You’ve probably never heard of most of the 100 top URLs in world.
In fact, most users have no idea that they’ve even accessed most of the 89 domains the average user interacts with in a month.
A new F-Secure Labs study of the top 100 URLS accessed by customers all over the globe shows that of the world’s top URLs only 15% were accessed directly. The remaining 85% were accessed by other websites or software on the users PCs. Of the 85% accessed automatically, 10% come from ad-serving domains, 35% are ad-serving domains with tracking components and 19% are purely tracking domains.
This means that at least half of the URLs your browser accesses are not providing you any content. Instead, you are the content, providing anonymous marketers precious information about your interests, tastes and lifestyle.
“We are more honest with search engines than we are with our families,” F-Secure Chief Security Officer Mikko Hypponen said recently. “Search engines know more about you than your family members know about you.”
But the NSA, Google and Facebook aren’t the only ones tracking your online behavior. Nearly every site you load, every link you click is sending your information to be recorded possibly for eternity, given the how inexpensive it is to store data.
And when connecting through “free public Wi-Fi”, the risks of data loss only escalate.
Users of Freedome by F-Secure – the next generation VPN solution that allows you to become untraceable — have become intimately aware of how much tracking is aimed at them. Freedome alerts users of every blocked attempt to track a device through a site or an app. In just a few weeks, the average user is likely to see thousands of attempts to trace activity blocked.
“The trackers are not going away,” said F-Secure’s Director of New Concepts Janne Pirttilahti. “Their goal is to monetize every second of your life whether you are opening your wallet or not.”
Pirttilahti notes we cannot even know how our data will be used as new ways to predict and influence our behavior are developed.
“That’s why they’re trying to track everything you do. They don’t even know everything they want to know yet. Your privacy is the cost of using the web—unless you actively protect yourselves with a solution like Freedome.”
The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared. Photo licensed under CC BY 2.0: Breach photo by Jim Champion
See that floppy disc? That's how F-Secure Labs used to get malware to analyze. Nowadays, of course, it's much different, Andy Patel from the Labs explained in a recent post, "What's The Deal with Scanning Engines?" In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it's not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream. The whole post is worth checking out if you're interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here's a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy: Scanning engines. Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. URL blocking. Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. Exploit detection. If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. Network and on-access scanning. If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. Behavioral blocking. Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you're interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building. So you must be wondering, does this all work? Is it enough? Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us. Cheers, Jason
In 1853 a strange new invention appeared in the English cityscape, and caused a small wave of moral outrage among Victorians. This perceived threat to social order was not a new drug, political movement or saucy romance novel, but the seemingly harmless letter box. One reason was the shocking development of women now being able to post letters without consent from their husbands or fathers, and the other one was that sending anonymous letters would now be even easier. Maybe Victorians weren’t very thick-skinned, and were worried about unsigned letters calling people zounderkites and rantallions skyrocketing. Who knows? History now tells us that these attempts to control this early form of long-distance communication were ridiculous. And yet, a modern version of this debate is happening even today: there are those who want to make encrypted, anonymous communication available for everyone, and those who wish to restrict it. No new technology comes without drawbacks, and encryption is no exception. However, just as with the Victorian letter box, the pros greatly outweigh the cons. But why do people want to be anonymous online? Those who oppose encryption and other methods which advance online anonymity often throw around the tired argument “If you don’t have anything to hide, you have no need to be anonymous”. Not only does this statement show an astounding lack of perspective, it is also blatantly false. According to CBS there is a rising increase in desire for online anonymity, and there are many perfectly valid and legitimate reason to cover your tracks online. A lot of us just don’t feel comfortable with their Internet Service Provider, employer or even government having access to their surfing information. We all have a right to privacy, but technology is increasing the size of our digital footprint to the point when we can never know who is monitoring what we do online. Legislation, like the aptly nicknamed Snoopers Charter have the potential to give governments and ISP’s blanket rights to monitor web traffic of normal users in the name of security. This means the responsibility to protect our individual privacy rests increasingly in our own hands, and VPN services like our own Freedome go a long way in making that happen. For many people, it’s about control. We share aspects of our lives and personality on social media and other websites, but the choice of what we share should be ours to make. This control is taken away by advertisers and tracking companies, who collect information about us from different websites and piece them together to form elaborate dossiers which contain way more information about us than most would be comfortable sharing, like your medical information or what kind of porn you watch. For many, part of being anonymous online is blocking this kind of intrusive tracking, and it’s hard to find fault in that. The most serious group of people wanting anonymity are those for whom it is not so much a matter of principle but a matter of life and death. We are talking about activists, journalists and opposition supporters who operate under oppressive regimes or in places where criminals seek out and silence those who speak against them. It’s easy for those who support intrusive privacy legislation to forget that the governments who enact them will invariably have ulterior motives to “catching terrorists” or “protecting national security”: they give governments the power to control what we say. Open and free communication is the greatest tool the masses have to keep those in power accountable for their actions, and there is nothing open or free about the kind of mass surveillance which is happening more and more, legally and otherwise. What are your reasons to be anonymous online? This is not a black & white subject, and we’d be glad to hear your thoughts via the Freedome twitter channel @FreedomeVPN.