sony key

Do you have your door open for malware attacks?

The number of exploit attacks against known vulnerabilities continues to increase. The target is to install malware into the targeted system and to gain benefits for the criminals behind the attack.

According to F-Secure Threat Report H1/2013, the majority of Top 10 detections from the last six months involved exploits. Java is the most popular entry point and therefore, disallowing Java plug-ins might make sense.  Java vulnerabilities have allowed attackers to use even classic forms of attack, known for about ten years already.

Image

The table clearly shows that the users do not seem to understand the importance of security patches since exploits can target vulnerabilities that have had a patch for over 5 years!

On the other hand, exploit kits find their way to the market unbelievably fast – the F-Secure Threat report tells: “Java vulnerability CVE-2013-2423; a Metasploit module targeting this was first published on April 20th, and a day later we noticed in-the-wild attacks against it had already gotten underway by the CrimeBoss exploit kit”.

Why is it so hard to keep pace with the critical security updates then?

First, the number of patches releases is huge. For example, Microsoft alone recently published 13 patches against 47 bugs in its Patch Tuesday security update. Add to that the Java updates, Adobe updates, and all the rest of the products, and the number of necessary updates in a business environment can be devastating. Second – would the IT administrator always know which software is installed on which machine?

F-Secure Software Updater, an automated patch management tool integrated in the security clients, can help manage the huge task of keeping on top of the critical security updates. It follows the philosophy: find it, fix it, and forget it.

Cheers, Eija

More posts from this topic

browser security, business security, banking trojan

The Devil’s in… the browser

This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "If you have to use dangerous plugins like Java to do banking, you can enable those in one browser and use it only for the banking stuff," F-Secure Director of Security Response Antti Tikkanen explains.​ To get an inside look at business security, be sure to follow our Business Insider blog.

July 28, 2015
insured, business security, cartoon

Insured but not secured

This is the second in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Peter came into work thinking, “Today is gonna be boring as hell. I can’t wait till my shift ends”. He couldn’t have been more wrong. One terrible password “Policy 2014” would soon turn his insurance agency upside down. Peter had been working in a 24/7 security centre for a couple of years. He was an IT security specialist and he thought that he’d seen it all. This illusion was shattered when he picked up the phone. “We have a problem. We are losing clients!” he heard through the receiver. He kept listening, though he had no idea how this applied to him. “I think someone might have broken into our sales system! He calls our clients whose contracts are soon to expire. Just before we have a chance to do so ourselves”, the caller complained. The situation was beginning to look serious, and confusing. The system had recently been updated to boost security. At first, the staff who drafted offers for sales reps were accused of leaking the information. It had to be them. They had full access to the system. However, after close monitoring of the system, these suspicions proved to be unfounded. A lead was discovered by sheer coincidence: someone tried to log into the internal sales system using the account of an employee who was currently on holidays. The situation required immediate action. Peter had to identify the exact time and place the system was hacked into through sales reps’ accounts. For this purpose he used a Network Monitoring System of his own design. Unfortunately, it didn’t shed much light on the matter. The login location shifted each time he scanned the system. What is more, these locations were often miles away from each other! Then he started to think like a detective – he decided to lay some bait for the hacker. He created a fake profile for a client whose contract was about to expire. A sales rep was to call him in exactly five days. However, Peter entered his own phone number in the client’s profile details. It only took three days for the hacker to bite. After a two-minute phone call, everything became clear enough. It turned out that the mysterious hackers were in fact employees of a distributor with whom Peter’s company had entered into a contract for the sale of its insurance policies. These suspicions were only made more certain when it was discovered that the company had recently recorded an increase in its sales of insurance products through the distributor. The investigation revealed that an employee from the IT department had facilitated the hacking. He confessed, and revealed that temporary passwords to the sales system were always the same (“Policy 2014”) and that hardly anyone ever changed them – this was enough to obtain customer account data. Finally, the situation was brought under control. The sales system was secured and sales specialists were properly trained in data and password protection techniques. However, the company’s image suffered. Although much effort was made to keep the case confidential, many clients grew concerned about the safety of their personal data. Nevertheless, it was the sales personnel who suffered the most as their commissions dwindled. For the latest on business security, be sure to visit F-Secure's Business Insider.

June 12, 2015
Corporate Cyberattacks

Corporate Cyberattacks and You

F-Secure announced today that it has acquired nSense - a Danish cybersecurity firm that specializes in providing security consultations, vulnerability assessment, and related services to large enterprises. So you might be asking yourself why this matters. Well, the answer is that it matters because “large enterprises” provide products and services to people, and so the kind of security measures these services use to defend against cyberattacks is what protects the personal information you give to these enterprises from would-be attackers. The 2011 attack on Sony’s Playstation network provides a textbook example of how important corporate cybersecurity is for regular people. The Playstation Network was hacked in April 2011, and while it was initially reported as a disruption in service, Sony’s investigation eventually uncovered evidence that the attackers were able to steal the personal data of people subscribing to the gaming service. The compromised data included names, email addresses, physical addresses, and even login details of around 70 million subscribers. Sony also admitted that the attackers may have stolen credit card numbers, although they could not confirm this. And this isn’t an isolated incident. Target experienced a massive data breach in 2013, as did Home Depot in 2014. Both instances exposed the credit card information of shoppers to risks - risks that people don’t necessarily want to take when they go shopping at brick-and-mortar stores. So the cybersecurity of large enterprises is an issue that concerns us all, which is why F-Secure’s acquisition of nSense is big news. F-Secure’s award-winning products already protect tens of millions of people and thousands of businesses. nSense is one of Northern Europe’s leading cybersecurity firms, and specializes in providing protection services for large enterprises in the entertainment, finance and service provider sectors. You should care about whether or not the businesses and organizations you entrust with your data are taking care of it, and providing it with the best protection. Now F-Secure is in an even stronger position to provide its vaunted Best Protection to large enterprises, and to their customers. And that's why it matters. [ Image by carlosalbertoteixeira | Pixabay ]

June 2, 2015
BY