Real-Time Location Sharing Redux

Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but it may come with OPSEC considerations for others.

Here’s what I wrote about Latitude, on February 5, 2009.

A new mobile phone application, Google Latitude, was introduced yesterday. It’s an interesting new addition to Google Maps.

According to Google, with Latitude you can:

  • See where your friends are and what they are up to
  • Quickly contact them with SMS, IM, or a phone call
  • Maintain complete control over your privacy

Err… Complete control? True, only the friends that you add/allow are able to follow your movements and Latitude does have a manual override function. But complete control? Perhaps it would be more accurate to claim that there are strong controls.

Assuming that you remember to use those controls of course.

If you want to maintain complete control over your privacy, you probably won’t be installing Latitude.

On the other hand, if you’re willing to share some of your personal details, Latitude could prove itself to be a really useful feature.

Updated to add: Reader Daniel S. posted a comment noting that Google has modified its text to:

  • Control what your location is and who gets to see it

While Latitude was very popular within a niche, it never achieved mass success and was discontinued in 2013. Google Maps, on the other hand, is practically everywhere, so “Latitude” is about to be reborn in a big way.

The new sharing features appear to have solid controls; it’s opt-in, has time limitations, et cetera. But still, if you’re concerned about leaking your location, be sure to review the settings when you receive the update.

It’s Not New To Us

A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data.

This activity is on the heels of last week’s Turkish-related Twitter account hacks via a service called Twitter Counter.

And that brings to mind this article (by Andy)…

OVER THE PAST FEW YEARS, you’ve probably heard phrases such as “the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries”. That’s long speak for “expect a lot more script kiddies to start pwning your systems”. As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we’re seeing nowadays aren’t “Advanced Persistent Threats”, they’re simple hacks performed by “Adequate Pernicious Toerags”.

Nothing illustrates this phenomenon better than the group we’ve dubbed “The Romanian Underground”. This is a group that our Cyber Security Services colleagues have had first-hand experience with on a number of occasions while performing incident response and forensics work.

The Romanian Underground are, simply put, a bunch of IRC chatroom buddies who decided it would be cool to take up the hobby of “hacking”. Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers – they probably know about five more Unix commands than their apprentices. But they’ve been in the game for a few weeks already, and have a wealth of experience.

As newcomers learn the ropes (which usually implies that they’ve learned to configure the tools they’ve been provided), they’re promoted to mentors, and take on their own set of apprentices. This hierarchical model closely resembles the popular pyramid selling schemes you might have had the misfortune to come across. Of course, the guys involved in The Romanian Underground aren’t looking to become millionaires by selling soap – the pyramid scheme is a form of gamification, where the goal is to collect as many owned systems as possible and move up the ranks.

Of course, it’s the guys at the top of the pyramid who are truly benefitting from all of this. They’re the ones providing the tools, and by pushing all their manual work downstream, they get access to thousands of compromised systems. Meanwhile, the newcomers are happy to proudly identify themselves as “hackers” on their Facebook pages (alongside other random hobbies such as windsurfing or snowboarding).

The toolkits being pushed down the pyramid are usually designed to exploit or brute force common services such as SSH and webmail servers. What might surprise you (or not) is that these toolkits, in the hands of completely unskilled noobs, are being used to compromise even PCI-DSS compliant organizations across the globe.

While this hierarchical method of operations is new to Romania, it’s not new to us. We’ve been aware of Turkish website defacement groups such as Akıncılar (who surfaced in 1999 and appear to have still been active in 2016) for quite some time. Those guys also operate under a hierarchy, albeit a more military-style one. In fact, one of our own web sites was defaced by a Turkish group back in 2007. It turns out they abused a vacation notification plugin to perform the attack (pro-tip: plugins will burn you!). Funnily enough, the popularity of our forums actually increased after the attack due to the publicity we received. Go figure.

These structured groups differ from the also rather prevalent “herd of cats” approach to hacking collectives such as anon or 4chan, where members scratch and claw their way up the pile only to get pulled back down the next day.

Gamification seems to be a growing trend amongst unskilled hacker groups. In 2016, Turkish hackers set up a DDoS-for-points game designed to be played by noobs. Players were provided with a custom tool designed to carry out DDoS attacks against specific, mostly politically motivated targets. Participants earned points for every 10 minutes’ worth of DDoS achieved. Those points could be redeemed to purchase various clickfraud tools. The grand prize was an “unlocked” version of the DDoS tool that allowed its owner to target any site of their choosing.

At the end of the day, we feel that boxes being owned is a lot scarier than website defacements and DDoS attacks, especially when you consider that this is the first time we’ve encountered it being done on such a large scale, and by script kiddies.

We’re not surprised that the majority of cyber attacks that happened during 2016, from the San Francisco MUNI to the Dyn outage, were carried out using simple, scriptable techniques against badly maintained infrastructure. The fact that folks with very little skill or know-how can carry out successful attacks against PCI-DSS compliant organizations paints a grim picture of the state of our global computing infrastructure going into 2017.

