If you were hit on the head by malware, would you even notice?

Did you know that in most cases, you do not realize when you have been hit by malware?

At least the site that has been said to be the source for a recent attack on Facebook, Apple and Twitter, claims to have known nothing of being compromised before reading about the security breaches on the news. Bloomberg.com tells the iPhone software development site was most likely used for a waterhole attack by East-European criminals.

Most malware programs use the vulnerabilities in popular software to get installed so that you do not even recognize the threat. New exploits are detected around the world all the time, and for example Java is usually at the top of the targeted software list. The amount of malware is alarmingly high, almost 60% of respondents of a Ponemon study confirmed over 25 malware incidents in their environments each month.

Sophisticated malware contaminates your pc or mobile just by a visit to an infected website, by opening an Office document, pdf or other document with an exploit. You will not notice anything peculiar. The days of the very obvious spam mails with malware in them is over. Today, the mails and sites with infection look just as original and trustworthy as any other and you would be “happily” unaware of anything out of the ordinary going on. Until the reality hits in and the repercussions of the attack get real.

The biggest amount of vulnerabilities comes not from the operating system, but from 3rd party software. Exploit kits are in the wild only a few moments after a fix to a vulnerability is released.

Administrators currently don’t necessarily have visibility to what 3rd party software is installed. Keeping up with all the patches and updates for all used software, and making the necessary updates takes a lot of time and effort.  For example, this June alone, my colleagues counted well over 100 vulnerabilities just in the most common software for Windows workstations.

To make it more challenging, usually, after all the necessary updates are done, the admin has to start it all over again when new security updates are available. Often as soon as the next day…

The F-Secure experts can offer a solution: Software Updater not only studies the available patches, but also installs security updates automatically and covers both the operating system and 3rd party software. However, administrators can easily define exclusions for the automatic mode if and when necessary.

Cheers, Eija

More posts from this topic


Why Bring your own Device (BYOD)?

Do you ever use your personal phone to make work related calls? Or send work related e-mails? Maybe you even use it to work on Google Docs, or access company files remotely? Doing these things basically means you’re implementing a BYOD policy at your work, whether they know it or not. BYOD – that’s bring your own device – isn’t really a new trend, but it is one that’s becoming more widespread. Statistics from TrackVia suggest that younger generations are embracing BYOD on a massive scale, with nearly 70% of surveyed Millennials admitting that they use their own devices and software, regardless of their employer’s policies on the matter. This is essentially pressuring employers to accept the trend, as the alternative could mean imposing security restrictions that limit how people go about their work. Consequently, Gartner predicts that 38% of businesses will stop providing employees with devices by 2016. It kind of seems like workers are enforcing the trend, and not businesses. But it’s happening because it’s so much easier to work with phones, tablets, and computers that you understand and enjoy. Work becomes easier, productivity goes up, life becomes more satisfying, etc. This might sound like an exaggeration, and maybe it is a little bit. BYOD won’t solve all of life’s problems, but it really takes advantage of the flexibility modern technology offers. And that’s what mobility should be about, and that’s what businesses are missing out on when they anchor people to a specific device. BYOD promotes a more “organic” aspect of technology in that it’s something people have already invested in and want to use, not something that’s being forced upon them. But of course, there are complications. Recent research confirms that many of these same devices have already had security issues. It’s great to enjoy the benefits of using your own phone or tablet for sending company e-mails, but what happens when things go wrong? You might be turning heads at work by getting work done faster and more efficient, but don’t expect this to continue if you happen to download some malicious software that infiltrates your company’s networks. You’re not alone if you want to use your own phone, tablet, or computer for work. And you’re not even alone if you do this without telling your boss. But there’s really no reason not to try and protect yourself first. You can use security software to reduce the risk of data breaches or malicious infections harming your employer. And there’s even a business oriented version of F-Secure's popular Freedome VPN called Freedome for Business that can actually give you additional forms of protection, and can help your company manage an entire fleet of BYOD and company-owned devices. It’s worth bringing these concerns to an employer if you find yourself using your own devices at the office. After all, statistics prove that you’re not alone in your concerns, and your employer will most likely have to address the issue sooner rather than later if they want the company to use technology wisely.  

