Follow me on:

latest posts from Sandra@F-Secure

Cartoon, online banking, online crime

This is the seventh in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. "If I weren’t a lawyer, I probably wouldn’t have survived today”, Kate thought, as she opened a bottle of whiskey. She had earned it. It was a hard day, a disaster. Well, not a total disaster. When she had closed down her law firm and joined Mordor, Inc., she thought she would finally get a little peace of mind… She could not have been more wrong. * * * [The same day, 12 hours earlier] As every morning, she got into her white BMW slightly late and drove to work through the city streets. Caught in the traffic jam, she had time to do the makeup and swipe through some photos on Tinder. “I can't wait to add my skydiving picture and fill in my height,” she thought. “My profile is too polite and too boring. But that's going to change...” A few days ago she had ordered a new parachute. A gift for herself her 50th jump. It was red and went very well with her blonde hair. Unfortunately, the Tinder crowd would have to wait for the parachute picture. As usual, the Post Office was still holding up the package. She spent the first few hours at work doing what she always did. She checked some outstanding contracts, adding comments. Her golden rule: at least one note per page to justify her existence. Then she moved on to writing proposals. This was her favorite task. She could do it quickly, using templates she had dating all the back to law school. Copy-and-paste time. She was finishing adding few words the last sentence of the document when she heard that happy sound indicating that a new e-mail had arrived. FROM: TO: SUBJECT: Poczta Polska S.A. Order update Your package could not be delivered to the delivery address on October 27, 2015, because no one was at home. In order to obtain information regarding your shipment, click the link. You can pick up the shipment at the nearest Poczta Polska office by presenting the printed ADVICE NOTE: Your ADVICE NOTE WARNING! If the package is not picked up within 7 days, a storage fee will be charged. After another 7 days, the package will be sent to the warehouse in Koluszki and destroyed or auctioned under supervision of a committee. Kind regards, Poczta Polska. "Damn. I should have picked the thing up," she thought. But then she remembered that a few days back the company hired her an assistant. “Wonderful. Someone else will stand in line for me.” She forwarded the message to her assistant, adding one sentence to appropriately prioritize the matter: Yvonne, no one will hold it against you if you can’t pick it up today, but I hope you can go to the post office ASAP. What was Yvonne to do? She set aside the invoices she'd been assigned to pay online when the accountant called in sick and clicked the link to download Kate's claim note. Because ASAP means ASAP. On the page that appeared, she immediately saw a large “View details” button. She clicked again to download the file named awizo.pdf. After saving the file on the disk, she opened it and printed the notice. She locked her computer screen just as IT had instructed her during her orientation. What Yvonne didn't know is she had downloaded an awizo.pdf.pif file. PIF is a very interesting extension. Even if Windows has been configured to display file extensions, the PIF extension does not show up. The icon does not look like a PDF file, but icons are constantly changing. So who knows? It was too late. Her computer was infected. The antivirus did not react because… there was no antivirus. To cut costs, Mordor Inc. had not renewed the license. The company calculated that it will be cheaper to train the employees that “bad file formats that cannot be opened in any circumstances." Still PDF files were allowed… It was almost lunchtime. To get to the post office as soon as possible, Yvonne couldn't let the elevator open for each of the building's 20 floors. She pressed both the “ground floor” and “close the door” buttons and held them down for three seconds. This trick enabled “fast travel mode.” It was often used by security staff to get to the selected floor without stopping. It worked only on elevators made by OTIS, like this one. Before the elevator got to the ground floor, malware known as VBKlip was installed on Yvonne’s computer. It worked in a very simple way. If a bank account number appeared in the infected computer's clipboard, e.g. copied from an invoice, VBKlip changed it into another one. This way the victims were oblivious to the fact that by using copy and paste they were helping online criminals rob them. * * * “Let me explain it again. We don’t have your package and we do not send emails to customers. This is Poczta Polska! Stamps and date-stamps are sacred! Any notice without a stamp is invalid. OK? Now, would you like to buy some Wite-Out or Exorcist Guide magazine? We have also candles”. Yvonne, who had waited in the line for 30 minutes, was not happy. But there was nothing she could do. She got back to the office and finished paying the invoices. An hour later the lights in her office suddenly turned off. * * * “You had a very simple task. Pay the invoices. How tough is that?” In the dark, the CEO looked more threatening than ever. “Rent. That's pretty important, in case you didn't notice. You see, Mrs. Yvonne, it's hard to work without power”. “But...” Yvonne stared, but the CEO would not let her talk. “You will now go down to the building’s manager office and convince the building manager that we didn't mean to deceive him. And promise him that this time we were willing to pay on time. And do it quickly." “But I paid all the invoices… I have confirmations here." Yvonne logged into the bank's website. But after entering the login and password, she saw a message: her computer was likely infected. The bank had cut off access for security reasons. "Hmmm," she said. "One of the accounts she paid must have marked as 'suspicious' by the bank." IT came and quickly confirmed the infection. A quick phone call to the bank dispelled any doubts. The money had already gone and could not be recovered. To make matters worse, in addition to VBKlip, another Trojan had been discovered that targeted credit card numbers. Yvonne had written the company’s credit card data in the text file so she could easily paste it into other sites. The Trojan had located the file, and the credit card number had been immediately put up for sale on the carder forum. The credit limit (PLN 20,000) has been used up in just one hour to purchase electronics... Yvonne was heartbroken. To cover all the losses, it would be PLN 75,000, out of her own pocket. With tears in her eyes, she began searching for similar cases of theft on the online. She wished she had found the article that warned against such attacks and explained how to safely perform money transfers earlier, before it was too late. * * * Kate felt partly responsible for Yvonne’s troubles. After all, she told Yvonne to print the fake mail claim. So she decided to do what lawyers do. After many phone calls to the bank, she obtained information about the accounts and banks the money went to. Another batch of calls ensured that the money was blocked on dummy accounts. It was a matter of time before it would be returned to Mordor’s account. She did not have much trouble recovering the funds from the credit card, either. Kate decided to use an effective, though little-known chargeback procedure offered by banks in cooperation with payment organizations. She simply had to ask an agent to send the appropriate form, in which she would describe the circumstances of the event and indicate fraudulent transactions on the bank statement. After several days, the money would be back in Mordor's account -- but all the whiskey would be gone.  

