If you're still using XP, please do yourself a big favor this Christmas shopping season and buy yourself a new PC. Or maybe a Mac. The women in the picture above probably own a Mac in real life, don't you think?
Either way, now is an excellent time to make the jump. Even a basic, relatively inexpensive PC is far more productive than any hardware which would still be running XP.
And yeah, if you're reading this blog — you already know that. So tell your friends and family already.
We get a lot of samples here at F-Secure Labs, most of them being submitted online. But every now and then, somebody visits one of our labs and brings along their computer for forensics.
Earlier this year, a guy in his early 20's pulled up and parked his Audi R8 just outside our Helsinki HQ. His name is Jens Kyllönen, a professional poker player, both in real-world tournaments and in the online poker world. He's a high-roller by any measure, with winnings of around 2.5 million dollars over the past year.
So why would this poker star detour from his usual routine and drop by for a visit? This is his story…
Last September, Jens played in the European Poker Tour event in Barcelona. He was staying at the event hotel, a 5-star location, and spent his days mostly at the tournament tables. During a break he went up to his room, and his laptop wasn't there. He checked whether his friend had borrowed it; he hadn't. When Jens returned to his room, the laptop was back. He knew that something was amiss, and his suspicion grew when Windows didn't boot properly.
Jens provided a more detailed scenario of what happened that day in this forum:
Thinking he had possibly been compromised, Jens asked us to investigate his laptop. This is quite important, as laptop security is paramount for professional poker players, especially those who play online. We agreed to investigate, and so we made full forensic images and started digging.
After a while it was obvious that his hunch was correct: the laptop was indeed infected. We found a Remote Access Trojan (RAT) whose file timestamps coincided with the time the laptop had gone missing. Apparently the attacker installed the trojan from a USB memory stick and configured it to start automatically at every reboot. A RAT, by the way, is a common tool that lets an attacker control and monitor a machine remotely, seeing everything that happens on it.
The screenshots below give a better view of how this particular RAT works. In the first one, the attacker sees his own cards, just as any other player at the table would.
Using the trojan, however, he can also see the victim's screen, and that the victim is holding a pair of queens. This gives the attacker an edge: he knows to hold out for a better hand.
This kind of attack is very generic and works against any online poker site that we know of. The trojan is written in Java and uses obfuscation, but it isn't all that complicated. Since it's written in Java, the malware runs on any platform with a Java runtime (Mac OS, Windows, Linux). Here is a snippet of the code that takes screenshots of the victim's screen:
After analyzing Jens's laptop, we started looking for other victims. It turned out that another professional player, Henri Jaakkola, who stayed in the same room as Jens at the EPT Barcelona event, had the exact same trojan installed on his laptop.
This is not the first time professional poker players have been targeted with tailor-made trojans. We have investigated several cases in which such trojans were used to steal hundreds of thousands of euro. What makes these cases noteworthy is that they were not online attacks. The attacker went through the trouble of targeting the victims' systems on site.
The phenomenon is now big enough that we think it warrants its own name: Sharking. Sharking attacks are targeted attacks against professional poker players (a.k.a. poker sharks). It's similar to Whaling attacks which are targeted at high profile business managers.
So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the screen when you step away. Put the laptop in a safe when you're not around it, and encrypt the disk to prevent off-line access. Note that disk encryption only protects a machine that is powered off or hibernated: a laptop left asleep with a session open gives an attacker with a USB stick the same access Jens's attacker had. Don't surf the web with it (use another laptop or device for that; they're relatively cheap). This advice holds whether you're a poker pro using a laptop for gaming or a business controller in a large company using the computer to wire a large amount of funds.
If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have its firewall enabled by default and did not turn on automatic updates.
So, if you were running Windows, you weren't running a firewall and you had to patch your system manually, by downloading the patches with Internet Explorer 6, which itself was riddled with security vulnerabilities.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003 and the months that followed: Slammer, Blaster and Sobig in 2003, then Mydoom and Sasser in early 2004, and so on.
They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America's ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in their security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the default security level of 64-bit Windows 8 is so far ahead of Windows XP that you can't even compare them.
We've seen other companies do similar turnarounds.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
Favorites were Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated versions because updating wasn't straightforward. Eventually Adobe got their act together.
Today, the security level of, say, Adobe Reader, is so much ahead of older versions of the PDF readers you can't even compare them.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn't gotten their act together yet. And maybe they don't even have to: users are voting with their feet, and Java is already disappearing from the web.
The overall security level of end users' systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we're fighting.
In 2003, malware was still mostly written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
As an end result, we're still not safe with our computers, even with all the great improvements.
