The number of exploit attacks against known vulnerabilities continues to increase. The target is to install malware into the targeted system and to gain benefits for the criminals behind the attack.
According to F-Secure Threat Report H1/2013, the majority of Top 10 detections from the last six months involved exploits. Java is the most popular entry point and therefore, disallowing Java plug-ins might make sense. Java vulnerabilities have allowed attackers to use even classic forms of attack, known for about ten years already.
The table clearly shows that the users do not seem to understand the importance of security patches since exploits can target vulnerabilities that have had a patch for over 5 years!
On the other hand, exploit kits find their way to the market unbelievably fast – the F-Secure Threat report tells: “Java vulnerability CVE-2013-2423; a Metasploit module targeting this was first published on April 20th, and a day later we noticed in-the-wild attacks against it had already gotten underway by the CrimeBoss exploit kit”.
Why is it so hard to keep pace with the critical security updates then?
First, the number of patches releases is huge. For example, Microsoft alone recently published 13 patches against 47 bugs in its Patch Tuesday security update. Add to that the Java updates, Adobe updates, and all the rest of the products, and the number of necessary updates in a business environment can be devastating. Second – would the IT administrator always know which software is installed on which machine?
F-Secure Software Updater, an automated patch management tool integrated in the security clients, can help manage the huge task of keeping on top of the critical security updates. It follows the philosophy: find it, fix it, and forget it.
This is the sixth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Chris, a very ordinary businessman, was on a very ordinary business trip when he received an urgent call from one of his business partners asking him to make a money transfer. Chris was waiting for a train at a station, but he was happy to have the opportunity to help out his colleague, so he quickly pulled his laptop out of his bag to make the transfer. The account for his company-owned mobile phone was maxed out, so he wanted to take advantage of the train station’s Wi-Fi while he had a chance. He booted up his laptop and started looking for a free connection. Fortunately, “Railway_Station_Name” was open to the public – no username, password, or registration required. “Phew! Caught a lucky break there,” thought Chris. Fueled by motivation to get the job done, Chris went ahead and connected to the seemingly trustworthy network. He noticed it was a little bit slow, and not wanting to risk missing his train, he closed all the background apps and processes, including his anti-virus software. He really wanted to use the opportunity to show his initiative to his team, and he didn’t want to risk missing his meeting or not finishing the transfer because his computer was slow. He figured that as long as he avoids opening emails or browsing the web, he wouldn’t have any problems. And just like he thought, it was all over in a couple of minutes. He completed the money transfer without any issues. He shut down his laptop and hurried off to catch his train, confident that he had done the right thing by taking a few minutes to help his business partner. “A job well done,” Chris thought to himself. Chris arrived back at his hotel later that evening and booted up his laptop again to send some emails and wrap up his day. But his computer wasn’t working properly. It was slow. Error messages were spreading over his desktop like flies on spoiled fruit. He tried running an anti-virus check, but even that wouldn’t work. He decided to take it into a computer store he had passed earlier to see if they could take a look at it for him. He only had to wait at the shop for a few minutes while the store’s staff checked his laptop. “The problem is your computer’s infected by a virus – several in fact,” said the clerk. “One of the viruses disabled your AV software, and you’ve also got a ton of spyware. We’ve cleaned it up for you so you should be good to go now, but try to be more careful in the future.” The satisfaction Chris had felt earlier was suddenly gone. Now he was plagued with doubt about whether or not his information was secure, and even worse, he was concerned that perhaps the bank account he had used earlier had been compromised. He’d heard of such things happening to other people working for other companies. He thought that maybe these other people had just been suckers, scammed by some spam emails or clicking random links they found online. But now he wasn’t so sure, so he decided to change all of the passwords for his online accounts. Chris retired to his hotel, feeling stressed, and with a lighter wallet from paying the guys at the computer shop for helping him out. He told himself that he would think twice before disabling his AV software in the future. But Chris’ doubts about what he’d done, and what kind of threats he had been exposed to, continued to linger. Chris didn’t realize that he’d fallen