November 17, 2015
Mikko Hypponen, Leo Laporte, Triangulation

F-Secure Chief Research Officer Mikko Hyppönen sat down on Monday for a video chat with renowned tech journalist and broadcaster Leo Laporte on Triangulation. Laporte has admired Mikko and F-Secure from afar for more than twenty years, the host explained. So this first talk gave the two IT stalwarts a chance to talk over Mikko's nearly quarter century of work at F-Secure -- which he joined as a coder in 1991 when we were still known as Data Fellows. You can watch the whole interview below or download the audio here: [youtube] The whole show is worth your time but to get ready to mark Mikko's silver anniversary at F-Secure, we thought we'd pull out some interesting lessons he's learned in more than two decades of tangling with digital threats. Driving a forklift -- Mikko's job before joining F-Secure -- has one big advantage over being an internationally known virus hunter. Once you're done with work for the day, you don't think about your job at all. Mikko told Leo that being Chief Research Officer at a company that protects hundreds of millions of computers doesn't give you that luxury. Some early malware creators went on to some very interesting things. Mikko told Leo about his trip to Pakistan to meet the two brothers who wrote the first PC virus more than 25 years ago, which you can watch below. Basit Farooq Alvi and Amjad Farooq Alvi wrote the program for what they saw as a legitimate purpose -- preventing copyright infringement. Today the brothers along with a third brother run a successful telecommunications business. Robert Tapan Morris -- the creator of Morrisworm the first computer worm -- is a member of the Computer Science faculty at MIT and a partner in Y Combinator, which helps launch tech startups.[youtube] His number one security tip? Back up your stuff. "Back up your computer, your iPad, your phone. And back it up so you can access it even if your house burns down." The numbers when it comes to malware are huge. F-Secure Labs receives about 350,000 malware samples a day, seven days a week. "The amount of new detections we build on those samples every day is usually around 10,000... 20 [thousand] on a bad day." Mobile malware isn't a big problem -- except, perhaps, in China -- because Android and iOS are very restrictive. "If you are a programmer, you cannot program on your iPad," Mikko explained. All apps that end up in the Play or App Store have to be approved by Google or Apple respectively. This model, which Mikko compares to the PlayStation and Xbox ecosystems, may be good for security, but it does have some negative consequences. "It's also a little bit sad in the sense that when you have these closed environments, it's sort of like converting the users from producers to consumers." Mikko wrapped up the interview by explaining F-Secure's principles when it comes to protecting and respecting users' data: "We try to sell our products the old-fashioned way. You pay for it with your money, not your privacy." Cheers, Sandra P.S.: For some bonus Mikko, watch a public lecture he gave this week at Estonian Information Technology College. [youtube]

