If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.
So, if you were running Windows, you weren't running a firewall and you had to patch your system manually – by downloading the patches with Internet Explorer 6, which itself was riddled with security vulnerabilities.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.
They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America's ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in their security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the default security level of 64-bit Windows 8 is so far ahead of Windows XP that you can't even compare them.
We've seen other companies do similar turnarounds.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated products as updating wasn't straightforward. Eventually Adobe got their act together.
Today, the security level of, say, Adobe Reader is so far ahead of older versions of the PDF reader that you can't even compare them.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn't gotten their act together yet. And maybe they don't even have to: users are voting with their feet and Java is already disappearing from the web.
The overall security level of end users' systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we're fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
As an end result, we're still not safe with our computers, even with all the great improvements.
But at least we don't see flights grounded and trains stopped by malware every other week, like we did in 2003.
• F-Secure KEY uses the Advanced Encryption Standard (AES-256) algorithm in the CCM mode (CTR with CBC MAC) for encryption to protect your sensitive data. The security of the AES was carefully analyzed by many crypto experts prior to selecting it as a recommended algorithm for modern data encryption.
• The encryption key is derived from your master password using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm specified in Public-Key Cryptography Standards (PKCS) #5. In PBKDF2, we use Hash-based Message Authentication Code (HMAC) SHA256, random salts and 20,000 iterations. This makes it much more difficult to recover the keys through exhaustive search or dictionary attacks, even for weak passwords.
• Each password record is individually encrypted using a unique and strong random encryption key. The record-specific keys are encrypted using a master encryption key which is derived from your master password using the PBKDF2 algorithm.
• Your master password and the master encryption key are never stored anywhere. The encryption keys live only when you use the product. There is no way to recover your password or data if you forget the master password.
• When we developed F-Secure KEY, our guiding design principle was: "We don't need to know who you are. We just hope you like the product." Consequently, all the F-Secure KEY users are fully anonymous. We don't track you in any way, even when you synchronize your data across devices.
• The F-Secure KEY servers are owned and operated by F-Secure within the European Union in compliance with Finnish law and applicable EU rules.
Question: You state that my information is encrypted. What encryption do you use, and are you able to decrypt my information and hand it over to a third party?
Answer: We use AES-256 encryption in CCM (counter with CBC-MAC) mode. We have no way of decrypting any information that you have saved. In addition, anyone using F-Secure Key is anonymous to F-Secure, so we have no way of identifying an individual user's data. So we never see any of your information at any stage, and therefore we can't decrypt it or hand it over to a third party.
Both the choice of encryption and anonymity of users were conscious decisions made to improve the security of the product and protect the privacy of people using it.
One password to rule them all.
Just another day in Finland.
KEY is free for individual device use — an optional paid sync service across devices is available.
Bitcoin, and other digital currencies such as Litecoin and Peercoin, will change the way we exchange money. But they come with a major flaw: they can also be used to turn infected computers into devices that "print" money.
The beauty of the algorithm behind Bitcoin is that it solves two main challenges for cryptocurrencies - confirming transactions and generating money without causing inflation - by joining them together. Confirmations are given by other members of the peer-to-peer network, who in return are given new Bitcoins for their labour. The whole process is known as "mining".
When Bitcoin was young, mining was easy. You could earn Bitcoins by mining on a home computer. However, as the currency's value grew (from $8 to $1000 during 2013), more people started doing it, and, in response, mining became (mathematically) harder and required more powerful computers. Unfortunately, those computers don't have to be your own. Some of the largest botnets run by online criminals today are monetized by mining. Any infected home computer could be mining Bitcoins for a cybercrime gang.
Using botnets to mine is big business. The second-largest botnet in the world, ZeroAccess, made tens of thousands of dollars a day by using the infected machines to mine for cryptocurrencies. This is especially effective when the infected machines have a high-end GPU chip on their video cards.
Mining botnets such as these do not require a human user - just processing power and a network connection. The internet of things will bring millions more connected computers on to the web, embedded in devices such as cars and rubbish bins. And not all of them will have to have as high a spec as even a Windows PC to mine money: Litecoin, for example, uses more memory-intensive algorithms that can be run on a regular CPU rather than on high-end GPUs.
The mythical internet-connected fridge may at last have found an - admittedly criminal - reason to exist.
Mikko Hypponen. Originally published in Wired UK, 12/2013.
1. The price of Bitcoin has been wildly volatile lately. And that type of commodity volatility affects Bitcoin's ability to act as a currency because prices are quickly driven out of whack. Even for ransomware such as CryptoLocker.
Here's a screenshot from a November 20th variant:
The price of decryption is now 0.5 BTC.
Just a few weeks ago, the going rate was two Bitcoin.
2. This is the wallpaper CryptoLocker sets:
While the text shown above notes the destruction of "your private key" — it isn't actually destroyed.
The site from which CryptoLocker can be downloaded also offers a "Decryption Service" that can be accessed after the countdown. (But you'll have to pay more.) Because the service isn't tied to a particular computer, a file must be uploaded in order for the service to match it with a key.
Uploading a file includes "Pac-Man" animation while you wait:
Yesterday's CryptoLocker post mentioned that it's spreading via spam. It's actually a spam campaign that installs an intermediary, and then CryptoLocker is installed. But in any case, the first link in the chain that results in a CryptoLocker infection is spam.
And here's a fresh example of the message being used: "Please kindly find our new PO per attachment. Could you provide your PI for confirmation. Our Order file is password protected and can be opened/accessed with password: TRADING"
The company the message claims to be from (blurred in the example above) is of course an innocent bystander whose good name is being abused as part of this scheme.
Note that the attachments are password protected. This allows the threat to bypass gateway security measures. If you're an information security manager, don't take it for granted that the people in your organization know not to open attachments.
If you haven't heard much about "CryptoLocker" yet… you will.
Unlike much of the ransomware we've written about in the past, CryptoLocker doesn't attempt to use police themed trickery or other sleight of hand. It's strictly business. It infects via e-mail attachments (zip files containing supposed PDF files) and then sets about encrypting all of your personal data files — photos, music, documents, et cetera.
And then… you have three days to pay the ransom. Or else.
It's largely a problem in English-speaking countries because that's the language used in the e-mail bait. For now. It's certainly only a matter of time before somebody decides to expand into other languages.
And here's the kicker. One of the ways in which you can pay? Bitcoin.
That's right, CryptoLocker accepts everybody's favorite cryptocurrency as payment. And that's why this could be a tipping point. One of the biggest factors keeping ransomware at bay is the difficulty it takes to get paid. Thanks to Bitcoin and other similar digital currencies… that barrier is eroding fast.
Ransomware economics: the more frictionless Bitcoin becomes — the more prevalent CryptoLocker will become.