Threat report H2 2012

H2_2012_incidents_calendar

Threat report H2 2012

This time of the year is always interesting. It is the time when Labs looks back on the past half-year to summarize what has happened in the threat landscape. I can proudly announce that the report for H2 2012 has been published and is free for you to download and read!

The report is once again packed with highly interesting reading on the threats that we all face when using the net. And this report is not just a repetition of what has been published in the media. A compilation like this makes it easier to spot the trends and the big picture. Thanks guys for putting it all together! And of course for the continuous research effort that it is based on. (I’m not going to list all the names here, the full list of contributors can be found in the report.)

Here’s some teasers…

Botnets. ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. Read more about ZeroAccess and botnets in general at page 15 – 20.

Exploits. Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems. Learn more about exploits at page 25-27.

Banking trojans. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Browse to page 21-24 to read how the traditional way to rob a bank has become hopelessly old-fashioned.

The web. Common sense is still important when surfing, but it is becoming increasingly difficult to spot the dangerous places. Ad-networks are integrated in an increasing number of sites and can distribute malware through web portals that should be trustworthy. More about the web’s dangerous places at page 28-31.

Mobile devices. Did you know that there is malware on all commonly used mobile platforms? But Android has the questionable honor to lead the pack, and the others are far behind. The full story is on page 35-37.

The threat report covers all this and a lot more. Why not make sure that you are up to date on the threat scenario by continuing to the report. It is highly recommended reading.

Micke

More posts from this topic

Juhannus

How To Prepare Yourself and Your Phone For Juhannus

In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]

June 22, 2016
Porn blog post image

4 People who can see what Porn you Watch, and 4 Tips to Stop it

In the grand scheme of things, there certainly are more important facets to online privacy than keeping one’s porn habits private (government overreach, identity theft, credit card fraud to name a few). However, adult browsing histories are one of the secrets in their online lives people want to protect the most, so it might be disconcerting to know that porn browsing is not as private as one might think. A large majority of web users are lulled into a false sense of security by incognito mode or private browsing, but this is only one of the steps needed toward becoming private online. Here are a few people who have access to this info, along  with a few easy tips that can be taken to prevent this from happening. 1. Anyone on the same hotspot No one is suggesting you should watch porn at your local coffee shop (in fact, please don’t). However, what people surf in places like the privacy of their hotel room should probably stay there. With that in mind, the following statement might be more than a little disconcerting: What you do on Wi-Fi can be usually be seen by pretty much anyone connected to that hotspot. It doesn't require great hacking skills to see what other people connected to the same network are doing. Only traffic on encrypted websites starting with https is always secure, and almost no adult sites fall under this category. 2. Foreign web service providers When traveling, it's easy to forget that what might be culturally acceptable in one country can land you in hot water with the authorities in another. Whether on public Wi-Fi or roaming on the network of a foreign internet service provider, they may be bound by law to report anyone surfing adult material. The personal freedom we enjoy to surf anything we want online is so second nature to many of us by now, we easily forget the same isn't true for others. 3. Analytics and advertisers (often one and the same) It might not bee too surprising to hear that most companies aren't exactly jumping at the chance to be associated with adult websites. For this reason, networks that serve ads to adult websites don't serve ads to "normal" websites, making porn sites mostly self-contained when it comes to using your private information for advertising purposes. Unfortunately, your adult browsing can still be connected to you. Many adult websites implement analytic services, as well as "like" and "share" buttons, that feed into major advertisers such as Google and Facebook. 4. Your employer (in the U.S. and many other countries) Now, we are DEFINITELY not suggesting you watch naughty stuff at work. I mean, they call it NSFW for a reason. However, that doesn’t change the fact that in some countries, companies have an uncomfortable amount of rights to spy on their workers. It’s natural that employers don’t want their workers doing anything illegal, but you still have a right to privacy, even on a work network. What are your options? So what can you do to prevent privacy intrusions? The first and most obvious choice is to not supply any personal information to adult websites. A lot of porn sites require registration in order to comment on videos (if that's your thing) or to view content in higher quality. Keeping a separate email address for adult websites is therefore highly recommended. The other obvious choice is to always have private browsing on, as this prevents cookie-based tracking and embarrassing browsing histories from being saved on your computer. A slightly more technical but still very easy tip is to disable JavaScript from your browser settings while surfing adult websites. A lot of websites don't function without JavaScript, but all the adult websites we tried for research purposes work just fine. JavaScript makes it much easier  to do something called device fingerprinting. This frustratingly intrusive method of snooping involves the use of scripts to identify your computer based on variables such as your screen size, operating system and number of installed fonts. It might not seem like it, but there are enough variables to make most devices in the world completely unique. But the simplest and most efficient method of controlling your privacy is to use a VPN. A VPN (virtual private network) encrypts all your traffic, meaning no one is able to intercept it and see what sites you visit or what you download. It also hides your real IP address, the unique number which can easily be used to identify you online. A top-tier VPN like Freedome also contains extra features like anti-tracking to stop advertising networks from identifying you, and malware protection to automatically block webpages that contain malicious code. The app is easy to use, and available on most platforms. Online privacy is not a difficult or expensive  goal to achieve, and by following these few steps you will be able to surf what you want without worry.

June 13, 2016
BY 
Could the Sony and Hacking Team hacks have been detected sooner?

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo: Getty Images

May 31, 2016
BY