But at least we don't see flights grounded and trains stopped by malware every other week, like we did in 2003.
• F-Secure KEY uses the Advanced Encryption Standard (AES-256) algorithm in the CCM mode (CTR with CBC MAC) for encryption to protect your sensitive data. The security of the AES was carefully analyzed by many crypto experts prior to selecting it as a recommended algorithm for modern data encryption.
• The encryption key is derived from your master password using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm specified in Public-Key Cryptography Standards (PKCS) #5. In PBKDF2, we use Hash-based Message Authentication Code (HMAC) SHA256, random salts and 20,000 iterations. This makes it much more difficult to recover the keys through exhaustive search or dictionary attacks, even for weak passwords.
• Each password record is individually encrypted using a unique and strong random encryption key. The record-specific keys are encrypted using a master encryption key which is derived from your master password using the PBKDF2 algorithm.
• Your master password and the master encryption key are never stored anywhere. The encryption keys exist only in memory while you use the product. There is no way to recover your password or data if you forget the master password.
• When we developed F-Secure KEY, our guiding design principle was: "We don't need to know who you are. We just hope you like the product." Consequently, all the F-Secure KEY users are fully anonymous. We don't track you in any way, even when you synchronize your data across devices.
• The F-Secure KEY servers are owned and operated by F-Secure within the European Union in compliance with Finnish law and applicable EU rules.
Question: You state that my information is encrypted. What encryption do you use, and are you able to decrypt my information and hand it over to a third party?
Answer: We use AES-256 encryption in CCM (counter with CBC-MAC) mode. We have no way of decrypting any information that you have saved. In addition, anyone using F-Secure Key is anonymous to F-Secure, so we have no way of identifying an individual user's data. So we never see any of your information at any stage, and therefore we can't decrypt it or hand it over to a third party.
Both the choice of encryption and anonymity of users were conscious decisions made to improve the security of the product and protect the privacy of people using it.
One password to rule them all.
A young woman holding what appears to be an Ikea coffee cup in one hand and a smartphone in the other.
Just another day in Finland.
KEY is free for individual device use — an optional paid sync service across devices is available.
Bitcoin, and other digital currencies such as Litecoin and Peercoin, will change the way we exchange money. But they come with a major flaw: they can also be used to turn infected computers into devices that "print" money.
The beauty of the algorithm behind Bitcoin is that it solves two main challenges for cryptocurrencies - confirming transactions and generating money without causing inflation - by joining them together. Confirmations are given by other members of the peer-to-peer network, who in return are given new Bitcoins for their labour. The whole process is known as "mining".
When Bitcoin was young, mining was easy. You could earn Bitcoins by mining on a home computer. However, as the currency's value grew (from $8 to $1000 during 2013), more people took up mining, and in response the network raised the mining difficulty, so that it required ever more powerful computers. Unfortunately, those computers don't have to be your own. Some of the largest botnets run by online criminals today are monetized by mining. Any infected home computer could be mining Bitcoins for a cybercrime gang.
Using botnets to mine is big business. ZeroAccess, the second-largest botnet in the world, made tens of thousands of dollars a day by using the infected machines to mine for cryptocurrencies. This is especially effective when the infected machines have high-end GPU chips on their video cards.
Mining botnets such as these do not require a human user, just processing power and a network connection. The internet of things will bring millions more connected computers on to the web, embedded in devices such as cars and rubbish bins. And not all of them will need the specification of even a Windows PC to mine money: Litecoin, for example, uses scrypt, a memory-hard hash that runs acceptably on an ordinary CPU and gains far less from a high-end GPU than Bitcoin's SHA-256 does.
The mythical internet-connected fridge may at last have found an - admittedly criminal - reason to exist.
Mikko Hypponen Originally published in Wired UK 12/2013
1. The price of Bitcoin has been wildly volatile lately. And that type of commodity volatility affects Bitcoin's ability to act as a currency because prices are quickly driven out of whack. Even for ransomware such as CryptoLocker.
Here's a screenshot from a November 20th variant:
The price of decryption is now 0.5 BTC.
Just a few weeks ago, the going rate was two Bitcoin.
2. This is the wallpaper CryptoLocker sets:
While the text shown above notes the destruction of "your private key" — it isn't actually destroyed.
The site from which CryptoLocker can be downloaded also offers a "Decryption Service" that can be accessed after the countdown. (But you'll have to pay more.) Because the service isn't tied to a particular computer, a file must be uploaded in order for the service to match it with a key.
Uploading a file includes "Pac-Man" animation while you wait: