There are many ways to keep your computer secure. Your own behavior affects it a lot and we at F-Secure are happy to help protect you with our products. But there are also many tools that can improve your security even if that wasn’t their initial purpose. Melissa and Sean described how you can use separate browsers to lower the risk of human error. Virtualization is another technology that can improve security as a side effect. It’s like the separate browsers idea, but takes it a lot further. Read on to learn more.
Virtualization in computing means simulating something with software. What we are talking about here is creating a whole virtual computer inside a real computer. It’s complex under the hood, but luckily there are easy-to-use products that almost anyone can handle. This technology is, by the way, used extensively in the software industry. Huge numbers of virtual computers can be used to process data or test software. A large portion of the Internet is also provided by virtual servers.
But how can this improve my security? Most malware is made for profit and interfering with your on-line banking is a common payload. But what if you run your on-line banking on a separate computer? Buying another machine costs money and consumes space, but that can be solved by using a virtual computer instead. That virtual machine would only be used for banking, nothing else. A malware infection could happen if your guard is down and you open a malicious file in the mail. Or surf to a site which is infected with a drive-by download. Both cases could infect your real computer, but the malware can’t see what you are doing with the bank inside the virtual machine. One could also use the opposite strategy. Use a virtual machine when doing something risky, like looking for downloads on shady servers. A previously made snapshot can easily be restored if something bad hits the virtual machine.
An additional benefit is that this gives you an excellent opportunity to play around with different operating systems. Install Linux/Windows/OS X just to become familiar with them. Do you have some hardware whose driver won’t work in your new machine? No problem, install a virtual machine with an older operating system.
OK, sounds like a good idea. But can I do it? Here’s what it takes.
I’m not going to provide detailed instructions for this. That depends too much on which virtualization product and operating system you use. Besides, it would be like reinventing the wheel. You will find plenty of step-by-step instructions by Googling for what you want to do, for example “install Linux in VirtualBox”.
But for your convenience, here’s an overview of the process.
Edited to add: It is of course a good habit to exercise the same basic security measures inside virtual machines as in real computers. Turn on the operating system’s update function, install your anti-virus program and make sure your browser is kept up to date. Doing just banking with the virtual machine reduces the risk a lot, but this is good advice even in that case. And needless to say, the virtual machine’s armor is essential if you use it for high-risk tasks. Thanks Dima for providing feedback.
This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.
It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes.
The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising her to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or client information had been compromised. That would have been the end of her legal career.
"This is why you should always use different browsers for different sorts of tasks," F-Secure Security Advisor Sean Sullivan explains. "Any browser you use for sensitive financial transactions should be used just for that, especially at work."
To get an inside look at business security, be sure to follow our Business Insider blog.
In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked. F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier". There is no international treaty that defines online rules of engagement, but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless of the author, any cyber attack on a hospital, for instance, would be illegal under existing law. Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on a diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity. There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe.
"We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely." He suggests that the U.S. should be much more concerned about the protection of all of its digital data. “I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape. And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators is backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call. Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war is being tossed around?
Wired.com broke a shocking but hardly surprising story on July 21st. The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenberg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering! Scary? Hell yes! This is a great demonstration of security issues with the Internet of Things trend (IoT). Anything connected to the net can in theory be hacked and misused remotely. IoT is typically associated with “smart” appliances like toasters and fridges, but a car connected to the net is very much IoT as well. And a hacked car is a lot scarier than a hacked fridge. So let’s look at the three fundamental questions this hack raises.
How can this be possible?
Car manufacturers were caught with their pants down. They have for decades been thinking deformation zones and airbags when you say security. Now they need to become aware of digital security too. I’m confident that they already have some level of awareness in this field, but the recent Jeep incident shows that they still have a lot to learn. I’m not only thinking about preventing this from happening in the first place. No system is perfect, and they must also be able to deal with discovered vulnerabilities. A fix for the problem was created, but patching vehicles required a visit to the car dealer. Like taking your computer to the store to have Windows updates applied. No way!
This underlines that digital security is about more than just design and quality control. It’s also about incident response and maintenance processes. Good morning car manufacturers and welcome to the world of digital security. You have a lot to learn.
Ok, it can be done, but why?
We are now at the “Wow! This is really possible!” stage. The next stage will be “Ok, but how can this be utilized?” There are a lot of headlines about how we could be killed by hacked cars. That may be technically possible, but has so far never happened. Hackers and virus writers used to work out of curiosity and do pranks just because it was possible. But that was in the eighties and nineties. Earning money and collecting information are the motives for today’s cyber criminals and spies. Killing you by driving your car off a cliff will not support either of those objectives, but it does make juicy headlines. Locking your car and asking for a ransom to unlock it is however a plausible scenario. Turning on the hands-free microphone to spy on your conversations is another. Or just unlocking it so that it can be stolen. Anyway, the moral of the story is that scary headlines about what car hackers can do are mostly hype. The threat will look very different when or if it becomes reality in the future. Let’s just hope that the car manufacturers get their act together before this becomes a real problem.
Should I be worried?
No. Not unless your job is to design software for vehicles. The current headlines are very important wake-up calls for the car industry, but have very little impact on ordinary consumers. Some early incidents, like this Jeep case, will be handled by calling cars to the dealer for an update. But it is clear that this isn’t a sustainable process in the long run. Cars are like appliances; any update process must be fully automatic. And the update process must be much faster than applying the latest software once a year when the car is in for routine maintenance.
So any car hooked up to the net also needs an automatic update process.
But what about the hackers driving me off a cliff? You said it could be possible, and I don’t want to die.
First, does anyone have a motive to kill you? Luckily most of us don't have those kinds of enemies. But more importantly, doing that may or may not be possible. Car manufacturers may be inexperienced with hacking and IT security, but they understand that any technical system can fail. This is why cars are built with safeguards at the hardware level. The Jeep hackers could steer the car remotely, but only at low speed. This is natural as the electronically controlled steering is needed for parking assistance, not for highway cruising. Disabling this feature above a certain speed threshold makes perfect sense from a safety perspective. But, on the other hand, I can think of several scenarios that could be lethal despite low speed. And the hackers could fool the speedometer to show the wrong speed. What if they can feed an incorrect speed reading into the system that turns off electronic steering? Ok, never say never. But hiring a traditional contract killer is still a better option if someone wants you gone. And there are naturally no safeguards between software and hardware when the self-driving cars take over. Widespread self-driving cars are still sci-fi, and hacking them is even further away. But we are clearly on a path that leads in that direction. A few wrong turns and we may end up with that problem becoming reality. The good news, on the other hand, is that all publicity today contributes to improved digital security awareness among vehicle manufacturers. But finally back to today’s reality. It is still a lot more likely for you to be killed by a falling meteorite than by a hacker taking over your car. Not to mention all the ordinary traffic accidents!
Safe cruising, Micke