals on hotels. After that, I turned on Tracker Mapper (which is turned off by default, because we respect the fact that people don’t want apps to create logs without permission) so I could find out which of these websites used the most tracking to study me as I used their site. I chose 5 of the more popular sites, and then I spent about 10 minutes on each, and left a bit of extra time so I could check out the results in between. The whole thing took me about an hour, giving me a one-hour log of the tracking attempts Freedome blocked while I browsed these sites. Tracker Mapper creates an interactive visualization of the blocked tracking attempts, and gives you information on what trackers attempted to monitor you on different websites. It also shows how these trackers link together to create a network capable of monitoring you as you navigate from website to website. These are screenshots showing how Tracker Mapper visualizes online tracking, as well some of the statistics it provides. The capture on the left shows the entire overview of the session (which lasted exactly one hour). The shot in the middle shows the sites I visited ordered by the most tracking attempts. The capture on the right shows the actual trackers that attempted to track me during my session, ordered by the number of blocked attempts. Based on this, Trip Advisor appears to have made the most tracking attempts. But you can learn even more about this by combining Tracker Mapper with a bit of online digging. You can tap on the different “bubbles” in Tracker Mapper to pull up statistics about different websites and tracking services. The first screen capture shows how many tracking attempts from different services were blocked when I visited Trip Advisor. The next two show the most prominent tracking services Freedome blocked – the tracker that TripAdvisor has integrated into its website (www.tripadvisor.com), and a tracking tag from Scorecard Research (b.scorecardresearch.com). As you might have guessed, TripAdvisor’s own tracking service is only used on their website (it’s what’s called “first-party tracking”). That’s why Tracker Mapper doesn’t show any connections between it and other websites. The second one, Scorecard Research, is used on both Trip Advisor and Lonely Planet. That’s why there are lines connecting it with both (it’s what’s called “third-party tracking”). Scorecard research is a marketing research firm that provides tracking and analytic services by having websites host their “tags”, which collect information about those website’s visitors. The Guardian has an excellent write-up about Scorecard Research, but what’s missing from the Guardian story is that you can opt-out of Scorecard Research’s tracking. Basically, they put a cookie on your browser, which isn’t an uncommon way for tracking companies to allow web surfers to protect their privacy (and oddly enough, a common way for them to track you). Stripping trackers out of websites lets people take control of who’s monitoring what they do online. PEW’s survey found that this idea of control is central to people’s concerns about online privacy - 74 percent of respondents said it’s important to control who can get information, and 65 percent said its important to control what information is collected. However, opting out of every tracking service (and for every browser you use) by installing opt-out cookies isn’t as convenient as using Freedome. And as F-Secure Security Advisor Sean Sullivan pointed out in this blog post, it actually works much better for your browsing (one experiment found that Freedome can reduce the time it takes to load web pages by about 30 percent, and decrease data consumption by about 13 percent). You can download Freedome for a free trial and find out for yourself if how it can help you control your online privacy. And right now, you can win free annual subscriptions, as well as cool swag (like stylish hoodies) by posting a screenshot showing your blocked tracking attempts to F-Secure’s Facebook wall, or on Instagram with F-Secure tagged. The contest is open till March 23rd, and 5 winners will be randomly drawn after it ends.

March 16, 2016
BY