This time of the year is always interesting. It is the time when Labs looks back on the past half-year to summarize what has happened in the threat landscape. I can proudly announce that the report for H2 2012 has been published and is free for you to download and read!
The report is once again packed with highly interesting reading on the threats that we all face when using the net. And this report is not just a repetition of what has been published in the media. A compilation like this makes it easier to spot the trends and the big picture. Thanks guys for putting it all together! And of course for the continuous research effort that it is based on. (I’m not going to list all the names here, the full list of contributors can be found in the report.)
Here’s some teasers…
Botnets. ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. Read more about ZeroAccess and botnets in general at page 15 – 20.
Exploits. Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems. Learn more about exploits at page 25-27.
Banking trojans. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Browse to page 21-24 to read how the traditional way to rob a bank has become hopelessly old-fashioned.
The web. Common sense is still important when surfing, but it is becoming increasingly difficult to spot the dangerous places. Ad-networks are integrated in an increasing number of sites and can distribute malware through web portals that should be trustworthy. More about the web’s dangerous places at page 28-31.
Mobile devices. Did you know that there is malware on all commonly used mobile platforms? But Android has the questionable honor to lead the pack, and the others are far behind. The full story is on page 35-37.
The threat report covers all this and a lot more. Why not make sure that you are up to date on the threat scenario by continuing to the report. It is highly recommended reading.
A little iPhone history was made this month -- a iOS device was infected by just clicking on a link. This sort of attack had previously only worked on devices where the owner had purposely installed a "jailbreak" hack. So before you do anything -- even read the rest of this post -- you should update your iOS software to the latest version of iOS 9, or iOS 10 beta, which has some nice new privacy features. Here's how this historic attack happened, according to The Verge: Earlier this month, an Emirati human rights activist named Ahmed Mansoor got a suspicious text. It promised new details of torture in the country’s state prisons, along with a link to follow if he was interested. If Mansoor had followed the link, it would have jailbroken his phone on the spot and implanted it with malware, capable of logging encrypted messages, activating the microphone and secretly tracking its movements. To our cyber security advisor Erka Koivunen, this is a glaring example of a threat that is not "advanced" -- as in APT, advanced persistent threat. Think about what goes into a real APT. "They do reconnaissance properly and understand what the victim is susceptible to. They have good timing and only create visible noise when it suits their interest," he told us. "And they have a plan B ready in case someone starts snooping their activities." Here, the the most exploitable iPhone vulnerability ever known has now been exposed and patched -- for what? It's a bit baffling to Erka who compares it to throwing "expensive exploits at this guy like kids throwing rocks." You just don't see zero-day vulnerabilities like this -- especially on what had been one of the more secure platforms available -- that often. This has some security researchers thinking: Perverse incentives: Should I take up political activism so I get more interesting 0day sent my way? /me wonders — halvarflake (@halvarflake) August 26, 2016 //platform.twitter.com/widgets.js So, if you haven't already, update now. And if you're involved in politics in *any way* whatsoever, realize that someone will try to hack you -- sooner or later. So beware of those links in strange texts and email attachments in general. [Image by Sean MacEntee via Flickr]
This is really an old problem, but it’s in the headlines again. Pokémon Go is yet another example of a “free” game with a business model based on in-app purchases. These games are also known as F2P, standing for free-to-play. You can start playing, and get hooked, for free. But soon you run into a situation where you can’t proceed without buying virtual stuff in the game. The stuff you buy is virtual but the payment is very real money. This is no doubt a profitable model. Pokémon Go went straight to the top and for example Finland-based Supercell, maker of Clash of Clans, has constantly reported nice profits. This can naturally cause trouble for addicted adults, but the real problems arise when kids get hooked. There are numerous public stories about kids making purchases for hundreds or even thousands of Euros, often without even understanding how much they have spent. And the sinister part is that this can go on for a while until you get the credit card bill, and it’s too late. Your chances to get a refund are somewhere between slim and none. But how can this happen? Let’s take a look at the most common scenarios. Your kid has set up the new device and created the needed account with Apple or Google. Everything is fine until he or she needs an app that isn’t free. You enter your credit card on the kid’s device and make the purchase, but you don’t pay any attention to the security settings. This may give your kid carte blanche to buy anything he or she likes, and you pay the bill. You have entered your credit card but set up the kid’s store account so that a password only you know is required for every purchase. But there are some convenient settings that allow purchases without a password within a limited time window after the password has been entered. Kids learn very quickly to utilize this opportunity. Let’s assume the same setup as in the previous point, but with the correct security settings. Now the password is needed for every purchase. But the store account is still owned by the kid and the password can be reset. The password reset link will be sent to the kid’s mail or phone number. It’s carte blanche again with the new password. Ok, you create an account you own for the kids phone. It’s tied to your mail and phone number, so the password reset trick shouldn’t work anymore. You put down your phone and head for the toilet. Your kid has been waiting for the opportunity and initiates the password reset request. Your phone is there on the table wide open, with the reset link in the mail. You