“We’re not creative enough when we imagine cyber warfare,” F-Secure Security Advisor Sean Sullivan recently told me. “It’s not kinetic explosions. It could be a guy whose crimeware business has dried up and is looking for new business.”
Over the last week, F-Secure Labs has taken a look at attacks from the “Energetic Bear” hacking group, Havex, which targets the energy sector, and now CosmicDuke, which is aimed at targets in Ukraine, Poland, Turkey, and Russia.
The goal of these attacks seems to be espionage or gathering information up for a buyer, which could be a government. But the methods don’t match the precision and massive investment of manhours that went into an attack like Stuxnet, which was designed to take down Iran’s nuclear capabilities.
“They rely on plausible deniability and using resources that don’t seem to be created specifically for the task,” Sean said. “It matches the modular methodology of what we conventionally think of as crimeware.”
“You look at one element and it looks like crimeware,” said F-Secure Senior Researcher Timo Hirvonen, who wrote the CosmicDuke analysis. “You look at it from a different angle and you say, ‘I’ve never seen it aimed like that before.'”
“The conventional wisdom is that anything related to cyber warfare will be shiny and new,” Sean said. These attacks instead suggest “semi-professionalism”.
Here are three questions Sean is pondering in the wake these attacks:
What do we mean when we say state-sponsored?
“Cyber warfare models real life,” Sean said. “Some countries have a massive cyber intelligence infrastructure that works from the top down. Others seem to have a more grassroots origin, co-opting existing technologies that seem to be built on existing crimeware.”
He wonders if state-focused campaigns are using malware that isn’t necessarily state-sponsored. “Countries who use troops with black masks and no insignias standing on a peninsula may have the same kind of thing going online.”
Opportunistic and pragmatic governments may be paying people to co-opting technology that exist for international espionage purposes.
He suggests the goals of such attacks may fit into Sun Tzu’s advice from The Art of War: know your enemy.
Armed with information, countries can use soft power to turn allies against each other and dissuade retribution like economic sanctions.
What do we mean by APT — advanced persistent threat?
These attacks are not complex in the way Stuxnet was. And they don’t need to be.
CosmicDuke — a variant of a malware family that has existed since 2001– infects by tricking targets into opening either a PDF file which contains an exploit or a Windows executable whose filename makes it look like a document or image file.
Once the target opens the malicious file, CosmicDuke gains access starts collecting information with a keylogger, clipboard stealer, screenshotter, and password stealers for a variety of popular chat, e-mail and web browsing programs. CosmicDuke also collects information about the files on the system, and has the capability to export cryptographic certificates and their private keys. Once the information has been collected, it is sent out to remote servers via FTP. In addition to stealing information from the system, CosmicDuke allows the attacker to download and execute other malware on the system. Pretty standard stuff.
Is the war against crimeware driving criminals to cyber espionage? Or: Could be fighting cybercrime be counterproductive?
“Some of these guys may be working for the government and themselves,” Sean said.
A wave of successes in the international war on cybercrime may be driving criminals to new buyers.
“The talent developed on its own,” he said. “And now there’s a government taking advantage of talent in their borders. Law enforcement has been going after crimeware. But it doesn’t go away. It’s fungible. The talent’s still there it needs to make a buck.”
Sean believes there’s a message in these attacks for everyone.
“It’s not just the NSA that hunts system admins. If you have any sort of credentialed access to important systems, you are a target. Keep calm and secure your stuff.”
He hopes that businesses will recognize that prevention is always the best remedy.
“For IT managers: ask for the security budget you need – and fight for it. There is more evidence than ever that letting cost dictate security is bad management.”
If governments are willing to work with increasingly opportunistic malware authors, risks could grow exponentially.
“Is today’s crimeware botnet, tomorrow’s national security nightmare?” Sean asks. “What happens when these guys get out of jail? I’m sure they won’t let the talent go fallow.”