This article was originally published in our State of Cyber Security 2017 report.

A stand-alone version is also available: The Romanian Underground.

FAQ Related To CIA WikiLeaks Docs

We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump.

Did the news surprise you?

No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.)

Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need to start from scratch? Is everything “burned”?

The CIA’s developers would probably need to retool anyway. OS’s get major updates annually. There’s always churn, and thus, tools to be rebuilt or created anew. A vulnerability analyst and exploit developer is always busy.

Do you think the documents are real?


What are the documents about?

The documents appear to have come from an internal wiki of some sort. They look like notes written by a developer.

Where did they come from?

A (very plausible) theory we’ve heard: former Booz Allen Hamilton contractor Harold Martin’s cache of documents.

F-Secure was mentioned in the documents. What do they mean by “annoying troublemakers” and “lower-tier”?

Don’t know, ask them. (Not sure we care.) Sounds cool though.

How is F-Secure Labs reacting to the alleged “by-pass” documented in the leak?

Very seriously. Investigations began immediately. Notes don’t equal a good bug report however, so it will take time to be thorough.

How do you normally handle vulnerabilities?

Via our own bug bounty program.

Will you be paying a bug bounty to the CIA? (Seriously, we’ve been asked this.)


Do you handle vulnerabilities often?

A fact of life: all software has bugs. End-point protection software is a popular target of university researchers. And that’s a good thing: bug hunting makes for better software.

Any other thoughts?

Cyber security companies are frequently asked if they add backdoors to their products for the benefit of law enforcement and/or nation states. We think these documents conclusively dispel that theory (at least on our part). As you can see, nation state adversaries need to make an effort to bypass our products, just like cyber criminals.

Apple, Google, And The CIA

Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents.

Here’s Apple’s statement via BuzzFeed News.

“Apple is deeply committed to safeguarding our customers’ privacy and security.”

According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, indeed, iOS users update fast.

Based on “first launch” telemetry from our Freedome VPN, we consistently observe rapid adoption of the latest version of iOS. In short order, the latest version is the majority of what we see from first-time users.

Mobile OS take up rate - iOS

And then… there’s Google’s statement, again, via BuzzFeed News.

“The CIA can also compromise smartphones that run Google’s Android…”

Google is “confident that security updates and protections in […] Android already shield users from many of these alleged vulnerabilities.” But here’s the big problem – while the latest version of Android OS might be secure – the version of Android actually installed on the vast majority of phones is not. Not by a long shot.

Based on our Freedome VPN telemetry, we can say that it takes a significant amount of time for Android updates to arrive on customers’ devices.

Mobile OS take up rate - Android

Here’s a breakdown by a selected set of countries.

Mobile OS take up rate - Freedome on Android

The Nordics have a relatively high percentage of Android versions 6 and 7. But the majority of the world? Versions 4 and 5 still dominate.

Bottom line: if you run Android and care at all about your device’s security… choose your hardware with care. Only a few select vendors are currently focused on providing Google’s monthly security updates to end users.

The graphs in this post were originally published in our State of Cyber Security 2017 report.

A stand-alone version is also available: Mobile OS Take Up Rate.

Taking Poika Out On The Town: 2017

AV-Test has awarded F-Secure Client Security with Best Protection 2016! And as tradition dictates, we took it on a tour of Helsinki.


The traditional “poika at the cathedral” shot.


Poika in the woods.


Poika by the lake.


Poika in our newly renovated lobby.


Poika with cake.


All the pojat.

As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once again, been bestowed this award, and thank everyone involved in making this happen!

Reflash Flash Research Framework

Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files. The SQL database can later be analyzed with various tools.

Jarkko presented the tool at AVAR 2016 and some people have asked about its availability. So… here it is, released as open source under a GPL-v3 license.

In the Reflash repository, there is also a technical research paper for those interested in the internals of the tool.


And Jarkko’s presentation, available here, is helpful for those wanting to set up the tool.


Jarkko presenting at AVAR 2016.

Share and enjoy.

Bitcoin Friction Is Ransomware’s Only Constraint

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (,, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to decrypt individual files (up to 25Mb in size) rather than all of them.

Also part of the portal… a group chat function for support requests. Multiple conversations all strung together, making for a fascinating read overall.

Public Communication

Among recent conversations is a link to a forum page on the site Bleeping Computer where the “Spora Administrator” wanted reviews left, as evidence that paying the extortion results in unencrypted files.

The bulk of clicks, according to statistics, occur on a Tuesday. FYI: running a cyber extortion scheme is a regularly scheduled job and spam runs go out on Tuesdays.

A great deal of the chat support issues revolve around one thing… Bitcoin.

7: I dont have a bitcoin account yet and cant make it within 3 days, as you know.

Support: We removed all deadlines for you.

Apparently “7” thinks it’s not so easy to set up a Bitcoin account “as you know”.

