Exactly one year ago today, we saw the very first of the Snowden leaks. One year later, the world has changed a lot – for the better. In a recent talk I gave, I called the past year “Year 1 A.S. – After Snowden.” The Snowden revelations are that important to the digital world.
Before Snowden, the world was simpler. There was a certain innocence we hadn’t lost yet. People weren’t thinking much about things like where their data is stored. People were happily using services without much thought as to what country hosted it. Since Snowden, we’ve lost that innocence. We’re now much more aware of the privacy implications of the Internet services we use, and how where they’re from affects our own privacy. We’re now aware that whatever we do online is being tracked and followed.
That awareness is a very good thing. We should be having this conversation. We should be talking about privacy, security, the capabilities of technology, how it should be used, and the role of governments and corporations. The issues are complex. There are no easy answers.
Is Snowden a traitor, or a patriot to his country? The Americans can decide, and I hope they decide in his favor. Yes, he broke the trust of his employer and his NDA. But in the end he did the right thing.
Snowden could have put his head in the sand and continued to receive his very nice paycheck, or he could have simply walked away silently. But he didn’t. What he did do, was risk everything to give us a great gift: the opportunity to have this debate on the world stage. Without him we wouldn’t have been pushed to face these important and defining questions.
Are you fed up with mass surveillance? With having your digital privacy violated? Then make yourself a part of the conversation. F-Secure is giving you the chance to make your voice heard today. Share your thoughts and ideas in our #digitalfreedom manifesto. It’s a crowdsourced document that will be used to help advance digital freedom in the world. Join together with everyone who cares about digital freedom and privacy to make a difference. The manifesto is licensed under creative commons. It’s open for contributions until June 30. You can contribute here.
I hope we see more Snowdens from other world powers. Other countries are doing similar surveillance too, we just don’t have concrete evidence about it yet. But I’m glad there are people out there who have the integrity and the ideals to stand up against what’s wrong, no matter the cost.
And that’s why Edward Snowden gives me hope.
Espionage – it’s not just for James Bond type spies anymore. Cyber espionage is becoming an increasingly important part of global affairs, and a threat that companies and organizations handling large amounts of sensitive data are now faced with. Institutions like these are tempting targets because of the data they work with, and so attacks designed to steal data or manipulate them can give attackers significant advantages in various social, political and industrial theaters. F-Secure Labs’ latest malware analysis focuses on CozyDuke – an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise and steal information from its targets. The analysis links it to other APTs responsible for a number of high-profile acts of espionage, including attacks against NATO and a number of European government agencies. CozyDuke utilizes much of the same infrastructure as the platforms used in these attacks, effectively linking these different campaigns to the same technology. “All of these threats are related to one another and share resources, but they’re built a little bit differently to make them more effective against particular targets”, says F-Secure Security Advisor Sean Sullivan. “The interesting thing about CozyDuke is that it’s being used against a more diverse range of targets. Many of its targets are still Western governments and institutions, but we’re also seeing it being used against targets based in Asia, which is a notable observation to make”. CozyDuke and its associates are believed to originate from Russia**. The attackers establish a beachhead in an organization by tricking employees into doing something such as clicking a link in an e-mail that distracts users with a decoy file (like a PDF or a video), allowing CozyDuke to infect systems without being noticed. Attackers can then perform a variety of tasks by using different payloads compatible with CozyDuke, and this can let them gather passwords and other sensitive information, remotely execute commands, or intercept confidential communications. Just because threats like CozyDuke target organizations rather than individual citizens doesn’t mean that they don’t put regular people at risk. Government organizations, for example, handle large amounts of data about regular people. Attackers can use CozyDuke and other types of malware to steal data from these organizations, and then use what they learn about people for future attacks, or even sell it to cyber criminals. The white paper, penned by F-Secure Threat Intelligence Analyst Artturi Lehtiö, is free and available for download from F-Secure’s website. [ Image by Andrew Becraft | Flickr ]
How important is it to ask the right question? Our Security Advisor Sean Sullivan thinks it's so important that it can either help or hurt your cause. Most anyone who has debated the issues of government surveillance and online tracking by corporations has likely faced someone who dismisses concerns with "I don't have anything to hide." This is apparently a very popular sentiment. 83 percent of respondents in the United Kingdom answered "No" to the question "Do you have anything to hide?" in a new F-Secure survey. "You might as well be asking people – are you a dishonest person?" Sean wrote in our latest Threat Report (like goes to PDF). "The question is emotionally charged and so of course people react to it in a defensive manner – I think it is perfectly natural that 83% of people said no." Sean suggested another question that reframes the debate: "Would you want to share everything about your life with everyone everywhere, all the time, forever?" Think about just your Google Search history. Seriously, take a look at it -- here's how you can see it (and delete it). "And my prediction was proven correct – 89% of respondents did not want to be exhibitionists," he wrote. Both questions, he notes, at the core ask, "Do you think privacy is important?" One does it in a way that's accusatory. The other in a way that's explanatory. Sean suggests that we all have things in our past we'd rather forget and asking the right question can get people to see that quite quickly. There's reason to pessimistic about privacy given that there has been substantial change in U.S. government policy since the Snowden revelations began. But even that may change soon with bipartisan revisions to the the law that began legalized mass surveillance. This imperfect attempt to limit the NSA's bulk collection is a promising start of a major shift away from methods that have done more to stifle digital freedom than to achieve the unachievable goal of creating a world without threats, if it's indeed just a start. Maybe we're starting to ask the right questions. [Image by Ashleigh Nushawg | Flickr]
Malware is an omniscient threat – it’s present even when people don’t realize it. Understanding the threat is a key component of protecting yourself and your devices, and nothing drives that point home like cold hard facts and comprehensive research. F-Secure just released its latest Threat Report, which provides important insights into contemporary digital threats. The report details the various changes and trends in the digital threat landscape using data collected during the 2nd half of 2014. The threat report is full of important information, and it’s worth checking out to get some ideas about what attackers are cooking up. Trends like social media malware, exploits, and ransomware are detailed in the report. But there’s tons of important information people should be aware of, and so we put together an infographic to give you a quick overview of the report. The report provides lots more information about the threats, incidents, and trends that were prominent in the latter half of 2014. There's also some insightful words penned by F-Secure security researchers to give you a little context about why you need to arm yourself with knowledge to defend yourself against digital threats. You can download the full threat report for free from F-Secure’s website.