Online surfing has been around for a while now, and it keeps getting better as technology continues to improve. Websites are better, responsive to different devices, more interactive, and feature a more diverse range of content. All in all, online surfing has managed to stay cool for a very long time. In fact, during a recent interview, Mikko Hypponen specified online surfing as the thing that he’d miss the most if the Internet were to suddenly disappear. The Internet may not suddenly disappear tomorrow, but it is in danger of slowly eroding. While technologies have been steadily improving what people can see and do online, other interests have been trying to develop new ways to regulate and control people’s behavior. Questions about what you can see and do online used to face technical constraints, but now these are transitioning to issues about what other people want you to see and do. Noted anthropologist and author David Graeber recently remarked in an interview with the Guardian that control has become so ubiquitous that we don’t even see it. Geo-blocking is a regulative measure that seems to confirm Graeber’s views. PC Magazine concisely defines it as the practice of preventing people from accessing web content based on where they are (determined by their IP address). Geo-blocking and other types of regional restrictions are used by both companies and governments, and for a variety of purposes (for example, enforcing copyright regimes, running regional sales promotions, censorship, etc.). Freedome is a user-friendly VPN that gives people a way to re-assert control over what they can see and do online. It encrypts communications, disables tracking software, and protects people from malware. It basically gives people the kind of protection they need to surf the web while staying safe from the more prominent forms of digital threats. It also helps people circumvent geo-blocking by letting them choose different “virtual locations”. Virtual locations let people choose where they want to appear to be when they’re surfing online. So if a user selects Canada as their location, the websites they visit will think they are located in Canada. If they select Japan, websites will think they’re in Japan. I’m sure you get the idea. Choosing different virtual locations lets web surfers bypass these geo-blocks so that their access to content remains unrestricted. They can watch YouTube videos reserved for American audiences, access Facebook or Twitter when vacationing in a country that blocks those services, and avoid other measures that attempt to prevent them from enjoying their digital freedom. Freedome recently added Belgium and Poland as new choices, giving Freedome users a total of 17 different places to surf from. But the list needs to keep expanding to keep the fight for digital freedom going, so the Freedome team wants to know: where do you want to do your online surfing? [polldaddy poll=8754876] [Image by Sari Choch-Be | Flickr ]
"Securing the future" is a huge topic, but our Chief Research Officer Mikko Hypponen narrowed it down to the two most important issues is his recent keynote address at the CeBIT conference. Watch the whole thing for a Matrix-like immersion into the two greatest needs for a brighter future -- security and privacy. [youtube https://www.youtube.com/watch?v=VFoOvpaZvdM] To get started here are some quick takeaways from Mikko's insights into data privacy and data security in a threat landscape where everyone is being watched, everything is getting connected and anything that can make criminals money will be attacked. 1. Criminals are using the affiliate model. About a month ago, one of the guys running CTB Locker -- ransomware that infects your PC to hold your files until you pay to release them in bitcoin -- did a reddit AMA to explain how he makes around $300,000 with the scam. After a bit of questioning, the poster revealed that he isn't CTB's author but an affiliate who simply pays for access to a trojan and an exploit-kid created by a Russian gang. "Why are they operating with an affiliate model?" Mikko asked. Because now the authors are most likely not breaking the law. In the over 250,000 samples F-Secure Labs processes a day, our analysts have seen similar Affiliate models used with the largest banking trojans and GameOver ZeuS, which he notes are also coming from Russia. No wonder online crime is the most profitable IT business. 2. "Smart" means exploitable. When you think of the word "smart" -- as in smart tv, smartphone, smart watch, smart car -- Mikko suggests you think of the word exploitable, as it is a target for online criminals. Why would emerging Internet of Things (IoT) be a target? Think of the motives, he says. Money, of course. You don't need to worry about your smart refrigerator being hacked until there's a way to make money off it. How might the IoT become a profit center? Imagine, he suggests, if a criminal hacked your car and wouldn't let you start it until you pay a ransom. We haven't seen this yet -- but if it can be done, it will. 3. Criminals want your computer power. Even if criminals can't get you to pay a ransom, they may still want into your PC, watch, fridge or watch for the computing power. The denial of service attack against Xbox Live and Playstation Netwokr last Christmas, for instance likely employed a botnet that included mobile devices. IoT devices have already been hijacked to mine for cypto-currencies that could be converted to Bitcoin then dollars or "even more stupidly into Rubbles." 4. If we want to solve the problems of security, we have to build security into devices. Knowing that almost everything will be able to connect to the internet requires better collaboration between security vendors and manufacturers. Mikko worries that companies that have never had to worry about security -- like a toaster manufacturer, for instance -- are now getting into IoT game. And given that the cheapest devices will sell the best, they won't invest in proper design. 5. Governments are a threat to our privacy. The success of the internet has let to governments increasingly using it as a tool of surveillance. What concerns Mikko most is the idea of "collecting it all." As Glenn Glenwald and Edward Snowden pointed out at CeBIT the day before Mikko, governments seem to be collecting everything -- communication, location data -- on everyone, even if you are not a person of interest, just in case. Who knows how that information may be used in a decade from now given that we all have something to hide? Cheers, Sandra
