This time of the year is always interesting. It is the time when Labs looks back on the past half-year to summarize what has happened in the threat landscape. I can proudly announce that the report for H2 2012 has been published and is free for you to download and read!
The report is once again packed with highly interesting reading on the threats that we all face when using the net. And this report is not just a repetition of what has been published in the media. A compilation like this makes it easier to spot the trends and the big picture. Thanks guys for putting it all together! And of course for the continuous research effort that it is based on. (I’m not going to list all the names here, the full list of contributors can be found in the report.)
Here’s some teasers…
Botnets. ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. Read more about ZeroAccess and botnets in general at page 15 – 20.
Exploits. Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems. Learn more about exploits at page 25-27.
Banking trojans. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Browse to page 21-24 to read how the traditional way to rob a bank has become hopelessly old-fashioned.
The web. Common sense is still important when surfing, but it is becoming increasingly difficult to spot the dangerous places. Ad-networks are integrated in an increasing number of sites and can distribute malware through web portals that should be trustworthy. More about the web’s dangerous places at page 28-31.
Mobile devices. Did you know that there is malware on all commonly used mobile platforms? But Android has the questionable honor to lead the pack, and the others are far behind. The full story is on page 35-37.
The threat report covers all this and a lot more. Why not make sure that you are up to date on the threat scenario by continuing to the report. It is highly recommended reading.
The recent statements from FBI director James Comey is yet another example of the authorities’ opportunistic approach to surveillance. He dislikes the fact that mobile operating systems from Google and Apple now come with strong encryption for data stored on the device. This security feature is naturally essential when you lose your device or if you are a potential espionage target. But the authorities do not like it as it makes investigations harder. What he said was basically that there should be a method for authorities to access data in mobile devices with a proper warrant. This would be needed to effectively fight crime. Going on to list some hated crime types, murder, child abuse, terrorism and so on. And yes, this might at first sound OK. Until you start thinking about it. Let’s translate Comey’s statement into ordinary non-obfuscated English. This is what he really said: “I, James Comey, director of FBI, want every person world-wide to carry a tracking device at all times. This device shall collect the owner’s electronic communications and be able to open cloud services where data is stored. The content of these tracking devices shall on request be made available to the US authorities. We don’t care if this weakens your security, and you shouldn’t care because our goals are more important than your privacy.” Yes, that’s what we are talking about here. The “tracking devices” are of course our mobile phones and other digital gadgets. Our digital lives are already accurate mirrors of our actual lives. Our gadgets do not only contain actual data, they are also a gate to the cloud services because they store passwords. Granting FBI access to mobile devices does not only reveal data on the device. It also opens up all the user’s cloud services, regardless of if they are within US jurisdiction or not. In short. Comey want to put a black box in the pocket of every citizen world-wide. Black boxes that record flight data and communications are justified in cockpits, not in ordinary peoples’ private lives. But wait. What if they really could solve crimes this way? Yes, there would probably be a handful of cases where data gathered this way is crucial. At least enough to make fancy PR and publically show how important it is for the authorities to have access to private data. But even proposing weakening the security of commonly and globally used operating systems is a sign of gross negligence against peoples’ right to security and privacy. The risk is magnitudes bigger than the upside. Comey was diffuse when talking about examples of cases solved using device data. But the history is full of cases solved *without* data from smart devices. Well, just a decade ago we didn’t even have this kind of tracking devices. And the police did succeed in catching murderers and other criminals despite that. You can also today select to not use a smartphone, and thus drop the FBI-tracker. That is your right and you do not break any laws by doing so. Many security-aware criminals are probably operating this way, and many more would if Comey gets what he wants. So it’s very obvious that the FBI must have capability to investigate crime even without turning every phone into a black box. Comey’s proposal is just purely opportunistic, he wants this data because it exists. Not because he really needs it. Safe surfing, Micke