October 15, 2015
Hillary Clinton, email scandal, phishing scam

This email was one of five phishing scams found in the 6,400 pages of Hillary Clinton's emails released on Wednesday. While there's no confirmation that former First Lady fell for the scam, her political opponents are using it to attack her for the security risks of the unconventional private server she used while in office -- even though a recent report found that 1 of 7 emails received on official U.S. Defense Department servers were either spam, phishing or other malware attacks. Receiving such attacks is inevitable. Cyber criminals have long known that one the best ways to hack into something is to simply ask you for the password. This technique has long relied on the fact that most of are used to entering our credentials so if a site looks trustworthy enough, we'll just type our credentials. From there, the bad guys can use these keys to unlock our digital life. As we've become more savvy in recognizing untrustworthy emails like the one above, criminals have taken advantage of our growing desire to share information about ourselves online to pioneer a more advanced technique called "spear phishing," which usually arrives in the form of a personalized email from an person or business you have a relationship with. This sort of attack was pioneered to hack high-value targets like Clinton. The Russian-backed Dukes group used this method in its 7-year campaign against western interests and others. In our Business Insider blog, Eija offers an inside look at how the CEO of a Finnish startup was the victim of an attempted spear phishing. "However, anyone can be a target..." Eija explains. And if you work in the U.S. government your chances of being hit with a very personalized attack have greatly increased as a result of the recent hack of the Office of Personnel Management. “Every bit of my personal information is in an attacker’s hands right now,"Paul Beckman, the Department of Homeland security’s chief information security officer, said at the Billington Cybersecurity Summit in September. "They could probably craft my email that even I would be susceptible to, because they know everything about me virtually.” Beckman said he regularly sends fake phishing emails to his staff to see if they fall for them, and “you’d be surprised at how often I catch these guys.”' Getting caught results in mandatory security training. But even after two or three rounds of instruction, the same people still fall for similar scams. “Someone who fails every single phishing campaign in the world should not be holding a [top secret clearance] with the federal government,” he said. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.” Beckman said he has proposed that those who prove they cannot detect a scam be stripped of their clearance, which could limit their career possibilities or even cost them a job. If you're the CEO of a startup, you recognize that security of your business is essential to your success. But if you're just an employee, your incentives for protecting intellectual property are nowhere as strong. Criminals only need one victim to make one mistake to succeed. So what are employers to do when education just isn't good enough? How about positive reinforcement for those who successfully avoid a scam? The truth is we're all only as secure as our training and focus. Organizations need to work on the best methods for developing both. Whether it's at work or at home or in the U.S. State Department, you're likely to be faced with a phishing attempt before long. Here's basic guidance from Eija on how to avoid being hooked: Be vigilant when entering your password anywhere Enable two-factor authentication Use Google’s built-in Security Checkup and Privacy Checkup tools Periodically review forwarding and mail filter settings, Connected apps & sites, Devices and Activities, shared files Disable POP and IMAP access if you don’t need them for a desktop or mobile client Cheers, Sandra

September 29, 2015
The Dukes, Russian cyber attacks, ATP attacks, Russian hackers

