
The IoT needs Vulnerability Research to Survive

F-Secure Senior Security Consultant Harry Sintonen appeared at Disobey last week in Helsinki to teach the audience a lesson in how attackers take advantage of insecure devices. Harry created the demonstration after he discovered several vulnerabilities in a QNAP network attached storage (NAS) device. And in order to verify that the vulnerabilities could be used to “hack” into the device, Harry developed a proof-of-concept exploit (a bit of code that uses vulnerabilities to compromise systems) that allows him to seize control of the vulnerable devices.

I won’t get into the technical details here (you can see Harry’s presentation below for the technical nuances). But basically, Harry’s proof-of-concept (POC) manipulates the device while it tries to update its firmware. This process was an easy target for Harry because of problems with how the device updates (such as not encrypting the update requests).

Harry’s POC allowed him to seize control of the device. He didn’t try to do anything more than that. But an attacker would. After seizing control of the device, an attacker could do things like access stored data, steal passwords, or even execute commands (for example, tell the device to download malware).

Sound serious? Well, the good news is that attackers would need to position themselves to intercept the update process before they can manipulate it. “The extra step is enough to discourage most opportunistic or low-skilled attackers,” said Janne Kauhanen, a cyber security expert with F-Secure.

But the bad news is that these kinds of problems are running rampant in internet-connected devices. In this case, Harry notified QNAP about these issues in February 2016. However, to the best of Harry’s knowledge, they’ve yet to release a fix (although QNAP claims to be working on one).

Vulnerability Research is Vital if we want to Secure the IoT

This isn’t Harry’s first time finding security issues in products. Last summer, he discovered a vulnerability in Inteno home routers that leaves them exposed to hackers. "It's ridiculous how insecure the devices we're sold are," Janne said at the time. "We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers – by everyone except hackers, who use the vulnerabilities to hijack Internet traffic, steal information, and spread malware."

Security researchers conduct these types of investigations because manufacturers and developers typically don’t have the resources available to do it on their own. And considering the global shortage of competent cyber security personnel, this shouldn’t come as a surprise.

That’s why companies (not just security companies) invest in vulnerability research. One way they do this is with “bug bounty” programs. Microsoft, Facebook, and many other well-known IT companies (including F-Secure) offer money to anyone able to uncover vulnerabilities in their products. In fact, a 10-year-old received 10,000 dollars for finding a vulnerability in Instagram last summer.

But sadly, most vulnerabilities go undisclosed until a user stumbles upon them. Or even worse, until an attacker gets caught using them to hack into devices.

IoT devices are spreading. And security issues are spreading with them. So make no mistake: if we’re to avoid the next Mirai outbreak, or something even worse, it’ll be because someone took the time to find and point out security problems before they’re attacked.

[Harry’s Disobey presentation: SlideShare embed]

[ Image by Tumitu Design | Flickr ]

January 17, 2017

The 5 Minute Guide™ to App Store Security and Privacy

Mobile devices have largely avoided the malware outbreaks that have plagued PCs for decades now for a simple reason -- app stores. Nearly all -- or even all -- the software that's on your phone or tablet now came through these official portals, where it endured some degree of vetting. But this doesn't mean it's impossible to have your security or privacy compromised by bad apps. Here's a quick run-through of the basics you need to know to keep the data on your mobile device safe and private.

1. Stick to the official app stores.

If you have an iOS device, you can only use the official App Store, unless you "jailbreak" your device and take your security into your own hands. Android users, however, have more freedom. And with freedom, there's a little danger.

"Anything ending in .apk might be malicious," Tom Van De Wiele, F-Secure Security Consultant, tells me. "So the official Google Play store is the only place you should get your apps." He offers a simple metaphor to remember this concept: "You don’t pick up shiny food from the street and put it in your mouth either, no matter what the promise is."

In case you missed the point: The Play store is the clean table -- everywhere else is the grimy, filthy floor.

2. ANDROID USERS: Make sure to block downloads from "Unknown sources".

"Phishing campaigns are focussing on providing .apk files to unsuspecting victims by email, SMS, MMS, Skype and other means," Tom says. He recommends you avoid these scams by blocking downloads from unknown sources. To do this, via iKidApps.com:

Navigate to your Android phone’s home screen.
Tap the Android "Menu" button.
Choose "Settings".
Open "Applications".
Make sure there is no green check mark next to the Unknown sources item. If there is a green check mark next to Unknown sources, disable the setting.

3. ANDROID AND IOS USERS: Don't assume that your apps have been vetted for privacy.

"It is not in Google’s interest to remove a lot of apps as they generate advertisement revenue for Google," Tom says, adding that the Play store doesn't do nearly as much vetting for malicious apps as the Apple iOS store does and instead opts for a “clean-up-as-you-go model." But that doesn't mean iOS apps are completely nuisance free.

"Apple has the 'walled garden' of trying to control what they can when it comes to their application eco-system," he says. "This does not take into account apps that invade your privacy by asking you, for example if the app can 'access the address book', which will result in sending the contents of the address book to a remote location."

You have to check the app permissions yourself to avoid these data-farming apps.

4. Look out for "bait ware."

Both app stores have been plagued by what Tom calls "bait ware". These are apps "where the user is fooled into generating a lot of advertisement revenue by randomly popping up ads, fake buttons and other arbitrary functionality." New parents need to especially be on the lookout for these apps. "This is especially prevalent in baby and toddler applications which look very enticing to download and try but are merely empty husks with interwoven advertisement."

Why do these apps prosper despite their dubious quality? Tom says, "Both Apple and Google are reluctant to remove them as it becomes a slippery slope on where to draw the line between sincere and malevolent behavior of an application."

5. "Walled gardens" aren't perfect solutions so check reviews and be suspicious of newer apps.

Google's approach invites malicious apps to occasionally appear in its store. Often they're imitations or clones of much more popular apps. This is much, much more rare in the iOS App Store, but it has happened. To preserve your security, privacy and disk space, do some basic due diligence and check the reviews to see if they seem real and offer some substantive testimony that the app is legit.
[Image by PhotoAtelier | Flickr]

January 17, 2017

5 Must-Read Online Privacy Articles from 2016

A great deal has happened within the online privacy sphere in the last 12 months. The subject has become a genuinely hot topic, and we have done our best to dissect relevant industry issues into an easily readable form while reporting directly from the eye of the storm, so to speak. Here are five essential reads to get you up to speed on the state of online privacy, VPN, and related topics.

An Open Letter to Businesses who Block VPN on Their Wi-Fi Networks

"Ultimately, allowing the use of VPN on your Wi-Fi hotspot is your call. However, if you truly care about your customers, don’t be in the minority of businesses that forces them to give up their online security and privacy while browsing on your network."

A Twitter user asked us a question that inspired our most viral article of the year, as well as the video response we produced as a follow-up. In the post and video, we emphasize the fact that companies end up shooting themselves in the foot by putting their customers’ security at risk. If you ever come across this consumer-unfriendly practice, we urge you to share the article and/or video! Read the full article here.

How Does Encryption Work?

“. . . It’s easy to forget that easy access to encryption greatly benefits even normal web users like you and me.”

Our widely shared article on encryption exhibits a 360-degree view on encryption, providing readers with an overview of its history and a straightforward explanation of how modern VPNs ingeniously work to protect your privacy. If you’re interested in learning what’s under the hood of online privacy, this article is for you.

4 People Who See What Porn You Watch

“A large majority of web users are lulled into a false sense of security by Incognito mode or private browsing, but this is only one of the steps needed toward becoming private online.”

Many things take place “behind the scenes” on the Internet – these are things that we can’t see and therefore don’t think about. This admittedly attention-grabbing headline was meant as a wake-up call to the fact that adult content browsing histories aren’t as private as most people would like to think. Read up on a few people who have access to your porn browsing history, as well as some quick tips that can help prevent snooping.

Privacy, Patriotism and PR: The Case of Apple vs. FBI

“In this debate, privacy, patriotism and public relations are just some of the factors influencing a public discourse that has shifted to reflect new and often clashing attitudes towards encryption.”

The Apple vs. FBI case was the Clash of the Titans between privacy players that dominated mainstream news outlets throughout the first half of 2016, with ripples that are sure to affect the dynamics between companies and governments for years to come. We made a conscious effort to explore the issue from every possible angle, and the article is still a very relevant read.

Why Do Newspapers Spy on You?

“The longer something on the Internet is free, the harder it will be to make people start paying for it.”

Who pays for a product that costs something to make but is free for the customer? In this article, we look at the idiosyncratic purchasing habits of modern web users and why these habits have led news websites and other services to sacrifice their visitors’ privacy in order to stay in business. This piece is good food for thought for all consumers of online news.

January 13, 2017

"I believe data is the new oil," F-Secure's chief research officer Mikko Hypponen says. "And just like oil brought us both prosperity and problems, data will bring us prosperity, and problems."

We're just beginning to understand how so-called "big data" is changing everything, even medical care. A new report from the Century Foundation reveals how the private information we share with practitioners gets anonymized and then mined. That information combined with metrics from search engines and wearables can then be melded for "predicative analysis" which is able to project behavior with “a surprising degree of accuracy," despite laws meant to protect medical privacy. Presumably these learnings could be used to make us healthier but they could also be used to deny us treatments or insurance coverage.

And while we worry about government surveillance, many of us voluntarily share our thoughts, pictures and intimate details about our lives with Facebook, which then purchases more information about us from third parties to make sure the ads we see are even more effective. Mikko has noted that Twitter connects our offline data to our profiles through our phone number. So when you share your mobile number for a proactive reason, such as activating two-factor authentication or account recovery, we're also feeding the data beast to make ourselves even more profitable to the sites we use.

And then there's the Internet of Things, which is coming into your home whether you like it or not. "You will buy whole appliances and you won't even know they are IoT appliances. I mean, you go and buy a toaster and there is an IoT feature... Why would you even need IoT features in a goddamn toaster?" Mikko asks. "But it's going to be online anyway. Why? Because it's going to be so cheap to put it online. And the benefits it creates are not benefits for you, the consumer, they're benefits for the manufacturer. Because now they can collect analytics."

Our Freedome VPN team has found that when it comes to connecting with free Wi-Fi, people are willing to give up almost anything -- even their first born.

Data. On one hand, prosperity and opportunity. On the other, problems and problems we haven't yet imagined. That's why controlling our personal information matters more than ever.

Data Privacy Day -- held annually on 28 January -- is an international effort to get people around the globe to think about the importance of controlling what we share. To mark the day, Mikko will be doing a Reddit IAmA on the day before -- 27 January -- where you can ask him anything, and our Freedome VPN team will be in the streets spreading the word about the importance of privacy.

To prepare you can read Mikko's recent Q&A session on Quora and feast on this playlist of dozens of talks and interviews he's given: https://www.youtube.com/watch?v=JAChQaySECY?list=PLkMjG1Mo4pKIRUqHj1eUMDqvV5a0o2CoS

January 12, 2017

Here's how to turn off Facebook's facial recognition, which will stop you from being automatically suggested for tagging in your friends' photos:

Log into Facebook and click on the lock in the upper right corner.
Click on "See More Settings".
In the left column click on "Timeline and Tagging".
Under "How can I manage tags people add and tagging suggestions?" find "Who sees tag suggestions when photos that look like you are uploaded?" and click "Edit". (NOTE: This feature may not be available in all countries.)
Select "No one".

Why would you want to turn off Facebook's facial recognition? The simple answer is you may not want pictures of you automatically identified and then tagged in pictures posted to the site, especially if you're picky about pictures. The more complex answer is that facial recognition is a little creepy and has the potential to get a lot creepier, fast. And this is at least something you can do to remind yourself of the new frontier of social media we're facing, whether we like it or not.

"On the Internet, nobody knows you're a dog" reads the caption for a classic 1993 New Yorker cartoon, and historians will likely have to note that it was drawn about a decade before Facebook was founded. Yes, Facebook knows if you're a dog -- or a cat.

In a post on Digital Inspiration, Amit Agarwal gives a quick explanation on how to see what Facebook's artificial intelligence "DeepFace" can see inside your pictures. With a few clicks, I found that if you post a picture like this: Facebook sees this:

The world's largest social media site has access to the greatest collection of photographs ever collected and they're learning from them all. It helps you tag your photos, which helps it deliver more content to your friends, which keeps people coming back to the site because we love pictures. There's nothing too creepy about that -- except, perhaps, the accuracy.

"According to the company’s research, DeepFace recognizes faces with an accuracy rate of 97.35 percent compared with 97.5 percent for humans -- including mothers," Bloomberg reported last year. Yes, Facebook is almost as good at recognizing your face as your mom is.

If you're a fan of the Netflix series Black Mirror, you may have seen the episode "Nosedive," which depicts the troubling aspects of the confluence of social media and facial recognition heightened to nightmarish Twilight Zone-esque extremes. The show ponders a future where our mobile devices recognize everyone we see through facial recognition that captures images through a contact lens. But the future is coming faster than you may think.

The app FindFace already searches a database of over 200 million people from the Russian social network Vkontakte to match faces with 70 percent accuracy. "Could someone do the same thing to Facebook?" Jonathan Frankle at The Atlantic asked himself. "Probably not." Facebook, Twitter, and Google have banned the “automated data collection” that makes it possible. "Although mimicking FindFace on the scale of the entire Internet is probably still beyond the realm of technical feasibility for the moment, it may not be impossible for long," he says. And then the days of being an anonymous "face in the crowd."

If this bothers you, you may want to stop encouraging Facebook to recognize you. And you may want to think twice about sharing your face all over the web.

UPDATE: A Finnish user has informed me that tag suggestions is not yet available for him. I'm not sure why that is or what this means about Facebook's data collection. F-Secure's Micke Albrecht wonders, "Could it be that Facebook doesn’t have enough face data on all users, and doesn’t present this setting to users it can’t detect?"

[Photo via Netflix.]

January 4, 2017

Headlines exploded last week after US authorities published a report examining Russia’s alleged attempt to undermine last year’s US Presidential elections. While the report’s value in terms of “exposing” Russian hacking is debatable (there was very little information that had not previously been reported in publications such as this report on The Dukes), the list of Russian individuals facing sanctions over their involvement in cyber attacks against the US highlighted the possibility that Russia might be employing “cyber privateers” to conduct cyber attacks on their behalf.

For those of you who don’t know, Evgeniy Mikhailovich Bogachev is the man behind the infamous GameOver Zeus botnet. GameOver Zeus was a massive criminal enterprise that was taken down in a joint effort in 2014. Bogachev, however, remains at large, with the FBI offering up to 3 million dollars for information leading to his capture.

The inclusion of a career cyber criminal on a list of sanctions created as a response to Russia’s cyber espionage activities highlights the role of private hackers working on behalf of Russian intelligence services (RIS).

“It’s possible that Bogachev, at some point, became involved in state-sponsored hacking as a sort of cyber privateer,” says F-Secure Security Advisor Sean Sullivan. “Using private contractors is pretty common when it comes to cyber attacks, and Bogachev’s capabilities as a career cyber criminal certainly make him an attractive recruit to anyone in need of black hat hacking services. RIS can easily benefit from what he does, as long as he doesn’t target anyone working with Russia.”

Privateer was a term coined in the 17th century to describe privately owned ships that were armed and conducted military operations on behalf of a country’s official navy. They weren’t paid directly by that nation, but they were allowed to benefit from their service by robbing or capturing their targets. Back then, robbing ships was considered piracy. But privateers got away with it because they were doing it on behalf of their government.

The term privateer fell out of fashion when the age of sail ended. But it’s a concept that seems to fit nicely with Russia’s hybrid warfare doctrine. It allows them to plausibly deny their official involvement if they can attribute hacking to online criminals, even while benefiting from what the criminals actually do.

And there is precedent for Russia employing cyber criminals to bolster their offensive cyber capabilities. A recent article in The New York Times tells the story of several hackers that Russian authorities have attempted to recruit, including one who claimed he was offered a position with the government as an alternative to serving a prison sentence.

So recruiting someone like Bogachev would be consistent with previous accounts from hackers approached to work on behalf of the Russian government. Not only that, but the fact that he’s seen as a hero in Russia makes it plausible that they would try to benefit from his profile, or at least turn a blind eye and protect him from prosecution.

“Bogachev wouldn’t need a lot of ‘handling’ from the state – he can create his own initiatives that simply reinforce espionage conducted by other state-sponsored groups like The Dukes and other APTs,” adds Sullivan. “Co-opting known criminals and disguising what they do as hacktivism creates confusion that can undermine evidence of state involvement. And these disinformation strategies are integral to not just Russia’s cyber espionage activity, but their entire approach to geopolitics over the last few years.”

[ Image by Mobilus In Mobili | Flickr ]

January 3, 2017

It's a story that's been told thousands, if not millions of times, already. One wrong click and bam! Files taken hostage by unbreakable encryption and there's nothing you can do but give up -- or pay the ransom.

There's a reason that cyber criminals who run ransomware offer customer support and are raking in cash in numbers that need to be measured in billions. And it's the same reason that 193 different ransomware families were discovered between May 2012 and May 2016, with an average of 15 new families identified each month during Q3 of 2016. The reason is simple: It works. So we're likely to see new iterations of the same threat adapted to spread more easily until it stops being so effective.

One of the keys to slowing this epidemic is... you. If you and the people around you are easy targets, criminals will keep cashing in on the same trick. As Melissa explained earlier this year, there are five ways to fight back against ransomware threats -- and they just happen to protect you from most online scams -- so let's review how to fight ransomware like your files depend on it, because they do:

1. Change your mind.

2. Fight forward -- with backups. The fight against ransomware begins with reliable backups of your files.

3. Keep all software up to date. Ransomware often exploits flaws in old software to edge in and take control of your files.

4. Beware of email, especially attachments. Be suspicious of links and attachments in emails. Remember, the post office and the IRS don't send ZIP files. And a document telling you to "Enable Content" is likely a trap.

5. Run reliable security software. Use software with a layered approach that can block known ransomware variants and new threats -- software like F-Secure SAFE, which you can try for free.

If you're reading this and you're already infected, F-Secure Labs has some recovery tips. But we're very sorry; there is no recovery process for ransomware that's as effective as prevention.

December 29, 2016

If you’re looking for a self-improvement project that doesn't require much effort to use as your New Year’s Resolution, start using a password manager. Seriously. At work and at home. Here’s why.

In his recent SecTor Talk, F-Secure Chief Research Officer Mikko Hypponen told the audience that about 30 percent of people only have one password. He also said that there’s no way this should be a problem in 2016. And he’s right. Using strong, unique passwords on critical accounts is #opsec 101 (opsec is jargon for keeping your information secure).

Some people are very conscious about protecting their information, and do things like hide their PIN codes while they enter them into bank machines or card readers. They do it so that even cameras can’t see what they’re doing. That’s smart given how important this information is. But some of these same people use one password for everything. And that’s never made sense to me. Why be so cautious when using point-of-sale devices or bank machines (both of which are often regulated and professionally maintained on a business premise), but so careless when setting up and taking care of accounts on their own?

Security software does wonders in protecting people from online threats. But it won’t protect your accounts against an attacker that has your password. And unless you were hiding under a rock in 2016, you probably heard about some of the record breaking data breaches that occurred, such as the recently disclosed Yahoo hack involving more than one billion stolen passwords (that’s on top of the 500,000,000 Yahoo reported stolen earlier in the year). Attackers can use these stolen passwords to take over online accounts by simply trying them with popular online services like Facebook, Google, Twitter, and so on. Automated tools make it easy for attackers to try large numbers of stolen credentials one after another until they access an account.

And if an attacker is able to access an account that you use to verify your identity with other online services (think about how many services you register with using an email address), they can use that access to systematically take over your other accounts. That’s basically how identity theft works now. And if they don’t feel like going through all that trouble themselves, they can always just sell the login credentials to other criminals. Groupon recently reported criminals were shopping on their website using login credentials stolen from other companies. And research conducted in 2016 found that 63 percent of confirmed data breaches were caused by weak, default or stolen passwords.

That means stolen login credentials are a big problem that affects your personal and professional life. So using a password manager is a great way to better yourself next year without having to work too hard for it. It makes using strong passwords much easier, which will pay off in terms of securing your online accounts. It’s also a lot less effort than committing to going to the gym on a regular basis for the next 52 weeks, so it won’t radically disrupt your daily life. F-Secure KEY is even free to use. You’re not going to find a more wallet-friendly way to improve yourself in 2017 than that.

And if you’re already using a password manager, you can check out these additional tips from security advisor Sean Sullivan if you want to make some other #opsec New Year’s Resolutions for 2017.

[ Image by Simon Doggett | Flickr ]
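The pattern the post describes, large numbers of stolen username/password pairs tried one after another from the same source, is what service operators call credential stuffing, and it leaves a recognisable trace in ordinary authentication logs: one address cycling through many different usernames with a high failure rate in a short time. The following is an added example, not code from the post or from F-Secure. It parses a constructed, simplified log format (`<timestamp> ip=<addr> user=<name> result=<ok|fail>`), flags source addresses that match that pattern inside a sliding window, and lists the accounts where a flagged source actually succeeded, since those are the logins an operator would want to force a password reset on. The window and thresholds are assumptions to tune for a real service.

```python
"""Credential-stuffing detection over authentication logs.

Added example; the log format, sample lines, and thresholds below are
constructed for illustration and are not taken from any real service.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: 198.51.100.7 walks through a list of stolen logins
# (one of them, dave, still works); 203.0.113.9 is one real user mistyping.
SAMPLE_LOG = """\
2016-12-28T10:00:01 ip=198.51.100.7 user=alice result=fail
2016-12-28T10:00:02 ip=198.51.100.7 user=bob result=fail
2016-12-28T10:00:03 ip=198.51.100.7 user=carol result=fail
2016-12-28T10:00:04 ip=198.51.100.7 user=dave result=ok
2016-12-28T10:00:05 ip=198.51.100.7 user=erin result=fail
2016-12-28T10:00:06 ip=198.51.100.7 user=frank result=fail
2016-12-28T10:00:07 ip=198.51.100.7 user=grace result=fail
2016-12-28T10:00:08 ip=198.51.100.7 user=heidi result=fail
2016-12-28T10:01:10 ip=203.0.113.9 user=alice result=fail
2016-12-28T10:01:25 ip=203.0.113.9 user=alice result=fail
2016-12-28T10:01:40 ip=203.0.113.9 user=alice result=ok
"""


def parse(log_text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that, within any `window`, tried at
    least `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.
    `compromised` lists accounts that accepted a login from a flagged source."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        users_in_window = Counter()   # username -> attempts inside the window
        fails = 0
        start = 0
        for end, ev in enumerate(events):
            users_in_window[ev["user"]] += 1
            fails += ev["result"] == "fail"
            # Slide the left edge forward until the window fits.
            while events[end]["ts"] - events[start]["ts"] > window:
                old = events[start]
                users_in_window[old["user"]] -= 1
                if users_in_window[old["user"]] == 0:
                    del users_in_window[old["user"]]
                fails -= old["result"] == "fail"
                start += 1
            attempts = end - start + 1
            distinct = len(users_in_window)
            if distinct >= min_users and fails / attempts >= min_fail_ratio:
                hit = findings.setdefault(
                    ip, {"distinct_users": 0, "attempts": 0, "fails": 0})
                hit["distinct_users"] = max(hit["distinct_users"], distinct)
                hit["attempts"] = max(hit["attempts"], attempts)
                hit["fails"] = max(hit["fails"], fails)

    # A success from a flagged source is a stolen credential that still works.
    for ip, hit in findings.items():
        hit["compromised"] = sorted(
            {e["user"] for e in by_ip[ip] if e["result"] == "ok"})
    return findings


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {hit['distinct_users']} usernames, "
              f"{hit['fails']}/{hit['attempts']} failed, "
              f"accounts to reset: {hit['compromised']}")
```

The legitimate user at 203.0.113.9 fails twice before logging in but is never flagged, because the rule keys on the number of distinct usernames from one source rather than on failures alone; a plain "too many failures" rule would lock out real users while a stuffing run that spreads its attempts across many accounts stays under the per-account limit.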

December 28, 2016