And here’s another practicality: many people exist in the cash economy.

A: Admin, I dont know what checked the course means. It is hard to purchase bitcoins in the US I drove over 200 miles to purchase 500 worth, they took 10% you take 11% I had USD70 in a different wallet you took 11%, you have USD466 and I have no way to purchase more until tomorrow and will once again have to drive 200 mile to get them and get home. Please consider.

Support: No problem

Many people don’t have the needed resources to buy Bitcoins online. Credit is required, and there are plenty of people with insufficient credit. For them, a physical Bitcoin ATM or “brick-and-mortar” retailer is required.

We should be thankful that there are at least some limits on purchasing Bitcoin. If it were any easier to do so, very little else would check the growth of crypto-ransomware’s business model. The malware technology to encrypt data has been possible for many, many years; the bigger challenge has always been getting paid.

In the past, cyber crime schemes (such as scareware) have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin.

This article was originally published in our State of Cyber Security 2017 report.

Now available! A new supplemental appendix which includes 34 pages (more than 20,000 words) of Spora “tech support” chats.

F-Secure Does Cyber Security

For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security.

The new title reflects a change in the type of content you can expect to read in the report. Although we still have portions devoted to this year’s malware landscape, the report is largely focused on cyber security at large and stories from the field.

In my previous post, I mentioned we’d be making a lot more noise about the work of our Cyber Security Services division. This report is one of the steps we’ve made in that direction. And another nice change you’ll notice is that this year’s report includes several contributed articles from some of our friends and partners.

This report took a lot of hard work to put together, but my colleagues and I had fun creating it. We hope you have just as much fun reading it!

Finally… here’s a link to the report.

“F-Secure does red teaming?”

On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet:

the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with critical IT infrastructure.

Last week, we released a new brand video. See below.

In response to the video, we started to see some interesting (and in some cases flattering) comments on Twitter.

(See the thread here.)

Yes, F-Secure really has been doing red teaming since June 2015 (and nSense well before that). And incident response, digital forensics, risk assessments, penetration testing, fuzz testing, vulnerability assessments, software security consulting, and a whole bunch of other things are now things that F-Secure does. We possibly didn’t make enough noise about that fact. Expect that to change this year!

Noun: Confirmation Bias

Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.”

Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias.

Last Friday, Journal News reported that a man from Middletown, Ohio was charged with the crime of arson, in part due to data from his artificial heart implant.

Data from man’s pacemaker led to arson charges

Artificial heart implant? Get the data!

But… only asking one professional to analyze the data?

That runs a high risk of confirmation bias.

Arson investigations unfortunately utilize a lot of pseudoscience and assumptions.

There’s a case from Texas in which the prosecutor’s theory focused on a pentagram.

Death By Fire

It was just an Iron Maiden poster.

Evidence of nothing.

Perhaps the heart implant / pacemaker data actually supports law enforcement’s theory. But perhaps not. Time will tell.

What do we know now?

I know that I can predict this story will stoke fears of our data being used against us. In an age in which multitudes of people are wearing fitness trackers and smart watches tracking their heart rates, how can it not?

But it’s not data we should fear, it’s the humans “interpreting” it.

Noun: Sockpuppet

An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.” Sockpuppets are nothing particularly new… they go back as far as USENET. But it feels that recently, sockpuppetry has reached new heights. Twitter is an easy place to […]


F-Secure Vulnerability Reward Program Update

A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus. Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve […]


What’s The Deal With Digital Forensics, Incident Response, And Attribution?

After several high-profile cyber attacks made big news headlines this year, it’s become evident to me, through online commentary, that there’s some confusion in the public space about how incident response services are utilized, how attribution is performed, and how law enforcement’s role fits into cyber crime investigations. I’m hoping this article helps to clear […]


On Botting, Cheating, And DDoSers

On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been […]


A Joint Centre To Combat Hybrid Warfare Threats

Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare according to recent reports. Disinformation and fake news is considered “hybrid warfare” in this context. The proposed annual budget is reportedly estimated at two million euros. I think… they’re gonna need a bigger boat. Fighting against hybrid warfare disinformation will […]


Yahoo! Voice Call 2FA Fail

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the […]


What’s The Deal With “Next Gen”?

We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about.

Coopetition in the AV industry

But before getting into what “Next […]


A RAT For The US Presidential Elections

A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message […]


How To Vet URL Shorteners #2016CampaignEdition

John Podesta, the Chairman of Hillary Clinton’s 2016 presidential campaign, allowed his Gmail account to be compromised in March 2016. And as a consequence, his correspondence has been in the news throughout the month of October. Recently, the March 2016 phishing message itself was published. Do you notice anything odd about the message? The very […]


CSS Disclosure: tar Extract Pathname Bypass

T2’16 Infosec Conference kicked off this morning in Helsinki. And to celebrate this, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish. See below for more info. tar Extract Pathname Bypass Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321)