Much of the world woke to headlines Thursday morning featuring revelations from a new F-Secure whitepaper on an advanced-persistent threat (ATP) group known as “the Dukes”. In our News from the Labs blog, Labs researcher Artturi Lehtiö wrote: We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The reports note that the targets include many entities that the Russian government isn't particularly friendly with: "The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.” The Verge's Russell Brandom walked through the evidence that led to the Labs' conclusion that the attacks are likely Russian-backed: "A Russian-language error message was found within one part of the code base, and the group operating the programs seemed to act largely within working hours on Moscow time — suggesting the group was Russian, although not necessarily aligned with the Russian government. From there, F-Secure looked at the group's targets and apparent resources. Duke's growth suggested a steady flow of resources aimed at a string of government-related targets: embassies, parliaments, and ministries of defense. Notably, the group never targeted the Russian government. Even after security firms made their activities public, the Duke group didn't change tactics, suggesting they weren't concerned about being apprehended." ArsTechnica's Sean Gallagher explicated the evidence and noted the Labs' conclusion, "Such an organization operating in Russia would most likely require state acknowledgement, if not outright support." Artturi explained to Brandom that recent attacks on White House and the State Department appear to be linked the attacks detailed in his report: "The US State Department and White House are both the type of organizations that we know the Dukes primarily target. Based on what has been reported in the news, we believe it is possible that the Dukes are also behind the recent compromises of the State Department and the White House." Jarno Limnell, a professor of cybersecurity at Finland's Aalto University,told the International Business Times' David Gilbert that he fears that if this report is true, escalation is inevitable: "Losing digital information is so important for a society's competitiveness, I think we are not far from the situation where response to cyberespionage will be physical." "It is, of course, the most recent in a long line of reports linking Russia to significant cybercrime," Gizmodo's Jamie Condliffe wrote. "How it’s stopped remains anyone’s guess." We, of course, are not so pessimistic. NBC News' Arjun Kharpal highlighted described the somewhat sophisticated social engineering used to mask the infection: "The Duke group mainly uses 'spear-phishing' to attack victims – a tactic that involves sending an email with a malicious web link. Often the group would use decoys – image files or videos – to distract a victim during the infection process and malicious activity taking place. In one instance, a video of a TV commercial showing monkeys at an office was sent." Advanced threats are most likely to target organizations that are protecting high value data. Generally, but not always, these groups, especially governments, have the resources in order to prevent easy access to hackers. In our Business Insider blog, Eija wrote: "It is clear that educating employees is one very important tool in trying to fight spear-phishing campaigns such as these. Employees exposed to threats of phishing and watering holes need to understand these risks, and to learn to recognize the most common tactics employed to distract the user. These employees also need to have the best protection against phishing and watering hole attacks, and so organizations need to make sure they’re providing security strong enough to mitigate these kinds of attacks." F-Secure Cyber Security Advisor Erka Koivunen notes that smart security can prevent many risks: Why use macro-enabled Office documents that the recipient is just expected to accept, or PDF files that include JavaScript for no obvious reason? Cutting down on these types of insecure practices would easily help minimize the attack surface available for the criminals.

September 17, 2015
graveyard, RIP Flash, Is Flash dead

The first day of September may go down in internet security history -- and not just because it's the day when F-Secure Labs announced that its blog, which was the first antivirus industry blog ever, has moved to a new home. It's also the day that Google's Chrome began blocking flash ads from immediately loading, with the goal of moving advertisers to develop their creative in HTML5. Google is joining Amazon, whose complete rejection of Flash ads also begins on September 1. "This is a very good move on Amazon’s part and hopefully other companies will follow suit sooner than later," F-Secure Security Advisor Sean Sullivan wrote in August when Amazon made its announcement. "Flash-based ads are now an all-too-common security risk. Everybody will be better off without them." Last month, Adobe issued its 12th update in 2015 for the software addressing security and stability concerns. An estimated 90 percent of rich media ads are delivered through Flash. Having the world's largest online retailer reject your ad format is a significant nudge away from the plugin. But it would be difficult to overstate the impact of Chrome actively encouraging developers to drop Flash. About 1 out of every 2 people, 51.74 percent, who access the internet through a desktop browser do it via Chrome, according to StatCounter. This makes it the world's most popular web interface by far.   Facebook's Chief Security Officer has also recently called for the end of Flash and YouTube moved away from the format by default in January. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely," F-Secure Senior Researcher Timo Hirvonen told our Business Insider blog. So what's keeping Flash alive? Massive adoption and advertisers. “Everyone in every agency’s creative department grew up using Adobe’s creative suite, so agencies still have deep benches of people who specialize in this,”Media Kitchen managing partner Josh Engroff told Digiday. “Moving away from it means new training and calibration.” And Flash does have some advantages over the format that seems fated to replace it. "HTML5 ads may be more beautiful, and are perceived to be more secure, but the files can be a lot larger than Flash," Business Insider's Laura O'Reilly wrote. In markets, stability can breed instability and it seems that our familiarity and reliance on Flash has resulted in unnecessary insecurity for our data. Has Flash hit its moment when its dominance rapidly evaporates? We can have hope. "I sincerely hope this is the end of Flash," Timo told us. Cheers, Sandra [Image by Sean MacEntee | Flickr]    

