Sandra@F-Secure

Follow me on:

latest posts from Sandra@F-Secure

browser security, business security, banking trojan

This is the fourth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. It was only just past 1 pm, but Magda was already exhausted. She had recently fired her assistant, so she was now having to personally handle all of the work at her law office. With the aching pain in her head and monstrous hunger mounting in her stomach, Magda thought it was time for a break. She sat at her desk with a salad she had bought earlier that morning and decided she’d watch a short online video her friends had recently told her about. She typed the title in the browser and clicked on a link that took her to the site. A message popped up that the recording couldn’t be played because of a missing plugin. Magda didn’t have much of an idea what the “plugin” was, which wasn’t surprising considering that her computer knowledge was basic at best – she knew enough to use one at work, but that was pretty much all. It was the recently sacked assistant, supported by an outsourced IT firm, who took care of all things related to computers and software. A post-it stuck to Magda’s desk had been unsuccessfully begging her to install an antivirus program. “What was this about?”, Magda tried to remember. At moments like this, she regretted letting the girl go. After some time, she recalled that her assistant had mentioned something about a monthly subscription plan for some antivirus software to protect the computers, tablets and mobile phones. This solution, flexible and affordable for small businesses like Magda’s firm, had also been also recommended by the outsourced IT provider. Despite a nagging feeling that something wasn’t right, she clicked “install”. After a few seconds, the video actually played. Magda was very proud of herself: she had made the plugin thing work! A few days later, she logged into her internet banking system to pay her firm’s bills. As she looked at the balance of the account, she couldn’t believe her eyes. The money was gone! The transaction history showed transfers to accounts that were completely unknown to her. She couldn’t understand how somebody was able to break in and steal her money. The bank login page was encrypted, and besides that, she was the only person who knew the login credentials... At the bank she learnt that they had recorded a user login and transfer orders. Everything had been according to protocol, so the bank had no reason to be suspicious. The bank’s security manager suggested to Magda that she may have been the victim of a hacker’s attack. The IT firm confirmed this suspicion after inspecting Magda’s computer. Experts discovered that the plugin Magda had downloaded to watch the video online was actually malware that stole the login credentials of email accounts, social networking sites and online banking services. Magda immediately changed her passwords and decided to secure them better. She finally had good antivirus software installed, which is now protecting all of the data stored on her computer. She recalled that her bank had long been advising to do that, but she had disregarded their advice. If only she hadn’t... Her omission cost her a lot of money. She was happy, though, that money was all she lost. She didn’t even want to imagine what might have happened if any of her case or clients information had been compromised. That would have been the end of her legal career. "If you have to use dangerous plugins like Java to do banking, you can enable those in one browser and use it only for the banking stuff," F-Secure Director of Security Response Antti Tikkanen explains.​ To get an inside look at business security, be sure to follow our Business Insider blog.

July 28, 2015
business, security, software, usb drives

This is the third in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Tomasz was a finance graduate, fresh out of university. This wasn’t what he had dreamed of studying, but he expected to find a well-paid job afterwards. This is why he started working in a branch of a local cooperative bank. The job wasn’t very demanding. During the day he didn’t have to deal with many customers, which suited him just fine. It did annoy him a bit that his work computer was only connected to an internal network and not the Internet, as with every other computer in the bank. This protocol protected the system from unauthorised outside access, which is crucial for a bank. It also, however, meant that employees were not able to check their private email accounts or access newsfeeds on social networking sites. One day, Tomasz noticed his computer behaving in a strange way. The machine was slow and crashed repeatedly, not to mention the error messages flashing on his screen. It was of no use for work. Things got even worse when the monitor simply went dark. Despite trying numberous times, Tomasz couldn’t turn it on again. He didn’t want to waste his precious time so he called the IT department about the problem. It turned out that he wasn’t the only one. All of the computers at the bank had gone crazy. The branch had to be closed down for four hours. A ten-person IT team responded to the crisis, launching a backup system. After several hours they were able to restore all computers to working order. What had happened was that a virus had infected the network. The head of the IT department wanted to know whose computer was attacked first. An internal investigation revealed that the malware came from Tomasz’s machine and the source of the infection was one of the bank’s flash drives. A few weeks earlier, Tomasz had copied his holiday photos to the drive to show them to his colleagues. The virus entered the device’s memory when the photos were copied from Tomasz’s private laptop. He was quickly called into his boss’s office. Tomasz knew all too well that he had violated security protocol. He knew that he would be punished, but how harshly? In the end, Tomasz was officially reprimanded and a note was placed on his file. Considering that his negligence cost the bank several thousand euro, this was merely a slap on the wrist. However, because of his recklessness, Tomasz had endangered sensitive data stored in the bank’s system, not to mention his own future career. Your business can be smart enough to prevent your own Tomasz from causing you heartache. "Your network can be set up so only administrators can add new hardware," F-Secure Security Advisor Sean Sullivan explained. "And why shouldn't it be?" For more insight into how to keep your business safe, check out our Business Insider blog. Cheers, Sandra

