NEWS FROM THE LAB - October 2012


Monday, October 29, 2012

United Nations on the Use of the Internet For Terrorist Purposes Posted by Mikko @ 10:52 GMT

Technology is one of the strategic factors driving the increasing use of the Internet by terrorist organizations and their supporters for a wide range of purposes, including recruitment, financing, propaganda, training, incitement to commit acts of terrorism, and the gathering and dissemination of information for terrorist purposes. While the many benefits of the Internet are self-evident, it may also be used to facilitate communication within terrorist organizations and to transmit information on, as well as material support for, planned acts of terrorism, all of which require specific technical knowledge for the effective investigation of these offenses.

The UN Office on Drugs and Crime has published a 150-page document on the topic: Use of the Internet for terrorist purposes.


It's good to see that this publication does not wander off to discuss cybercrime, hacktivism, or piracy but indeed focuses on the real terrorist and extremist groups and their activities online.

However, somewhat disappointingly, the document does not go deeper into the potential of actual online attacks launched by such groups. To quote: "While a considerable amount of attention has focused in recent years on the threat of cyberattacks by terrorists, that topic is beyond the scope of the present publication and, as such, will not be a subject of analysis."

We did some of our own work in this area, which was presented at the RSA Conference earlier this year. A transcript is available here.


Friday, October 26, 2012

Ghost in the Drone Posted by Mikko @ 11:13 GMT

The Washington Post has a long and interesting article series on US Drone operations in Africa.


The article has this interesting snippet, taken from declassified US Drone incident reports:

Air Force mechanics have reported mysterious incidents in which the airborne robots went haywire. In March 2011, a Predator parked at the camp started its engine without any human direction, even though the ignition had been turned off and the fuel lines closed. Technicians concluded that a software bug had infected the "brains" of the drone, but never pinpointed the problem. "After that whole starting-itself incident, we were fairly wary of the aircraft and watched it pretty closely," an unnamed Air Force squadron commander testified to an investigative board, according to a transcript. "Right now, I still think the software is not good."

No comments.


Monday, October 22, 2012

Video Interview: On Cybercrime and Digital War Posted by Sean @ 10:03 GMT

Mikko did this video interview for Tweakers (a Dutch website) last week. It's almost completely in English. [11'27"]

Mikko Hypponen – Security Researcher, F-Secure

Mikko Hypponen on cybercrime and digital war


Thursday, October 18, 2012

'Cyber Pearl Harbor' Posted by Mikko @ 16:52 GMT

US Defense Secretary Leon E. Panetta has warned that the United States faces a possible 'Cyber Pearl Harbor' attack by foreign computer hackers.

Is the risk level really so high?

In order to estimate the risk of an attack, you have to understand your enemy.

There are various players behind the online attacks, with completely different motives and with different techniques. If you want to effectively defend against attacks, you have to be able to estimate who is most likely going to attack you, and why.

A common fear people have is that somebody would somehow take down the Internet. If we forget the technical difficulties of such an attack, let’s think for a moment who would want to do that and why. Spammers and online crime gangs definitely wouldn’t want to take down the Internet, as they need it to earn their living. Hacktivist groups or movements like Anonymous probably wouldn’t really want to do it either, as these people practically live online. And a foreign nation-state could probably benefit much more by tapping Internet traffic, using the net for espionage or by inserting forged traffic.

We can apply a similar thinking model to any other critical infrastructure sector, including electricity distribution, water supply, nuclear systems and so on. Some of them are more likely to be targeted than others, but the defense must start from understanding the enemy. It’s quite clear that real-world crises in the future are very likely to have cyber components as well.

If we look for offensive cyber attacks that have been linked back to a known government, we mostly find attacks that have been launched by the United States, not against it. So far, antivirus companies have found five different malware attacks linked to operation 'Olympic Games', run by the US and Israel. When The New York Times ran the story linking the US Government and the Obama administration to these attacks, the White House started an investigation into who had leaked the information. Note that they never denied the story. They just wanted to know who leaked it.

As the United States is conducting offensive cyber attacks against other countries, other countries will certainly feel that they are free to do the same. Unfortunately, the United States has the most to lose from attacks like these.


Mikko Hypponen


Wednesday, October 17, 2012

This Machine Kills Secrets Posted by Sean @ 12:53 GMT

Forbes tech reporter Andy Greenberg's book, This Machine Kills Secrets was published on September 13th.

It's been working its way up the sales charts since.

This Machine Kills Secrets

Here's a New York Times book review by Evgeny Morozov.

The book is about whistleblowing (a history) and of the tech used by today's leakers.

And here's a cool thing: the book contains a cryptographic puzzle within its pages.

A puzzle that our Timo Hirvonen solved!


Congrats, Timo!


Book excerpts, so you can get a taste:

Forbes: Meet The 'Spiritual Godfather Of Online Leaking'
Wired: The WikiLeaks Spinoff That Wasn't
Slate: The WikiLeaks Copycat That Worked

Check it out.


Friday, October 12, 2012

Mikko Hypponen: One of the Good Guys Posted by Sean @ 12:27 GMT

Our Chief Research Officer, Mikko Hypponen, is considered by some to be an "infosec rock star".

Rock star

Also, he is known by many for his ponytail.

(Something which really isn't all that uncommon in infosec — but his is rather more blond than most.)

His ponytail has even been mentioned by malware:

Virus:W32/Divvi, circa October 2007

So, why do I bring this up? Well, yesterday I saw the following Tweet:

Twitter WeldPond 11102012

Mikko cutting his hair?

A bad joke I thought… nobody is going to fall for that. (A rickroll setup?)

This Tweet soon followed:

Twitter k8em0 11102012

And the "evidence":


Evidence? Of hair. But whose? I still wasn't buying that it was actually Mikko's.

And then… this Tweet:

Twitter Mikko 11102012

A YouTube video of Mikko and @k8em0 having their hair cut:

So, who is @k8em0? Katie Moussouris, Senior Security Strategist at Microsoft.

Twitter k8em0
Katie Moussouris. Also: Roguery.

She and Mikko were convinced to take part in an auction for a cancer charity at the HITB2012KUL conference:

Twitter k8em0 12102012

And it was quite a success! Mikko's ponytail went for 7,000 MYR (1,770 EUR / 2,288 USD).

On a serious note.

Two years ago, while going through stuff during some office renovations, I came across a photo of Mikko with (relatively) short hair. When Mikko saw the photo he said, "I'm never going to do that again…".

(I can tell you that he didn't want to cut off his ponytail.)

But he did.

For a very good cause. I am proud of him for it. I am very proud to work with him.

And I'm confident in saying the same is true for the rest of the folks here at F-Secure.

He's one of the good guys.


On a different (and threat related) note:

After watching the video, I sent a link to an internal F-Secure list.

This is by far the best reply I received:

Ponytail attack

Indeed. That would have been the perfect link bait! Why didn't I think of that? ;-)



Thursday, October 11, 2012

Next Week: "World War" Posted by Sean @ 12:21 GMT

This is the event that will be making headlines next week… if you aren't yet aware of it, you should be.

The ITU Telecom World 2012 conference in Dubai:

ITU World2012

Why will it be making headlines?

World War 3.0

The answer to that question can be found in this Vanity Fair article from May: World War 3.0.

And for the policy wonks among you, check out:

  •  Civil Society is Key to the Debate on International Control Over the Internet
  •  The ITU WCIT And Internet Freedom

There will be a "war" for control of the Internet next week.

Be informed now.


Wednesday, October 10, 2012

Hackable Huawei Posted by Sean @ 17:23 GMT

The U.S. House of Representatives Permanent Select Committee on Intelligence created quite a stir on Monday with its report on Chinese telecom companies Huawei and ZTE.

U.S. House of Representatives

The report recommends excluding the companies from sensitive systems and for U.S. network providers to seek other vendors, among other things. In response, Huawei claims U.S. protectionism is the real reason behind the charges of Chinese government ties and potentially backdoored equipment.


But seemingly lost in all of the news is a different question: not whether Huawei can be trusted, but whether it can be hacked.

If you follow DEFCON news, you may already know that the answer is… yes.

Risky Business #250

So perhaps vendors have another, less jingoistic reason why they wouldn't want to use Huawei.

Check out this episode of the Risky Business podcast: Risky Business #250 -- Hack it like it's 1999.

You'll also find a PDF of Lindner and Kopf's DEFCON talk there.

Updated to add: from ZDNet: Hack In The Box: researcher reveals ease of Huawei router access.


Friday, October 5, 2012

VB2012 Paper: Flashback OS X Malware Posted by Sean @ 13:03 GMT

F-Secure Labs Analyst, Broderick Aquilino, recently presented at Virus Bulletin 2012 in Dallas.

His topic of research was the OS X malware, Flashback, which was spreading back in April.

Flashback OS X malware

You can download Broderick's paper from here. [PDF] The paper was originally published at VB2012.


Global James Bond Day Posted by Sean @ 12:27 GMT

Today, October 5th, is Global James Bond Day, celebrating the 50th anniversary of Agent 007 (in film). Okay, it's a promotional thing for the upcoming film — Skyfall — but it's still pretty cool.

And it got us thinking, over the last 50 years, how many "fantastic" James Bond gadgets now seem to be quaint?

Global James Bond Day

Hmm, well, we still don't have jet packs… but fingerprint scanners are commonplace. And a TV watch? Not likely. Watches went from utilities to fashion accessories years ago. Today, we're more likely to watch television on our phones. So it makes you wonder, what kind of "Q-tech" currently exists in the Internet security world?

Perhaps it's espionage tech such as Stuxnet and Flame?

Fortunately for most of us, such things are likely to remain in the realm of jet packs. Unfortunately, just like Q, people get ideas when they see fantastic gadgets. And that may just spur malware innovations, so that what seems fantastic today could be commonplace tomorrow. Enjoy your James Bond Day.

(Thank you for the cool graphic, Ville.)


Thursday, October 4, 2012

Scareware and "Scary" Scams Aren't the Same Thing Posted by Sean @ 12:21 GMT

Two big headlines to comment on.

First, there's this: FTC Case Results in $163 Million Judgment Against "Scareware" Marketer.

FTC, Winfixer

The defendant, Kristy Ross, has been involved in U.S. FTC cases going back to 2008: Court Halts Bogus Computer Scans.

Her boyfriend "Sam" Jain is still at large:

Sam Jain

You can read more about Jain in this June 2011 post.

An important judgment to be sure, but remember, Ross is one of yesterday's scareware vendors getting the hammer.

Here's a site where you can see examples of today's: S!Ri.URZ.

And the second headline:

On October 3rd, Australian, Canadian, UK, and U.S. agencies announced action against another type of "virus scam". Here's the FTC's release: FTC Halts Massive Tech Support Scams.

FTC, Pecon

Excellent work! But there appears to be some confusion as to just what was halted. Some news networks appear to be confusing this action with October 2nd's, possibly because of what FTC Chairman Jon Leibowitz said:

"And the tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem."

Err… no, no they haven't. There's no "ware" (malware) involved in tech support phone scams — it's pure social engineering. He really shouldn't have used the term scareware.

Tech support phone scams involve: people calling up from call centers; telling the receiver that "IP traffic" or some other such nonsense indicates their computer is infected with a virus; making a remote connection to the computer in order to "clean" it; and then selling them free or trial security software.

It's a social engineering scam — there's no scareware, there.

For a better understanding, we recommend this VB2012 paper from ESET: My PC has 32,539 errors: how telephone support scams really work [PDF] by David Harley (ESET), Martijn Grooten (Virus Bulletin), Steven Burn (Malwarebytes), and Craig Johnston (an independent researcher). The paper was first published at Virus Bulletin Conference, September 2012.

And if you want to listen to some folks trolling tech support scam callers…

Google results for tech support phone scam:

Google, tech support phone scam


Wednesday, October 3, 2012

WordPress Premium Theme XSS Vulnerability Posted by Sean @ 10:20 GMT

On Tuesday, we shared a rather silly video which made a serious point about the need to keep websites secure.

Unfortunately, limiting potential website vulnerabilities is not exactly intuitive. There's always additional stuff one needs to consider.

For example, let's take the very popular WordPress(.org) publishing platform. WordPress itself does a pretty good job when it comes to maintaining its security. Unfortunately, the same cannot be said for everybody that runs WordPress websites. Many website admins allow their WordPress installations to fall out of date, and there are numerous compromised WordPress sites online as a result.

But even those admins that do keep their platform up to date still have things to worry about, such as themes.

Product security professional and pentester, Janne Ahlberg, has discovered several WordPress themes by Parallelus that are affected by a reflected cross-site scripting (XSS) vulnerability.

Here's a screenshot of the XSS vulnerability demonstrated with the Unite theme: Unite

Based on Ahlberg's tests, the XSS vulnerability can be used to execute remote JavaScript. Affected sites include personal blogs, but also corporate websites. You can read more information on his blog: Janne's corner.
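To show the class of bug involved, here is an added illustration of a reflected XSS in a hypothetical theme search template beside its corrected form; this is not code from Parallelus, from the Unite theme, or from Ahlberg's write-up, and the demo_* function names are assumptions. The escaping functions (esc_html, esc_attr, esc_url, get_search_query, add_query_arg, home_url) are WordPress's own.

```php
<?php
// Added illustrative example: a hypothetical theme search template, not code
// from Parallelus or from Ahlberg's findings. Function names are assumptions.

// VULNERABLE pattern: the search term from the query string is echoed straight
// into HTML body and attribute contexts. Whatever arrives in ?s= (for example
// via a crafted link) becomes part of the rendered page, which is what a
// reflected XSS is. WordPress core never sees this output; the theme owns it.
function demo_search_header_unsafe() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<h2>Search results for: ' . $term . '</h2>';
    echo '<input type="text" name="s" value="' . $term . '">';
}

// HARDENED pattern: read the query var through WordPress and escape once per
// output context (esc_html for element content, esc_attr for attribute values,
// esc_url for href/src). get_search_query( false ) returns the unescaped value
// so the template escapes exactly once for the context it writes into.
function demo_search_header_safe() {
    $term = get_search_query( false );
    echo '<h2>Search results for: ' . esc_html( $term ) . '</h2>';
    echo '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
    // add_query_arg() does not encode values for you; encode, then late-escape.
    $self = add_query_arg( 's', rawurlencode( $term ), home_url( '/' ) );
    echo '<a href="' . esc_url( $self ) . '">Link to this search</a>';
}
```

The point for site owners is the one the post makes: keeping WordPress itself patched does nothing for output the theme writes unescaped, so themes need the same review and update discipline as core.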

And for more information on securing your WordPress installation, see this article: Hardening WordPress.

Update: According to the developer — affected Parallelus themes are now corrected.


Tuesday, October 2, 2012

When You're in the Wild with Websites Posted by Sean @ 12:26 GMT

This StopBadware video by Bluehost is simply too odd not to share:

And it offers some decent advice for keeping your website secure.