Most Recent News from the Lab

Friday, April 17, 2015

Moving Around Posted by Sean @ 14:35 GMT

We're reorganizing numerous teams here at F-Secure Labs, and that means moving people around between the second and third floors in our Helsinki HQ.

Moving requires moving boxes and this is what the "Platforms" team did with them:

Great Wall of Sofa

Lab Dancing Inside

By the way — we're also expanding. There are several software engineering positions available on our APT team. No box building experience required.

Job openings


Friday, April 10, 2015

Video: Terrorist Groups in the Online World Posted by Sean @ 11:01 GMT

Given recent events, this presentation by Mikko about the possibility of terrorist groups doing online attacks seems timely.

YouTube: Terrorist Groups in the Online World

Protip: don't make yourself an easy target by broadcasting your passwords:

David Delos


Thursday, April 2, 2015

Remote Code Execution Possible Via Dell System Detect Posted by FSLabs @ 12:53 GMT

Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).

But a significant problem remains from our point of view.

Older versions of the software don't update themselves and there remains a lot of vulnerable computers out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From just our customer base statistics within the last two weeks, we can see approximately 100,000 customers queried reputation checks on System Detect. Only about one percent of our customers are now running the latest version (6.0.14, represented by red in the chart below).

Dell System Detect, F-Secure customer install-base

Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.

Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.

We used Forbe's research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed the older versions can be used to launch calc.exe from a targeted machine (i.e., Remote Code Execution).

Dell System Detect

For the version, the domain part of the referer-field's URL needs to contain "" but it accepts also "", so it's highly vulnerable.

Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "", so it's also just as vulnerable to a web-based attack.

The current version, 6.0.14, requires that the domain is "*" which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.

Older versions should definitely be uninstalled as soon as possible.

Here's an HTTPS enabled download link.

We are continuing to investigate further issues and actions that may be necessary to protect our customers.


Thursday, March 19, 2015

Our VPN Service Takes Your Privacy Seriously Posted by Sean @ 15:26 GMT

TorrentFreak recently asked "leading [VPN] providers about their logging practices and other privacy sensitive policies."

TorrentFreak Questions

Questions such as:

1 — Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2 — Under what jurisdiction(s) does your company operate?

3 — What tools are used to monitor and mitigate abuse of your service?

The folks responsible for our Freedome VPN answered:

TorrentFreak Answers

Read all the questions/answers at TorrentFreak and/or our Safe and Savvy blog.


Friday, March 13, 2015

Variants of Ransomware Targeting Video Game Files Posted by Sean @ 12:09 GMT

"Free" Decryption — but you'll need to pay a ransom first.

Free Decryption

The image above is from the Web interface of a ransomware scheme that is targeting video game files (among others).

Details here and here.

Protip: backup — all — of your important stuff.


Thursday, March 12, 2015

Nordea Phishing Campaign Continues Posted by FSLabs @ 15:29 GMT

Just when we thought this Nordea phishing campaign is over, it reared its ugly head once again. It made its comeback on March 5th.

first_seen (33k image)

The phishing site looks pretty similar to the actual Nordea Finnish website.

site (66k image)

Many of us in the Labs are Nordea customers, so we know that if the perpetrator is able to steal information from this page, there is nothing else they can do other than login to accounts once and check the balance. They will be unable to do any transactions since they would need more than one pin number.

However, the ones behind this did their homework.

If someone falls victim to this attack, they will be led to yet another page that asks for the previous pin and the next four pins.

first_error_page (29k image)

After this page, the victim will be asked for the last 4 digits of their credit card and CVV.

second_error_page (11k image)

Once all those information are stolen, the fake page will redirect to the real Nordea website.

redirection (17k image)

As expected, for the last 7 days, majority of the phishing site visitors were from Finland.

visits (12k image)

We do have a detection already that covers this.

wts_block (61k image)

And it's good to note that if you are using our product, when you visit the real Nordea bank, Banking Protection will trigger and isolate unknown traffic during your banking session.

nordea_real (61k image)


Tuesday, March 10, 2015

Twitter Now Tracking User IP Addresses Posted by Sean @ 13:48 GMT

On Monday, I was testing our Freedome VPN for Windows and eventually… I forgot that I was using our London exit node.

Freedome for Windows, London

And then I attempted to log in to Twitter.

This was the result:

Twitter, Verify your identity

And then I received this message via e-mail:

5ean5ullivan, Reset your password

An unusual device or location?

In order to determine that I was attempting to log in from an "unusual" location, Twitter must be keeping a history of my previous IP addresses to compare against. This type of security feature is not new, Facebook has been doing this sort of thing for years already. But I've not yet seen it from Twitter. (A few years ago, Twitter seemed to be actively against such an idea.) Unlike Facebook, I don't see anyplace from which I can download my own connection history. Previous IP addresses used are available to those who download a Facebook archive. But IP address information isn't in the Twitter archive that I downloaded today.

So then the questions I now have for Twitter is this: for how long have my connections been logged and tracked? And when will a copy of the data be available to me?

March 11th update:

Eagle-eyed reader Tero Alhonen found the answer to one of my questions in Twitter's Privacy Policy.

Twitter's Privacy Policy, Log Data

Twitter "may" receive information such as IP address and will "either delete Log Data or remove any common account identifiers" "after 18 months." The language about 18 months was first included in version 5 of the policy, June 23, 2011.

So then that just leaves this question: can I please get a copy of the data?

Post by — Sean