Sandra@F-Secure


latest posts from Sandra@F-Secure

Mobile World Congress, #MWC16, F-Secure Sense

The world's top mobile hardware and software manufacturers and experts are gathering in Barcelona again for the Mobile World Congress. And while new hardware -- like the sharp new Samsung S7, the futuristic LG G5 and the Samsung Gear VR -- makes news around the globe, the real story of #MWC16 is the Internet.

Sure, you've probably heard this story before. But now the story is even bigger.

"The Internet is becoming an invisible fabric—like air—that enables all the services we’ve come to depend on—from communications to banking to driving in the right direction," Wired's Jessi Hempel wrote.

The irony of having more Internet in our lives is that it feels like less Internet.

"The more our world becomes connected, the more we stop noticing it altogether," Hempel explained. "Things just work. This morning, I called a cab (Halo), transferred money to my partner (Venmo), read up on trends (Twitter), and checked in with my editor (Slack)—all in about ten minutes."

The real question is not if the Internet will become a part of our home life but how quickly it does.

The Internet of Things has been a rare tech development that has been driven by commercial and government adoption and not consumers -- many of whom got laptops and iPhones for personal use before their work ever offered them one.

"Cities like Los Angeles and San Antonio are deploying connected street lighting to cut down on waste and make streets safer for drivers," Mike Feibus wrote in USA Today. "And companies like GE and Harley-Davidson are connecting factory equipment to decrease downtime by predicting equipment failure, and to anticipate heating and cooling needs to cut costs and improve comfort."

But that doesn't mean home users aren't picking up on the technology. Feibus notes there are 2.9 billion home IoT units versus 1.6 billion commercial devices. But that includes Smart TVs, gaming units and home theaters. Consumers are not yet migrating in droves to Internet-connected "home automation, energy and security devices."

Why are consumers so wary? It could be the same reason that the U.S. Armed Forces aren't rushing to get on IoT despite the obvious strategic advantages -- security.

An F-Secure survey last year found that 7 of 10 people were worried about their "smart home" devices being hacked. And poll after poll says that consumers worry about IoT security, which is probably why they stick to products that seem like natural upgrades to audio-visual equipment they already own but aren't branching out more than that -- despite the potential to save time, money and lives by making homes smart.

We want to help change this. That's why we're at Mobile World Congress to introduce people to SENSE.

SENSE is a brand new security and privacy product designed to protect people, smart homes, and all of the Internet-connected devices people use to get online.

What does SENSE protect? Everything. That is, everything in your home that connects to the Internet. It's the device you need to have the confidence to begin automating your home. And we want to give you the chance to see for yourself that it works.

https://twitter.com/FSecure_Sense/status/701833076926783491

If you're at #MWC16, we hope to meet you so you can meet SENSE. If not, you can get a good look at SENSE here.

February 23, 2016
Virdem malware, old viruses, Malware Museum

What's so fun about old malware? In just four days more than a hundred thousand people have visited The Malware Museum -- an online repository of classic malware, mostly viruses, that infected home computers in the 1980s and 90s.

Working with archivist Jason Scott, Mikko Hyppönen -- our Chief Research Officer -- put together 78 of the finest/worst examples of old-school malware. The collection includes emulations of the infections with the destructive elements removed so you can enjoy them safely.

"I only chose interesting viruses," Mikko told BBC News.

The result is "nerdy nostalgia," says PC Magazine's Stephanie Mlot.

The exhibits feature clunky ASCII graphics, pot references and obscure allusions to Lord of the Rings. While an early ancestor of ransomware like Casino was willing to ruin your files and call you an "a**hole," it wasn't trying to extort any cash out of you. That's because the creators of these early forms of digital vandalism were amateurs in the truest sense of the word. They did it for the love of mayhem.

We long for the days of "happy hackers," as Mikko calls them, because the malware landscape today is so ominous.

"Most of the malware we analyze today is coming from organized criminal groups... and intelligence agencies," Mikko explained.

To keep the memories of the good old days alive, we're going to make t-shirts celebrating some classic malware. And we'd like you to choose which viruses we should commemorate.

- CRASH
- V SIGN
- FLAME
- CASINO
- PHANTOM

(Image via @danooct1)

If you appreciate the Museum, Mikko asks that you contribute to the Internet Archive. You can learn more about Malware from Mikko's Malware Hall of Fame.

Cheers,
Sandra

February 8, 2016
cloud-computing

January 28 is Data Privacy Day in the U.S. and Data Protection Day in Europe, and the idea is the same all over the world: If you don't watch out for your data, no one will.

Every day, we put tremendous amounts of trust in the sites we use, the services we choose and the governments who are supposed to protect us but spend a lot of time making sure they can watch us too. It takes a society to shape these policies and we encourage you to join with those who demand privacy as a human right.

But even as an individual, there is a lot you can do to keep your data private. In fact, there's probably too much you can do. Many of us get inundated with security and privacy tips and end up doing nothing to protect ourselves.

So this Privacy Day, keep it simple. Just focus on one new thing you can do to keep your data more secure. Here is a privacy menu to choose from:

- Always lock your PC and devices when they aren't in use. And if you want to step it up, don't just use a good passcode, use a good passphrase.
- Stop trying to memorize your passwords. Do what the pros do instead: use a password manager like our F-Secure KEY, which is free on one device.
- Check your privacy settings. Start with the platform you use the most.
- Use two-factor authentication. It's the easiest way to keep your accounts from being hacked and more and more sites offer it.
- Always use a VPN when you connect to public Wi-Fi. Avoid bad network connections and keep your data from being sniffed. Our Freedome VPN also blocks online trackers.

If you do all of these things, good on you. You're ready to move on to Edward Snowden or ex-FBI agent levels of privacy.

Cheers,
Sandra

January 28, 2016
Cartoon, online banking, online crime

This is the seventh in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.

"If I weren't a lawyer, I probably wouldn't have survived today," Kate thought, as she opened a bottle of whiskey. She had earned it. It was a hard day, a disaster. Well, not a total disaster. When she had closed down her law firm and joined Mordor, Inc., she thought she would finally get a little peace of mind… She could not have been more wrong.

* * *

[The same day, 12 hours earlier]

As every morning, she got into her white BMW slightly late and drove to work through the city streets. Caught in the traffic jam, she had time to do her makeup and swipe through some photos on Tinder.

"I can't wait to add my skydiving picture and fill in my height," she thought. "My profile is too polite and too boring. But that's going to change..."

A few days ago she had ordered a new parachute. A gift to herself for her 50th jump. It was red and went very well with her blonde hair. Unfortunately, the Tinder crowd would have to wait for the parachute picture. As usual, the Post Office was still holding up the package.

She spent the first few hours at work doing what she always did. She checked some outstanding contracts, adding comments. Her golden rule: at least one note per page to justify her existence. Then she moved on to writing proposals. This was her favorite task. She could do it quickly, using templates she had dating all the way back to law school. Copy-and-paste time.

She was adding a few words to the last sentence of the document when she heard that happy sound indicating that a new e-mail had arrived.

FROM: advice@poczta-polska.pl
TO: kate.honest@mordor-inc.pl
SUBJECT: Poczta Polska S.A. Order update

Your package could not be delivered to the delivery address on October 27, 2015, because no one was at home. In order to obtain information regarding your shipment, click the link. You can pick up the shipment at the nearest Poczta Polska office by presenting the printed ADVICE NOTE: Your ADVICE NOTE

WARNING! If the package is not picked up within 7 days, a storage fee will be charged. After another 7 days, the package will be sent to the warehouse in Koluszki and destroyed or auctioned under supervision of a committee.

Kind regards, Poczta Polska.

"Damn. I should have picked the thing up," she thought. But then she remembered that a few days back the company hired her an assistant. "Wonderful. Someone else will stand in line for me."

She forwarded the message to her assistant, adding one sentence to appropriately prioritize the matter:

Yvonne, no one will hold it against you if you can't pick it up today, but I hope you can go to the post office ASAP.

What was Yvonne to do? She set aside the invoices she'd been assigned to pay online when the accountant called in sick and clicked the link to download Kate's claim note. Because ASAP means ASAP.

On the page that appeared, she immediately saw a large "View details" button. She clicked again to download the file named awizo.pdf. After saving the file on the disk, she opened it and printed the notice. She locked her computer screen just as IT had instructed her during her orientation.

What Yvonne didn't know is she had downloaded an awizo.pdf.pif file. PIF is a very interesting extension. Even if Windows has been configured to display file extensions, the PIF extension does not show up. The icon does not look like a PDF file, but icons are constantly changing. So who knows?

It was too late. Her computer was infected. The antivirus did not react because… there was no antivirus. To cut costs, Mordor Inc. had not renewed the license. The company calculated that it would be cheaper to train the employees about "bad file formats that cannot be opened in any circumstances." Still, PDF files were allowed…

It was almost lunchtime. To get to the post office as soon as possible, Yvonne couldn't let the elevator open for each of the building's 20 floors. She pressed both the "ground floor" and "close the door" buttons and held them down for three seconds. This trick enabled "fast travel mode." It was often used by security staff to get to the selected floor without stopping. It worked only on elevators made by OTIS, like this one.

Before the elevator got to the ground floor, malware known as VBKlip was installed on Yvonne's computer. It worked in a very simple way. If a bank account number appeared in the infected computer's clipboard, e.g. copied from an invoice, VBKlip changed it into another one. This way the victims were oblivious to the fact that by using copy and paste they were helping online criminals rob them.

* * *

"Let me explain it again. We don't have your package and we do not send emails to customers. This is Poczta Polska! Stamps and date-stamps are sacred! Any notice without a stamp is invalid. OK? Now, would you like to buy some Wite-Out or Exorcist Guide magazine? We have also candles."

Yvonne, who had waited in the line for 30 minutes, was not happy. But there was nothing she could do. She got back to the office and finished paying the invoices. An hour later the lights in her office suddenly turned off.

* * *

"You had a very simple task. Pay the invoices. How tough is that?" In the dark, the CEO looked more threatening than ever. "Rent. That's pretty important, in case you didn't notice. You see, Mrs. Yvonne, it's hard to work without power."

"But..." Yvonne started, but the CEO would not let her talk.

"You will now go down to the building's manager office and convince the building manager that we didn't mean to deceive him. And promise him that this time we were willing to pay on time. And do it quickly."

"But I paid all the invoices… I have confirmations here." Yvonne logged into the bank's website. But after entering the login and password, she saw a message: her computer was likely infected. The bank had cut off access for security reasons.

"Hmmm," she said. "One of the accounts she paid must have been marked as 'suspicious' by the bank."

IT came and quickly confirmed the infection. A quick phone call to the bank dispelled any doubts. The money had already gone and could not be recovered.

To make matters worse, in addition to VBKlip, another Trojan had been discovered that targeted credit card numbers. Yvonne had written the company's credit card data in a text file so she could easily paste it into other sites. The Trojan had located the file, and the credit card number had been immediately put up for sale on a carder forum. The credit limit (PLN 20,000) had been used up in just one hour to purchase electronics...

Yvonne was heartbroken. To cover all the losses, it would be PLN 75,000, out of her own pocket. With tears in her eyes, she began searching online for similar cases of theft. She wished she had found the article that warned against such attacks and explained how to safely perform money transfers earlier, before it was too late.

* * *

Kate felt partly responsible for Yvonne's troubles. After all, she told Yvonne to print the fake mail claim. So she decided to do what lawyers do. After many phone calls to the bank, she obtained information about the accounts and banks the money went to. Another batch of calls ensured that the money was blocked on dummy accounts. It was a matter of time before it would be returned to Mordor's account.

She did not have much trouble recovering the funds from the credit card, either. Kate decided to use an effective, though little-known chargeback procedure offered by banks in cooperation with payment organizations. She simply had to ask an agent to send the appropriate form, in which she would describe the circumstances of the event and indicate fraudulent transactions on the bank statement.

After several days, the money would be back in Mordor's account -- but all the whiskey would be gone.
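The clipboard swap in the story, seen from the payer's side, as an added example that is not part of the original post: a replaced account number is still a well-formed one, so a checksum test on the pasted value passes and only a comparison with the number on the invoice catches it. The sketch assumes the 26-digit Polish account format with IBAN mod-97 check digits; the account numbers are constructed and the function names are hypothetical.

```python
import re

def nrb_check_digits(bban: str) -> str:
    """Check digits for a 24-digit Polish BBAN (IBAN mod-97 scheme)."""
    # Country code PL maps to 25 and 21; "00" stands in for the check digits.
    return f"{98 - int(bban + '252100') % 97:02d}"

def normalize(account: str) -> str:
    """Drop spaces, dashes and an optional PL prefix."""
    compact = re.sub(r"[\s-]", "", account.upper())
    return compact[2:] if compact.startswith("PL") else compact

def is_valid_nrb(account: str) -> bool:
    """True for 26 digits whose first two are the correct check digits."""
    nrb = normalize(account)
    if not re.fullmatch(r"[0-9]{26}", nrb):
        return False
    return nrb[:2] == nrb_check_digits(nrb[2:])

def check_transfer(invoice_account: str, form_account: str) -> str:
    """Compare the number in the transfer form with the one on the invoice."""
    if not is_valid_nrb(form_account):
        return "invalid-checksum"   # typo or truncated paste
    if normalize(form_account) != normalize(invoice_account):
        return "mismatch"           # well-formed, but not the invoiced account
    return "ok"

def make_nrb(bban: str) -> str:
    """Build a well-formed sample number from 24 made-up digits."""
    return nrb_check_digits(bban) + bban

# Constructed sample data: neither number belongs to a real account.
INVOICE = make_nrb("123456780000000000000001")
SWAPPED = make_nrb("876543210000000000000002")

if __name__ == "__main__":
    print(check_transfer(INVOICE, "PL " + INVOICE))     # ok
    print(is_valid_nrb(SWAPPED))                        # True
    print(check_transfer(INVOICE, SWAPPED))             # mismatch
    print(check_transfer(INVOICE, INVOICE[:-1] + "9"))  # invalid-checksum
```

The invoice number has to come from a source the clipboard never touched, such as the printed invoice or a saved payee record, or the comparison checks the swapped value against itself.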

November 17, 2015
Mikko Hypponen, Leo Laporte, Triangulation

F-Secure Chief Research Officer Mikko Hyppönen sat down on Monday for a video chat with renowned tech journalist and broadcaster Leo Laporte on Triangulation.

Laporte has admired Mikko and F-Secure from afar for more than twenty years, the host explained. So this first talk gave the two IT stalwarts a chance to talk over Mikko's nearly quarter century of work at F-Secure -- which he joined as a coder in 1991 when we were still known as Data Fellows.

You can watch the whole interview below or download the audio here:

https://www.youtube.com/watch?v=Cpg-5NO9oS8

The whole show is worth your time but to get ready to mark Mikko's silver anniversary at F-Secure, we thought we'd pull out some interesting lessons he's learned in more than two decades of tangling with digital threats.

Driving a forklift -- Mikko's job before joining F-Secure -- has one big advantage over being an internationally known virus hunter. Once you're done with work for the day, you don't think about your job at all. Mikko told Leo that being Chief Research Officer at a company that protects hundreds of millions of computers doesn't give you that luxury.

Some early malware creators went on to some very interesting things. Mikko told Leo about his trip to Pakistan to meet the two brothers who wrote the first PC virus more than 25 years ago, which you can watch below. Basit Farooq Alvi and Amjad Farooq Alvi wrote the program for what they saw as a legitimate purpose -- preventing copyright infringement. Today the brothers along with a third brother run a successful telecommunications business. Robert Tappan Morris -- the creator of the Morris worm, the first computer worm -- is a member of the Computer Science faculty at MIT and a partner in Y Combinator, which helps launch tech startups.

https://www.youtube.com/watch?v=lnedOWfPKT0

His number one security tip? Back up your stuff. "Back up your computer, your iPad, your phone. And back it up so you can access it even if your house burns down."

The numbers when it comes to malware are huge. F-Secure Labs receives about 350,000 malware samples a day, seven days a week. "The amount of new detections we build on those samples every day is usually around 10,000... 20 [thousand] on a bad day."

Mobile malware isn't a big problem -- except, perhaps, in China -- because Android and iOS are very restrictive. "If you are a programmer, you cannot program on your iPad," Mikko explained. All apps that end up in the Play or App Store have to be approved by Google or Apple respectively. This model, which Mikko compares to the PlayStation and Xbox ecosystems, may be good for security, but it does have some negative consequences. "It's also a little bit sad in the sense that when you have these closed environments, it's sort of like converting the users from producers to consumers."

Mikko wrapped up the interview by explaining F-Secure's principles when it comes to protecting and respecting users' data: "We try to sell our products the old-fashioned way. You pay for it with your money, not your privacy."

Cheers,
Sandra

P.S.: For some bonus Mikko, watch a public lecture he gave this week at Estonian Information Technology College.

https://www.youtube.com/watch?v=UXSAaVx2EOo&w=560&h=315

October 15, 2015