July 22, 2015
hacking team, hack like a champion, why hacking team matters

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015
Wi-Fi security, Wi-Fi Hack, Wi-Fi VPN

Some are calling last year's hack of United States' Office of Personnel Management a "cyber Pearl Harbor," which is hyperbole. But it's definitely a disaster. The penetration of OPM's computer networks gives someone -- maybe China? -- access to the private data of millions of U.S. government employees, including clearance forms that may include details of these employee's most sensitive mental, physical and financial problems. And the worst part is the government's excuse for who's to blame for the hack. "I don't believe anyone is personally responsible," Office of Personnel Management director Katherine Archuleta said at a Senate hearing. "We have legacy systems that are very old." The U.S. government has been systematically starved of information technology advancements since the Office of Technology Assessment was shut down in the budget battle of 1995. So someone is definitely responsible if this was the result of the kind of systemic failure that the OPM's Inspector General has been warning about for years. But using old technology isn't unique to governments, though the U.S. government seems to specialize in it. Watch this video about a recent Wi-Fi experiment we conducted with penetration testing expert Mandalorian Security Services and the Cyber Security Research Institute: [protected-iframe id="c1d2fa70e39bc4719c0fceb59c88a3b0-10874323-9129869" info="https://www.youtube-nocookie.com/embed/qk2RPOBpZvc?rel=0" width="640" height="360" frameborder="0"] Most of us follow the basics of security. We keep our system and security software updated. Our passwords are strong and stored safely. Hopefully you even use separate browsers for financial transactions and basic surfing/networking. But how many of us -- including the UK politicians in this video -- assume we're secure on public Wi-Fi without taking security precautions. The hacks depicted in this experiment only took 3 hours to set up and once the equipment was in place, tablets and mobile phones could be hacked in less than 30 minutes. Sometimes as quickly as 5. The information that can be obtained this way isn't as damaging as the OPM attack but it's not negligible either. It includes: • Detailed browsing history • Internet phone calls – Voice Over Internet Protocol – recorded calls • Email accounts • All email history and contacts • Online financial services • Social media accounts • All social media data How could this affect the victim of a hack? If you're politician, profoundly. “So if someone hacked it and put out messages that were detrimental, horrible or whatever, it would be a very bad thing for me in my job," Mary Honeyball, a Labour MEP for London, said. "I think that the possibility that someone could put out an unauthorised communication before an election who just wants to cause trouble is really unacceptable." Getting fired for something you've said is bad. Losing your office or job for something you didn't say would be infinitely worse. There's also the possibility of private information being used for extortion, which has been suggested as a potential worse case scenario consequence of the OPM hack. Cybercrime is a numbers game and the numbers when it comes to Wi-Fi are astounding. The Wi-Fi Alliance suggests that 1 out of 4 homes globally run a Wi-Fi network. According to Strategy Analytics, some 800 million households worldwide will have adopted Wi-Fi by 2016. In your home you can take steps to secure your network with a WPA2 password. But there hundreds of millions of public Wi-Fi hotspots around the world. And most of them are not properly secured. What can you do about it? "People shouldn’t be afraid to use public Wi-Fi – it’s a fantastic service," our Security Advisor Sean Sullivan said. "But they must understand that there are risks and it is their responsibility to protect themselves. This is simply done using a piece of software called a Virtual Private Network (or VPN). For phones and tablets, these are available as an app. Our Freedome VPN will encrypt all data travelling from the device to the network, meaning that the hacker will steal nothing of use. Simply turning it on gives you the best protection you can possibly have to stay safe over public Wi-Fi, so you can focus on what you’re doing instead of worrying about staying safe.” To find out more about this hack, check out this podcast: [audio wav="https://fsecureconsumer.files.wordpress.com/2015/07/final-podcast-f-secure-politicians-hack.wav"][/audio] And you can also watch our first hack experiment on the dangers of public Wi-Fi. Cheers, Sandra [Image by Johan Viirok | Flickr]