September 1, 2015
SMS premium text message, comic, angry boss

This is the fifth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Kamil left a business meeting and immediately took out his phone to call a client. During the conversation the device buzzed with an incoming text message. After Kamil unlocked the screen, a text popped up: “Thank you for activating the WEATHER TODAY service. You will be receiving a text message with the forecast three times a day. The daily cost of the service is one Euro. If you want to cancel your subscription, please text us ‘STOP.A133’ at 92590.” Nothing of this made any sense to Kamil. He had never activated any service on that phone. It was a company phone, he used only to contact clients. In any case, he didn’t need any weather forecasts. In order to save his company money, he quickly followed instructions from the text and cancelled the service. “Done!”, he thought and went back to his car to return to the head office of his firm, a consulting company. But this was only the beginning of his troubles... “Came to my office immediately”, read the email Kamil got from his boss Jacek two weeks later. “This must be about the contract with the bank that I finally closed,” thought Kamil and rushed upstairs to see his supervisor. “Are you out of your mind?! There an extra 500 Euro on top of your phone subscription fees because you’ve activated some extra services! You have everything you need to work, unlimited calls, online access. But I will not burn the firm’s money for some stupid extras!”, Jacek fumed. “Boss, I got a strange text about some weather forecast service, but I immediately blocked the subscription, I didn’t know there was any problem”, explained Kamil, surprised. He agreed to pay the fees out of his own pocket and immediately explain the whole situation. Jacek seemed to cool down a little, but promised that he would place a note on Kamil’s file if the issue wasn’t solved by the end of the month. “This time, I’m gonna keep it off-record, but I’m watching you”, the manager warned Kamil. Startled and confused, Kamil decided to do some online research about WEATHER TODAY. As he saw the first browser hits, he already knew he found what he was looking for. An article on a professional computer security portal reported that the activation message was a ruse used to wrangle money out of unaware recipients of the text message. It was precisely the STOP.A133 message that cost Kamil 500 Euro. He followed the article author’s advice and decided to install mobile security software that protects against spam. Having compared available options, he chose the best app from a reputable developer and never risked his job over an SMS message again. Is there anything you can do to protect yourself besides installing mobile security and not responding to unsolicited texts from unknown senders? "Some mobile operators will let you opt out of or disable billing through SMS messages," F-Secure Security Sean Sullivan explained. "It is very surprising to me that many businesses don’t demand bulk disabling by default for their employer provided plans." To get an inside look at business security, be sure to follow our Business Insider blog.

August 12, 2015
StageFright, stage fright, StageFright Android exploit

The Android vulnerability known as StageFright has revealed the Android operating system's "heart of darkness." In theory, a simple MMS could take over your phone. The F-Secure Labs is actively monitoring for threats that target the exploit. The good news is that while the theoretical risk of attack is high and Android is consistently the target of nearly all mobile malware, we have not seen any active attacks that target it yet. But this is still a huge event that should trigger a major reconsideration of Android security in general. Our Micke explained: Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! The ability to keep software updated is the essential task that makes security possible. Android's adaptability has helped lead to its remarkable growth. But it's also led to remarkable fragmentation in the ecosystem. "Recent data from Google suggests there are 6 different versions of Android that are widely used, with KitKat (Android 4.4) being the most popular. But it’s used by less than 40% of devices," Adam wrote on the F-Secure Business Insider blog. "The remaining 60% or so are spread out among the other five versions of the OS, and each is customized differently and receives varying levels of support from operators and OEMs." Many users cannot update at all. "Apparently the best supported method of updating your Android phone is to buy a new Android phone," F-Secure Chief Research Officer Mikko Hypponen tweeted. Obviously that option isn't available to millions of Android users. "Fragmentation also has socioeconomic implications," the EFF's Cooper Quintin wrote. "Older and cheaper phones tend to run older versions of the Android operating system, and vendors often give up supporting them or updating the software running on them. On the other hand newer and more expensive phones tend to receive updates faster and more reliably (especially Google Nexus devices)." So what should you do until then -- besides update your OS if possible and run mobile security that targets threats that take advantage of exploits like StageFright? 1. Examine the app that handles your MMS messages. Check out your Android device's default messaging app or Google Hangouts.  Make sure to disable their automatic retrieve/fetching options. This will prevent automatic execution of potential exploits on any received messages. 2. Avoid viewing or opening any pictures or videos from untrusted sources. We'll keep you updated about this situation as it develops. Cheers, Sandra [Photo by Photo Cindy | Flickr]  

August 3, 2015