Apr 17, 2015
webpage screenshot TOS

Sad figures about how many read the license terms

Do you remember our stunt in London where we offered free WiFi against getting your firstborn child? No, we have not collected any kids yet. But it sure was a nice demonstration of how careless we have become with user terms of software and service. It has been said that “Yes, I have read then license agreement” is the world’s biggest lie. Spot on! This was proven once again by a recent case where a Chrome extension was dragged into the spotlight accused of spying on users. Let’s first check the background. The “Webpage Screenshot” extension, which has been pulled from the Chrome Web Store, enabled users to conveniently take screenshots of web page content. It was a very popular extension with over 1,2 million users and tons of good reviews. But the problem is that the vendor seemed to get revenues by uploading user behavior, mainly visited web links, and monetizing on that data. The data upload was not very visible in the description, but the extension’s privacy policy did mention it. So the extension seemed to be acting according to what had been documented in the policy. Some people were upset and felt that they had been spied on. They installed the extension and had no clue that a screenshot utility would upload behavior data. And I can certainly understand why. But on the other hand, they did approve the user terms and conditions when installing. So they have technically given their approval to the data collection. Did the Webpage Screenshot users know what they signed up for? Let’s find out. It had 1 224 811 users when I collected this data. The question is how many of them had read the terms. You can pause here and think about it if you want to guess. The right answer follows below.   [caption id="attachment_8032" align="aligncenter" width="681"] Trying to access Webpage Screenshot gave an error in Chrome Web Store on April 7th 2015.[/caption]   The privacy policy was provided as a shortened URL which makes it possible to check its statistics. The link had been opened 146 times during the whole lifetime of the extension, slightly less than a year. Yes, only 146 times for over 1,2 million users! This means that only 0,012 % clicked the link! And the number of users who read all the way down to the data collection paragraph is even smaller. At least 99,988 % installed without reading the terms. So these figures support the claim that “I have read the terms” is the biggest lie. But they also show that “nobody reads the terms” is slightly incorrect.   Safe surfing, Micke   PS. Does F-Secure block this kind of programs? Typically no. They are usually not technically harmful, the user has installed them deliberately and we can’t really know what the user expects them to do. Or not to do. So this is not really a malware problem, it’s a fundamental problem in the business models of Internet.   Images: Screenshots from the Webpage Screenshot homepage and Chrome Web Store    

Apr 8, 2015
3 Mobile Security Tips for Travelers

3 Mobile Security Tips for Travelers

Easter is coming up, and many people will take advantage of the holiday by visiting friends or family, or even taking a quick vacation. Mobile phones are an important travel accessory for people these days, as it lets them stay in touch with people, use some great map apps to find their way around, and use online banking and other services they need. The flip side to these wonderful aspects of mobile technology is that there are threats that become more pronounced when people are on the road. Public Wi-Fi hotspots are popular in hotels and airports because they help people avoid roaming charges. Wi-Fi in general wasn’t designed to be particularly secure, and so it exposes all kinds of sensitive information to the public. It’s so easy to monitor what people do over Wi-Fi that it took less than 20 minutes for this hacker to learn the personal details of people connected to a cafe’s hotspot. Do you ever visit café’s when you travel? I know I do. And I also know that having to worry about keeping my personal data safe when I travel is one hassle I can do without. So I sat down with F-Secure Security Advisor Sean Sullivan to talk about this. Sean travels extensively for both work and play. He gets it – worrying about mobile security is the last thing people want to do when they’re away. He gave me three quick pieces of advice to pass along to let people know what they can do to keep their mobile phones safe and secure when they’re away from home. 1. Use a PIN number or passcode to lock your phone. Losing your phone is like losing your wallet – it’s not the cash that stresses people out. It’s the information. Credit cards, driver’s license, insurance information, ID – lots of people keep this info in both their phones and wallets. If your phone gets lost or stolen that information can get out there, so if you want to keep this data secure a code is the absolute minimum. Even if your phone goes missing, a passcode or PIN can help the data stay hidden. Plus, many mobile services will have anti-theft protection and let you remotely locate your phone, but these anti-theft features won’t do you any good if whoever finds your phone can simply open your settings and disable them. Most phones let you set up passcodes to lock your phone at regular intervals (for example, every hour or every two hours). When I'm working I usually set my phone to lock every four hours, but for traveling I set it to lock every five minutes. I suggest you set yours to lock as often as you can stand. Even if it's not a long time, like at hour intervals, it's better than no protection at all. 2. Take the time to remove old files and log out of apps that you don’t need. Cleaning your phone out is important if you want to bring it traveling, especially if you use your phone for work. Phones and computers always store information about what you do. Internet browsers store a history. Apps create temporary files where they store stuff to help them run faster. A lot of apps and websites have passwords and contact information about you stored. Deleting this data only takes you a few minutes with this new free app, and can save you the hassles that come from having your personal data compromised. I’m always careful to close and even delete apps I won’t be using when I travel, and even reset automatic logins I use for work. I recommend you do the same, because if your phone goes missing and someone starts sending e-mails from your account, you might not have a job to come back to. Getting rid of work stuff is key, not only to protect you and your employer from any mishaps, but also to avoid thinking about work when you’re trying to relax. 3. There’s no excuse not to use a VPN, so get one and test it BEFORE your trip. VPNs are always a good idea. Almost every security researcher I know swears by them. They’re especially important while you’re traveling because you’re more exposed when you’re away from home. You often have to choose between using free Wi-Fi hotspots or paying roaming charges to use your mobile connection. Using a VPN like Freedome gives you a secure funnel that lets you use public Wi-Fi connections without assuming the risks. It’s especially important for budget travelers that use services like AirBnB. The sharing economy is great for travelers on a shoestring budget, but you give up some of your control over your own situation when you use these services. If you’re using someone else’s Wi-Fi you might not be able to verify that it’s safe – after all, it’s not a 5-star hotel. Using Freedome can prevent you from “sharing” information in this new economy that you’d rather keep private. These are quick, easy things you can do to keep your private information private while you’re traveling, so take this advice to heart so you can enjoy your holidays. P.S. Sullivan also suggests calling your bank ahead of time and let them know you’re traveling, so they know that charges appearing away from where you live don’t mean that your credit card was stolen. [Image by Francesco | Flickr ]

Apr 2, 2015