July 9, 2015
money, burnt, online, internet, scams

There wouldn't be billions people online every moment of every day if everyone was getting scammed all the time. Online security is, in many ways, better than ever, as are the sites designed to attract our attention. But exploits and the crooks that want to exploit us still exist, enjoying advanced malware-as-service models proven to steal our data, time and money. And with the awesome number of people online, scams only need to work a tiny percentage of the time to make the bad guys rich. We're sure you're savvy enough to avoid most trouble. But for everyone else you know, here are 5 common scams to look out for. 1. Ransomware. This scam, which F-Secure Labs has been tracking for over 5 years, prospers because it offers incredible returns -- to the scammer. "It estimated it would cost $5,900 (£3,860) to buy a ransomware kit that could return up to $90,000 in one month of operation," the BBC reports. It works like this. You suddenly get a message saying that your files are being held and you need to pay a ransom to release them. Sometimes the scam pretends to be from a police organization to make them extra scary: Anonymous cyber-currencies like bitcoin have made the scam even more appealing. "That's what really enabled the ransomware problem to explode," our Mikko Hypponen said. "Once the criminals were able to collect their ransom without getting caught, nothing was stopping them." They really do take your files and they generally will give them back. Ironically, their reputation matters since people will stop paying if they hear it won't work. Mikko recommends four ways to defend yourself from this -- and almost every scam: Always backup your important files. Ensure software is up-to-date. Be suspicious of message attachments and links in email. Always run updated comprehensive security software. He adds, "Don't pay money to these clowns unless you absolutely have to." 2. Technical support scams. "In a recent twist, scam artists are using the phone to try to break into your computer," reports the U.S. Federal Trade Commission. "They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need." Never give anyone who calls you unsolicited your private information or access to your computer. As a matter a fact, don't do that even if the call is solicited. If you feel the call may actually important, ask who they are calling from and then contact the organization directly. For more tips visit the FTC site. 3. Facebook freebies. Free iPad! Free vacation! Free gift card! If it's free, it's on Facebook and it comes from someone you do not know or trust directly, assume it's a scam. At best it's a waste of your time, at worst it could end up costing you money. Unfortunately, there are only two things you can do to avoid these scams. Don't follow people who share crap like this on Facebook and don't click on things that seem too good to be true. "There is no way a company can afford to give every Facebook user a $25.00, $50.00 or $100.00 gift card," Facecrooks, a site that monitors these scams, reminds you. "A little common sense here tells you that something is way off base." So be suspicious of everything on Facebook. Even friends asking for money. 4. Loan scams. Scammers are smart. They know that the more a person is in financial need, the more desperate she or he becomes. For this reason, loans of various kinds -- especially mortgages that are in foreclosure -- are often lures for a scam. Once they have your attention, they may use a variety of tactics to dupe you, the FTC explains. They may demand a fee to renegotiate your loans for lower payments or to do an "audit" of what you're paying. It may even go far enough that they'll ask you directly or trick you into signing over your house to ease the pressure from your creditors. There are many warning signs to look out for. Keep in mind that if you're ever in doubt, the best step is to back off and seek advice. You can also tell the person you're going to get a second opinion on this from a lawyer. If the person you're dealing with insists that you not or freaks out in any other way, it's a good sign you're being taken. 5. Money mule scams. These scams are a variation on the 419 scams where a foreign prince asks you to hold money for him. All you have to do is wire him some first. But in this case you may actually get the money and be used as a tool of organized crime. A money mule illegally transfers money for someone in exchange for some of the take. Many law-abiding people get drawn into this crime while searching for jobs or romance, which is why your should stick to legitimate sites if you're seeking either of those things. Greed and the lure lottery winnings and inheritances is also used as a lure for potential victims. Trust is the most important thing on the internet. Anyone who trusts you too quickly with offers of money or love is probably scamming you. Cheers, Sandra [Image by epSos .de | Flickr]

