Tuesday, May 27, 2014

ProTip: Use Apple? Turn Passcode On! Posted by Sean @ 16:32 GMT

Interesting Apple security news is being reported today. Apparently some Apple devices have been hijacked via Apple's "Find My iPhone" feature. How? Likely via poorly defended iCloud accounts, i.e., iCloud accounts with weak passwords.

Once you have access to iCloud, you have access to the Find My iPhone's "Lost Mode", which can be used to lock associated devices and send messages such as "Reward if found! Call this number."

iCloud, Lost Mode

Or then it could be an extortion attempt.

Here's an example from a German colleague's iPhone:

Find My iPhone

According to the sources linked above, "Oleg Pliss" is demanding money to a PayPal account. If the iPhone user has a passcode, they can unlock their device. If they don't have a passcode set… then they have a problem.

It's also worth mentioning the Find My iPhone feature includes a "Delete" option. Besides extortion, your iPhone can also be burned. And remember too that iCloud provides access to contacts and calendars.

So… besides enabling a passcode, you should also be using a strong and unique password for your Apple/iCloud/iTunes account. Sure, it will be annoying to input when you want to buy an app — but that's the price you'll need to pay.

Or else, disable iCloud functionality.

"Identify the critical accounts to protect, and then make sure the passwords for those accounts are unique and strong."

To do list:

1) Turn Passcode On! (It doesn't have to be required immediately.)
2) Reset your Apple/iCloud/iTunes password.

Optional (but highly recommend):

3) Get yourself a password manager.


Wednesday, May 21, 2014

Three Lessons We've Learned From Our Facebook Partnership Posted by Sean @ 12:42 GMT

On Tuesday, Facebook Security announced its new effort to make malware cleanup easier. And we're very happy to be part of that effort. F-Secure is one of two vendors now partnered with Facebook do to malware clean-up.

With over one billion users, Facebook has a very unique vantage point from which to detect threats. It can see patterns on a scale few others can. And user accounts pumping spam links that have uncommon browser plugins installed… well, those accounts are connecting from computers affected by malware. So what to do about it?

That's where we come in…

When Facebook determines a case of Facebook-focused malware, it introduces this prompt during login:

Facebook, Your Computer Needs To Be Cleaned

The user then has the option to download our Online Scanner:

Facebook, F-Secure Online Scanner

Once downloaded and started, the user can continue to their Facebook feed.

Our scanner runs in the background and produces a Facebook notification when it's finished.

Facebook, F-Secure Online Scanner: finished

While Facebook-focused malware is the trigger which prompts the scan, our scanner will of course detect more threats if present. If a difficult case is discovered, Facebook will move our UI into the foreground.

"Chanki" — our service manager for this project — makes the following observations:

1 — There are a tremendous amount of suspect installers out there, which while not necessarily malicious, are difficult to classify as clean by default. Separating the wheat from the chaff is a challenge when installers can be configured to install multiple items utilizing a common platform that also has legitimate uses.

2 — We also needed to come up with approaches for handling the classification, detection and removal of malicious browser extensions on Firefox and Chrome, which represent a significant attack vector against Facebook's platform. This is typified by families such as the Turkish-oriented Kilim malware, and older attacks such as FBSuper which we have previously written about on this blog. The attack surface is not just Win32 OS; we have to take into account the platforms represented by the browsers as well.

3 — We also discovered that Bitcoin remains a significant motivation for malware authors. We identified at least two malware families, Napolar and Lecpetex, that utilize Facebook as a vector to spread and install Bitcoin miners.

Great work, Chanki!

You don't need to be prompted by Facebook to try our Online Scanner. Feel free to download and run it yourself. Add it to your USB toolkit, it needs online access for our latest detections, it isn't Web-based. If complex threats are discovered, the scanner includes neat tech such as an ability to reboot into a virtual Linux machine and then back to Windows. Nice.

F-Secure Online Scanner UI: Start

You'll always find the latest version here:


Tuesday, May 20, 2014

On The Right To Be Forgotten Posted by Sean @ 12:23 GMT

According to Google, the "right to be forgotten" is "logistically complicated."

Last Week Tonight's John Oliver clarifies the issue here:

Last Week Tonight : Right To Be Forgotten


Thursday, May 15, 2014

"Police Ransomware" Expands To Android Ecosystem Posted by FSLabs @ 16:23 GMT

Crimeware has steadily transferred Windows-based technology to Android. We've seen phishing, fake-antivirus scams, banking trojan components, and now… ransomware.

Yep. "Police ransomware" on Android. Our name for it is, Koler.

main screen

The crimeware ecosystem has long been aware of Android systems it routinely comes into contact with — it's not really much of a surprise to see ransomware attempt to make the jump.

Here's how it works:

Compromise occurs when the user visits a booby trapped (pornographic) website with his Android device. The malware then pretends to be video player and requests installation. This is dependent upon the "enable unknown sources" setting being configured.

When the installation is completed, Koler sends the phone's identification information to its remote server. After this, the server returns a webpage declaring that the user has visited an illegal porn site and the phone is locked. To unlock, the user is told to pay a fine (ransom).

Even though Koler claims to encrypt files, in reality, nothing is encrypted.

These domains are hardcoded to be Koler's remote servers:


At the moment, Koler's servers are offline. Google Cache finds (NSFW) content from only one server but the malware has been removed. The servers are/were hosted in US. Whois lists contact information, such as phone numbers, from Denmark and Russia.

At present, country-specific versions of localization have been seen for more than 30 countries. The content has been ported from Windows versions of "police ransomware" and is formatted for mobile browsers.

How to remove Koler:

The ransomware prevents disables the back button, but the home screen button is active. The user has only a few seconds in which to get to the phone's settings to remove the malware, or to restore factory settings.

Another option is to restart the device to the service menu and remove Koler from there.

Koler also prevents access to the device via the adb.exe. You are able to start shell but the viewing of files is not allowed.

More information can be from our description: Trojan:Android/Koler.

Analysis by — Mikko Hyykoski


Tuesday, May 13, 2014

Microsoft SIR v16 Posted by Sean @ 13:03 GMT

Microsoft recently released volume 16 of its Security Intelligence Report. If you're serious about security issues, SIR is a must read.

And whad'ya know… Finland is once again among the healthiest locations in the world.

lowest infection rates in the world

Is it a coincidence that Finland is the cleanest country in the world? ;-)


Thursday, May 8, 2014

Video: Hypponen and Hasselhoff Posted by FSLabs @ 12:48 GMT

Mikko at re:publica 2014:

re:publica 2014 - Looking for Freedom

Add your thoughts here: F-Secure Digital Freedom Manifesto.


Tuesday, May 6, 2014

Video: NEXT Berlin Posted by Sean @ 12:31 GMT

Mikko spoke at NEXT Berlin yesterday:

NEXT: Arms race

And the video is now online: Arms Race. [24m15s]