into a trap, and connected to a rogue Wi-Fi hotspot that a hacker had prepared at the train station. These kinds of opportunistic attacks are quite common because they capitalize on people taking Wi-Fi security for granted, and are quite easy and cheap for hackers to put together. As this video shows, it’s a small feat to trick people into connecting to public Wi-Fi hotspots that hackers can use to steal account credentials and intercept communications. [youtube https://www.youtube.com/watch?v=qk2RPOBpZvc&w=560&h=315] F-Secure Security Advisor Su Gim Goh recently conducted an experiment in Hong Kong to see how many people connect to Wi-Fi hotspots without verifying that the connections are safe. He put together a Wi-Fi hotspot for less than 200 U.S. dollars, and took it to different cafes and restaurants in Hong Kong. Goh was able to determine that 55% of people automatically connected to his hotspot, which was set up to spoof legitimate connections that people want to use. “Spoofing” legitimate Wi-Fi hotspots means that the bad Wi-Fi hotspots are able to trick devices into thinking they’re legitimate hotspots that have been used before, so anyone that’s used the legitimate (“spoofed”) Wi-Fi hotspot in the past, and has their device recognize it as a preferred or safe network, will be automatically connected to the “spoofing” hotspot. Goh and many other security researchers warn people against taking Wi-Fi security for granted. “Auto-connecting is typically bad for security, so you should disable that option on your phone, or even just keep your Wi-Fi off when you’re not using it. It’s really not that hard to toggle it on/off, and it’s better than learning the hard way.”
This is the fifth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Kamil left a business meeting and immediately took out his phone to call a client. During the conversation the device buzzed with an incoming text message. After Kamil unlocked the screen, a text popped up: “Thank you for activating the WEATHER TODAY service. You will be receiving a text message with the forecast three times a day. The daily cost of the service is one Euro. If you want to cancel your subscription, please text us ‘STOP.A133’ at 92590.” Nothing of this made any sense to Kamil. He had never activated any service on that phone. It was a company phone, he used only to contact clients. In any case, he didn’t need any weather forecasts. In order to save his company money, he quickly followed instructions from the text and cancelled the service. “Done!”, he thought and went back to his car to return to the head office of his firm, a consulting company. But this was only the beginning of his troubles... “Came to my office immediately”, read the email Kamil got from his boss Jacek two weeks later. “This must be about the contract with the bank that I finally closed,” thought Kamil and rushed upstairs to see his supervisor. “Are you out of your mind?! There an extra 500 Euro on top of your phone subscription fees because you’ve activated some extra services! You have everything you need to work, unlimited calls, online access. But I will not burn the firm’s money for some stupid extras!”, Jacek fumed. “Boss, I got a strange text about some weather forecast service, but I immediately blocked the subscription, I didn’t know there was any problem”, explained Kamil, surprised. He agreed to pay the fees out of his own pocket and immediately explain the whole situation. Jacek seemed to cool down a little, but promised that he would place a note on Kamil’s file if the issue wasn’t solved by the end of the month. “This time, I’m gonna keep it off-record, but I’m watching you”, the manager warned Kamil. Startled and confused, Kamil decided to do some online research about WEATHER TODAY. As he saw the first browser hits, he already knew he found what he was looking for. An article on a professional computer security portal reported that the activation message was a ruse used to wrangle money out of unaware recipients of the text message. It was precisely the STOP.A133 message that cost Kamil 500 Euro. He followed the article author’s advice and decided to install mobile security software that protects against spam. Having compared available options, he chose the best app from a reputable developer and never risked his job over an SMS message again. Is there anything you can do to protect yourself besides installing mobile security and not responding to unsolicited texts from unknown senders? "Some mobile operators will let you opt out of or disable billing through SMS messages," F-Secure Security Sean Sullivan explained. "It is very surprising to me that many businesses don’t demand bulk disabling by default for their employer provided plans." To get an inside look at business security, be sure to follow our Business Insider blog.
This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "If you have to use dangerous plugins like Java to do banking, you can enable those in one browser and use it only for the banking stuff," F-Secure Director of Security Response Antti Tikkanen explains. To get an inside look at business security, be sure to follow our Business Insider blog.