We were recently asked a series of questions about how Freedome protects private data by TorrentFreak.com. Since we believe transparency and encryption are keys to online freedom, we wanted to share our answers that explain how we try to make the best privacy app possible. 1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long? We do not keep any such logs. If ever required by law under a jurisdiction, we would implement such a system, but only where applicable and keeping storage time to the minimum required by law of that respective jurisdiction. Note also that no registration is required to use our service, so any log information would generally map to an anonymous, random user ID (UUID) and the user’s public IP address. 2. Under what jurisdiction(s) does your company operate? Freedome is a service provided from Finland by a Finnish company, and manufactured and provided in compliance with applicable Finnish laws. 3. What tools are used to monitor and mitigate abuse of your service? We have proprietary tools for fully automated traffic pattern analysis, including some DPI for the purpose of limiting peer-to-peer traffic on some gateway sites. Should we detect something that is not in line with our acceptable use policy, we can rate limit traffic from a device, or block a device from accessing the VPN service. All of this is automated and happens locally on the VPN gateway. 4. Do you use any external email providers (e.g. Google Apps) or support tools ( e.g Live support, Zendesk) that hold information provided by users? We do not use any external email providers, but our users can, for example, sign up for beta programs with their email address and send us feedback by email. The email addresses are used only to communicate things like product availability. In the future, paying customers can also use our support services and tools such as chat. In those cases, we do hold information that customers provide us voluntarily. This information is incident based (connected to the support request) and is not connected to any other data (e.g. customer information, marketing, licensing, purchase or any Freedome data). This data is purely used for managing and solving support cases. 5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled? There is no content in the service to be taken down. Freedome is a data pipeline and does not obtain direct financial benefit from user content accessed while using the service. While some of the other liability exclusions of DMCA (/ its European equivalent) apply, the takedown process itself is not really applicable to (this) VPN service. 6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened? The law enforcement data requests can effectively be done directly only to F-Secure Corporation in Finland. If a non-Finnish authority wants to request such data from F-Secure, the request will be done by foreign authorities directly to Finnish police or via Interpol in accordance to procedures set out in international conventions. To date, this has never happened for the Freedome Service. 7. Does your company have a warrant canary or a similar solution to alert customers to gag orders? We do not have a warrant canary system in place. Instead, Freedome is built to store as little data as possible. Since a warrant canary would be typically triggered by a law enforcement request on individual user, they are more reflective on the size of the customer base and how interesting the data in the service is from a law enforcement perspective. They are a good, inventive barometer but do not really measure the risk re: specific user’s data. 8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why? BitTorrent and other peer-to-peer file sharing is rate limited / blocked on some gateway servers due to acceptable use policies of our network providers. Some providers are not pleased with a high volume of DMCA takedown requests. We use multiple providers (see Question #12) and these blocks are not in place on all the servers. 9. Which payment systems do you use and how are these linked to individual user accounts? There are multiple options. The most anonymous way to purchase is by buying a voucher code in a retail store. If you pay in cash, the store will not know who you are. You then enter the anonymous voucher code in the Freedome application, and we will then confirm from our database that it is a valid voucher which we have given for sale to one of our retail channels. The retail store does not pass any information to us besides the aggregate number of sold vouchers, so even if you paid by a credit card, we do not get any information about the individual payment. For in-app (e.g., Apple App Store, Google play) purchases you in most cases do need to provide your details but we actually never receive those, we get just an anonymous receipt. The major app stores do not give any contact information about end users to any application vendors. When a purchase is made through our own e-store, the payment and order processing is handled by our online reseller, cleverbridge AG, in Germany. Our partner collects payment information together with name, email, address, etc. and does store these, but in a separate system from Freedome. In this case we have a record who have bought Freedome licenses but pointing a person to any usage of Freedome is intentionally difficult and against our policies. We also don’t have any actual usage log and therefore could not point to one anyway. 10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection? Our application does not provide user selectable encryption algorithms. Servers and clients are authenticated using X.509 certificates with 2048-bit RSA keys and SHA-256 signatures. iOS clients use IPSEC with AES-128 encryption. Other clients (Android, Windows, OS X) use OpenVPN with AES-128 encryption. Perfect Forward Secrecy is enabled (Diffie-Hellman key exchange). We provide DNS leak protection by default, and we also provide IPv6 over the VPN so that IPv6 traffic will not bypass the VPN. Kill switches are not available. The iOS IPSEC client does not allow traffic to flow unless the VPN is connected, or if the VPN is explicitly turned off by the user. The Android app, in “Protection ON” state keeps capturing internet traffic even if network or VPN connection drops, thus there is no traffic or DNS leaks during connection drops. If the Freedome application process gets restarted by the Android system, there is a moment where traffic could theoretically leak outside the VPN. Device startup Android 4.x requires user’s consent before it allows a VPN app to start capturing traffic; until that traffic may theoretically leak. (Android 5 changes this, as it does not forget user’s consent at device reboot.) 11. Do you use your own DNS servers? (if not, which servers do you use?) We do have our own DNS servers. 12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located? In most locations we utilize shared hardware operated by specialized hosting vendors, but we also have our own dedicated hardware at some locations. Providers vary from country to country and over time. In some countries we also use multiple providers at the same time for improved redundancy. An example provider would be Softlayer, an IBM company whom we use in multiple locations.