June 24, 2015
insured, business security, cartoon

This is the second in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Peter came into work thinking, “Today is gonna be boring as hell. I can’t wait till my shift ends”. He couldn’t have been more wrong. One terrible password “Policy 2014” would soon turn his insurance agency upside down. Peter had been working in a 24/7 security centre for a couple of years. He was an IT security specialist and he thought that he’d seen it all. This illusion was shattered when he picked up the phone. “We have a problem. We are losing clients!” he heard through the receiver. He kept listening, though he had no idea how this applied to him. “I think someone might have broken into our sales system! He calls our clients whose contracts are soon to expire. Just before we have a chance to do so ourselves”, the caller complained. The situation was beginning to look serious, and confusing. The system had recently been updated to boost security. At first, the staff who drafted offers for sales reps were accused of leaking the information. It had to be them. They had full access to the system. However, after close monitoring of the system, these suspicions proved to be unfounded. A lead was discovered by sheer coincidence: someone tried to log into the internal sales system using the account of an employee who was currently on holidays. The situation required immediate action. Peter had to identify the exact time and place the system was hacked into through sales reps’ accounts. For this purpose he used a Network Monitoring System of his own design. Unfortunately, it didn’t shed much light on the matter. The login location shifted each time he scanned the system. What is more, these locations were often miles away from each other! Then he started to think like a detective – he decided to lay some bait for the hacker. He created a fake profile for a client whose contract was about to expire. A sales rep was to call him in exactly five days. However, Peter entered his own phone number in the client’s profile details. It only took three days for the hacker to bite. After a two-minute phone call, everything became clear enough. It turned out that the mysterious hackers were in fact employees of a distributor with whom Peter’s company had entered into a contract for the sale of its insurance policies. These suspicions were only made more certain when it was discovered that the company had recently recorded an increase in its sales of insurance products through the distributor. The investigation revealed that an employee from the IT department had facilitated the hacking. He confessed, and revealed that temporary passwords to the sales system were always the same (“Policy 2014”) and that hardly anyone ever changed them – this was enough to obtain customer account data. Finally, the situation was brought under control. The sales system was secured and sales specialists were properly trained in data and password protection techniques. However, the company’s image suffered. Although much effort was made to keep the case confidential, many clients grew concerned about the safety of their personal data. Nevertheless, it was the sales personnel who suffered the most as their commissions dwindled. For the latest on business security, be sure to visit F-Secure's Business Insider.