can figure out the rest yourself. And of course the simple alternative. You think the store password on your kid’s device is secret. But in reality it is either too easy to guess or someone has been looking over your shoulder. So there’s many things that can go wrong, but what can we do to avoid it? There are many ways to fight this problem, but this is in my opinion the best approach: Let the kid set up the store account on the device and set own passwords. Just like an adult would use a phone, except that there’s no payment method registered. Never enter your credit card number on the kid’s device. On Android, get familiar with Google Play Family. This feature enables you to purchase stuff for your kid on your own device. On iPhone, send apps or money as gifts. There may be applications that bypass the store and handle credit card transactions directly. This can typically be handled with vouchers or other prepaid payment methods instead. The application usually guides the users and list all supported methods. Let’s also take a look at the hard way. Follow these instructions if you for some reasons must have your credit card registered as a payment method on the kid’s device. Make sure the store is protected with a good password that only you know. Make sure the kid isn’t watching too closely when you enter it. Make sure the store is set up to require the password every time a purchase is made. Make sure the store account is attached to an e-mail only you have access to. Make sure the e-mail password is decent and not known to your kid. Make sure your phone’s security settings are decent. Use a PIN or password your kid doesn’t know and make sure it locks automatically quickly enough. Even better, do not have the e-mail of your kids store account on your phone. Access it through web mail when needed. So this is after all a quite complex issue. There are many variations and other ways to deal with the problem. Did I miss some simple and clever way? Write a comment if you think I did. And finally. Yes, there’s also many ways to lock the kids out of the store completely. This does no doubt solve some problems, but I don’t think it’s a good idea. They will after all live their lives in a world where digital devices and services are as natural as breathing. They deserve the opportunity to start practicing for that right now. Let them browse the store and discover all the fun stuff. And be part of the group and use all the same apps as their friends. Let them have fun with the phone and learn, even if they will learn some things the hard way. Don’t ruin it for them. Safe surfing, Micke
Many people feel that some platforms are more secure than others. And while there may be some truth in that, what’s far more common is that operating systems offer users security features that people choose to use, or ignore. As Micke has pointed out in the past, behavior is often more important for security than product features. So someone with an Android device that updates all the software, sets it up to keep the device and data in their control, and knows how to avoid risky behavior that hackers look for will keep their data safer than an iPhone user that’s never even looked at the settings for their device. And based on what we saw at AltConf2016 – a developer event that mirrored Apple’s last WWDC – it looks like many iPhone and iPad users are making some pretty basic security faux pas. So here’s a few tips iPhone and iPad users can use to protect their devices and data. Don’t forget to forget Wi-Fi networks Unlike Android and Windows Phone, iOS devices don’t let you see your Wi-Fi history. It might not seem like it, but periodically cleaning out your Wi-Fi history is important. We’ve shown in the past that many people configure their devices to automatically connect with Wi-Fi hotpots they’ve connected with before. This leaves them exposed to hackers spoofing Wi-Fi hotspots (which is surprisingly simple and inexpensive to do). So if you’re an “auto-connector”, you should always remember to “forget” public Wi-Fi networks that you use in the odd café, hotel, or restaurant you visit. Because iOS devices don’t let you see your network history, you can’t pick and choose old networks you want to forget. So iOS users have two options: either forget a Wi-Fi network before you leave and walk out of range, or do a periodic network reset to clean out your entire network history. Don’t name your device after yourself During AltConf2016, F-Secure set up a Wi-Fi hotspot to see whether or not people would connect to any available free Wi-Fi. And as we’ve seen in the past, people take their Wi-Fi wherever they can get it. While many people connected and disconnected frequently, it was clear that lots of those people seem to name their device’s after themselves – approximately 80% of the devices that connected included a first name as part of the device identifier. And out of that 80%, 70% of them were iOS devices (Android and OS X devices constituted the remaining 30%). Now, hackers won’t really need this information to “pwn” their victims. But little tidbits like these are great for scams that use social engineering. Fraudsters and tricksters can use something as simple as this to manipulate people as part of a larger scam. It’s tough to say why personalizing devices seems more popular among iOS users than their Android/Windows counterparts. And having unique device names helps keep them separate on, say, a family’s Wi-Fi network that can have multiple people using it at any one time. But using initials or some other way to differentiate them is a better way to personalize your device without necessarily giving tech-savvy fraudsters the opportunity to learn something they can use to scam you. Use app restrictions (they're not just for kids) Earlier in the year, F-Secure Security Advisor Sean Sullivan recommended people change their iOS settings to take advantage of the various restrictions you can use. You can check out his blog post about it here, but basically, using iOS’ restrictions can create safeguards against malicious apps or attacks that try to trick your device into sharing information without your knowledge. Attackers use apps and processes that can run without requiring direct action from users (such as cloud storage services) to steal data. It’s something often seen as part of corporate cyber attacks, so it’s especially important to do this if you use your iPhone or iPad for work. And as my colleague pointed out in this recent blog post, you should already be using two-factor authentication and strong, unique passwords. [Image by Kārlis Dambrāns | Flickr]