Would you give up your firstborn child or favorite pet to use free WiFi? Of course not. Sounds crazy, right? But in an independent investigation conducted on behalf of F-Secure, several people agreed to do just that – just to be able to instantly, freely connect to the Internet while on the go. For the experiment, we asked Finn Steglich of the German penetration testing company, SySS, to build a WiFi hotspot, take it out on the streets of London, and set it up and wait for folks to connect. The purpose? To find out how readily people would connect to an unknown WiFi hotspot. (You can view our complete report, see the video and listen to the podcast below.) Thing is, public hotspots are insecure. Public WiFi simply wasn’t built with 21st century security demands in mind. When you use public WiFi without any added security measures, you leak data about yourself from your device. We know it, but we wanted to find out in general how well people out on the street know, whether or not they take precautions, and what kind of data they would actually leak. We also enlisted the help of freelance journalist Peter Warren of the UK’s Cyber Security Research Institute, who came along to document it all. Accompanying the two was Sean Sullivan, F-Secure’s Security Advisor. [protected-iframe id="4904e81e9615a16d107096f242273fee-10874323-40632396" info="//www.youtube-nocookie.com/embed/OXzDyL3gaZo" width="640" height="360" frameborder="0" allowfullscreen=""] Leaking personal information What we found was that people readily and happily connected, unaware their Internet activity was being spied on by the team. In just a half-hour period, 250 devices connected to the hotspot. Most of these were probably automatic connections, without their owner even realizing it. 33 people actively sent Internet traffic, doing web searches, sending email, etc. The team collected 32 MB of traffic – which was promptly destroyed in the interest of consumer privacy. The researchers were a bit surprised when they found that they could actually read the text of emails sent over a POP3 network, along with the addresses of the sender and recipient, and even the password of the sender. Encryption, anyone? If you aren’t already using it, you should be! The Herod clause For part of the experiment, the guys enabled a terms and conditions (T&C) page that people needed to agree to before being able to use the hotspot. One of the terms stipulated that the user must give up their firstborn child or most beloved pet in exchange for WiFi use. In the short time the T&C page was active, six people agreed to the outlandish clause. Of course, this simply illustrates the lack of attention people pay to such pages. Terms and conditions are usually longer than most people want to take time to read, and often they’re difficult to understand. We, of course, won’t enforce the clause and make people follow through with surrendering their loved ones – but this should give us all pause: What are we really signing up for when we check the “agree” box at the end of a long list of T&C’s we don’t read? There's a need for more clarity and transparency about what's actually being collected or required of the user. The problem So what’s really the issue here? What’s going to happen to your data, anyway? The problem is there are plenty of criminals who love to get their hands on WiFi traffic to collect usernames, passwords, etc. It’s easy and cheap enough for them to set up their own hotspot somewhere (the whole hotspot setup only cost SySS about 200 euros), give it a credible-looking name, and just let the data flow in. And even if a hotspot is provided by a legitimate business or organization, criminals can still use “sniffing” tools to spy on others’ Internet traffic. So be warned: Public WiFi is NOT secure or safe. But we’re not saying don’t use it, we’re saying don’t use it without proper security. A good VPN will provide encryption so even if someone tries, they can’t tap into your data. The Solution F-Secure Freedome is our super cool, super simple wi-fi security product, or VPN. Freedome creates a secure, encrypted connection from your device and protects you from snoops and spies, wherever you go and whatever WiFi you use. (Bonus: It also includes tracking protection from Internet marketers, browsing protection to block malicious sites and apps, and lets you choose your own virtual location so you can view your favorite web content even when you’re abroad.) Still don’t believe that public WiFi poses risks? Take a closer look next time you’re faced with a terms and conditions page for public WiFi hotspot. “A good number of open wi-fi providers take the time to tell you in their T&C that there are inherent risks with wireless communications and suggest using a VPN,” Sullivan says. “So if you don't take it from me, take it from them.” Check out the full report here (PDF): Tainted Love - How Wi-Fi Betrays Us Listen to the podcast, featuring interviews with Victor Hayes, the "Father of WiFi," our Sean Sullivan and others: [audio mp3="http://fsecureconsumer.files.wordpress.com/2014/09/wifi_experiment_podcast.mp3"][/audio] Disclaimer: During the course of this experiment, no user was compromised at any point nor user data exposed in a way that it could have been subject to misuse. We have not logged any user information, and during the experiment a lawyer supervised all our activities to avoid breaching any laws. Video by Magneto Films
Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good. Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.