June 12, 2015
vulnerabilities holes software unpatched

Online criminals are in the business of finding holes -- holes in your software. "Pieces of software will always have vulnerabilities, and there will always be criminals creating exploits for those vulnerabilities," says F-Secure Senior Researcher Timo Hirvonen. "It's become a whole business model for these criminals, because the security patches that companies release basically expose the vulnerabilities in software. The criminals reverse engineer the patches to find vulnerabilities, and then they target those vulnerabilities with exploits they develop." Given that they spend all day thinking about how to get into your network and you spend all all day trying to run your business, they may have the advantage. But there is a lot you can do to make your data and customers safer. Our Security Advisor Sean Sullivan recently responded to questions we frequently hear from businesses trying to secure their IT infrastructure. He explained with what the most common vulnerabilities tend to be, the steps you can take to patch them and the biggest mistakes businesses make. Mobile apps and cloud systems allow employees to access documents, systems, data and other work product from anywhere, but always-on access comes with always-threatening security risks. What are the most significant of those risks? Always on and working from anywhere means more devices and a larger attack surface area. Even a diligent and tech-savvy person who is cautious about not opening a suspicious file can still be a victim of exploits, as these kits automatically take advantage of vulnerabilities in software that are commonly used by browsers and programs, such as Adobe Reader, Flash players, etc. More than half of what F-Secure is blocking these days are exploits, and they’re among the biggest threats to SMBs because people frequently don't update their software and this puts the business at greater risk. A Java plug-in update, for example, that people often ignore thinking it’s not a mission-critical application for their day-to-day activities can be the chink in the armor that lets in a malicious attack. Some of the exploit kits we're detecting are using exploits that have been detected and patched MONTHS ago, but the attackers are betting that many businesses haven’t updated their software, and their bets are paying off. What are the most important steps small and medium-sized businesses should take to protect themselves against those risks? The cybersecurity landscape is fluid so invest in sending your IT person to training seminars so he or she can learn more about protecting your users and network. Additionally, selecting a cloud-based security solution helps you and your employees not have to worry about updating plugins and applications. What are some of the biggest mistakes SMBs make in this area? They undervalue their data and content. Training documents for new hires, for example, aren’t mission critical to the business functioning, so it’s likely the business wouldn’t see it as valuable, but if they had to recreate all of those files from scratch, it would likely take a lot of time and resources, right? Thinking an attacker won’t go after certain items because it’s not important to them is the wrong mindset — they care about what’s important to you. Backup files in multiple locations — online and physical hard drives. Use a VPN to encrypt your communication and encourage or provide VPN applications for your employees to use on their work and personal devices. Lastly, keep your systems updated. Using a cloud-based security software that takes care of all that helps saves you time and money and lets you focus on your business and the professionals handle security. Our F-Secure Booster's premium version contains a software update feature that can you monitor their drivers and applications to keep them patched in protected. Our business products also feature Software Updater to keep software updated and safe from exploits. [Image by elineart | Flickr]

May 28, 2015
Welcome Mat Key Security

If you're in business, you have enemies -- and they're trying to get into your network. For-profit malware authors after baking information or files for extortion want in. Script-kiddies want in because mayhem is their game. And if you're large enough, criminals seeking data about your customers  for espionage want in too. "For instance, if you're a law firm," F-Secure Labs Senior Researcher Jarno Niemelä said in a recent webinar, "your clients might be interesting." And it's not just the clients of lawyers, who may be "interesting". He noted companies that specialize in car rental, car leasing, cleaning and catering all have customers that are attractive targets for your enemies. In order for an attack to be successful, the attacker must first get information about his or her targets. And the worst part is we may be letting our enemies in. Here are the 5 most common methods that is done: 1. Email. Spam is designed to hit anyone and only needs to work a tiny fraction of the time. A spear phishing attack was designed to get you. 2. Hacked websites. Like a lion hiding in a savannah, the best attackers infect a website you're likely to visit -- naughty and not naughty -- and wait for you to become their prey. 3. Search Engine Poisoning. Criminals target a specific search term and tries to drive an infected site up the Google rankings. 4. Traffic Injection. These more advanced attacks hijack your traffic and send it to a router controlled by the enemy. Once you've become the victim of a man-in-the-middle attack any web site you visit could be infected just for you. 5. Social engineering. What your enemy lacks in technical savvy, s/he could make up with the ability to fool you. 6. Affiliate marketing. Some criminals -- and intelligence agencies -- simply buy their victims in bulk. Jarno calls it "the digital slave trade". Of course, these aren't the only ways into your network. Jarno also explained how offline attacks through external drives, for instance, can provide access. But these are the six most likely ways your enemies will find their way in your network. And you should have some idea what they're up to, since their success depends on your mistakes. Cheers, Sandra    

May 19, 2015