The number of exploit attacks against known vulnerabilities continues to increase. The goal is to install malware on the targeted system for the benefit of the criminals behind the attack.
According to the F-Secure Threat Report H1/2013, the majority of Top 10 detections from the last six months involved exploits. Java is the most popular entry point, so disallowing Java plug-ins might make sense. Java vulnerabilities have allowed attackers to use even classic forms of attack that have been known for about ten years.
The table clearly shows that users do not seem to understand the importance of security patches, since exploits can target vulnerabilities that have had a patch for over 5 years!
On the other hand, exploit kits find their way to the market unbelievably fast. The F-Secure Threat Report states: “Java vulnerability CVE-2013-2423; a Metasploit module targeting this was first published on April 20th, and a day later we noticed in-the-wild attacks against it had already gotten underway by the CrimeBoss exploit kit”.
Why is it so hard to keep pace with the critical security updates then?
First, the number of patch releases is huge. For example, Microsoft alone recently published 13 patches against 47 bugs in its Patch Tuesday security update. Add to that the Java updates, Adobe updates, and updates for all the other products, and the number of necessary updates in a business environment can be overwhelming. Second, would the IT administrator always know which software is installed on which machine?
F-Secure Software Updater, an automated patch management tool integrated in the security clients, can help manage the huge task of keeping on top of the critical security updates. It follows the philosophy: find it, fix it, and forget it.
This May, the GameOver ZeuS botnet made history by becoming one of the largest botnets ever seized by law enforcement. Unfortunately, it's back at work. BankInfo Security's Mathew J. Schwartz explains:
Nearly three months after the FBI, Europol and Britain's National Crime Agency launched "Operation Tovar" to successfully disrupt the botnet used to spread Gameover ZeuS, the malware is making a global comeback. Gameover ZeuS is a Trojan designed to steal banking and other personal credentials from infected PCs. At the time of the May law enforcement takedown, the FBI estimated that between 500,000 and 1 million PCs worldwide - one-quarter of them in the United States - were infected by the malware, which the bureau says was used to steal more than $100 million.
Our Security Advisor Sean Sullivan notes that "there isn't a 'flood' of new GoZ variants". F-Secure Labs has looked at the recent threats and one of our experts has a theory about their origin.
Our analyst most familiar w/ GameOver ZeuS just took a look at the latest GOZ samples. His verdict: it's very clearly the work of Slavik. — Sean Sullivan (@5ean5ullivan) August 27, 2014
Find out the latest about GoZ from Sean and Mikko Hypponen on 5 September in Threat Report Webinar live from Helsinki at 10:00 AM EST.
What should you do? Our Online Scanner detects both new and old GameOver Zeus variants. Check your PC for free now.
Cheers, Jason
[Image by delunula dot com]
You come back after a nice vacation, rested, tanned and ready to catch up on a few weeks of email. The only problem? You've forgotten your password. This may seem like a trivial problem, until you realize that it's not just you -- it's the guy at the next desk and the next desk and the next desk. And it isn't just one account.
A new report finds that lost or forgotten passwords cost the city of Espoo, a city of about 249,000 in Finland, about 18€ per worker for a total cost of 200,000€ -- every year. And that doesn't include the cost of the workers' lost time.
The fact is people have better things to think about than strings of often nonsensical numbers and letters that include a special character. The need for strong, unique passwords for all of our important accounts is overwhelming, with most people needing to remember at least 20 different passwords. Users have been forced to choose between using memorable terrible passwords or forgettable good passwords.
At F-Secure, we believe technology should free your mind to deal with important work, not passwords. That's why we created Key, our password manager that offers you one password to rule them all. It stores all your passwords, log-ins, e-mails, PIN codes and other credentials securely. You don't need to think of crazy unguessable passwords because it generates them for you and fills them in as you use the web. And our encryption protects all your data.
It's free to use on one device and as cheap as $1.84 a month if you want a premium account that covers all your devices. Give it a try, before you forget.
Cheers, Sandra
Image courtesy of Lulu Hoeller, flickr.com
The #Heartbleed vulnerability got people thinking about passwords -- a lot. In a recent survey*, we found that 57 percent of respondents had changed their passwords after learning about the bug that affected some of the web's largest sites.
But it may not take a massive software flaw to make your accounts vulnerable to hackers. Many of us break the essential password rule all the time by not using unique and strong passwords on all our most important accounts.
Are you helping online criminals? Do you use the most popular terrible passwords on the internet -- "123456" or "password"? Are you using names of your family or pets that you may be sharing on your Facebook? Is the name of your easily guessable favorite star, team or movie securing your private data? If so, you're not alone, according to our survey:
When most people have at least 20 passwords to remember, it makes sense that people try to keep it simple. But simple isn't always smart. That's why we developed F-Secure Key -- the one password that rules them all. It's a password manager that automatically generates the kind of strong, unique passwords you need for all your crucial accounts.
Be smart and good luck.
Cheers, Sandra
[Image by Nasuni via Flickr]
*224 Internet users around the globe participated in the survey, which was promoted through Facebook, Twitter, Google Plus and the F-Secure Safe and Savvy blog and conducted through Surveygizmo, May 2014.