Cyber Security Sauna

Democracy in the digital age is a wonderful yet wild beast. When it comes to electing our leaders nowadays, we're faced with questions about how to escape the influence of malicious actors. With the US midterm elections just around the corner, F-Secure security adviser Sean Sullivan joins us this episode to explain the complexities of the US election system to a European. Sean covers campaign misinformation, why security is not as simple as going back to all paper ballots, and how the hacker mindset can help. Links: Episode 15 transcript (including campaign videos) Vox: The Brexit ballot is amazingly simple New York Times: See which Facebook ads Russians targeted to people like you Sample US election ballots 2018

Should your laptop ever get stolen and fall into the wrong hands, you would probably be comfortable in the knowledge that the data on it is protected by full disk encryption. But what if a malicious adversary could get around that encryption and access the data anyway? F-Secure's Olle Segerdahl and Pasi Saarinen have discovered a flaw that allows attackers to do just that, and it affects almost all modern corporate laptops - probably yours too. Olle and Pasi join us today to talk about bypassing the mitigations vendors have put in place against cold boot attacks, and what companies can do to mitigate the risk. Links: Episode 14 transcript The Chilling Reality of Cold Boot Attacks

Passwords. You plug them into your accounts and the services you use at work, you try little tricks to make them more unique, but have you ever wondered what a hacker thinks of your passwords? For episode 13, ethical hacker Jan Wikholm joins us to talk about passwords – how he cracks them in his job at F-Secure, the tricks hackers know you're using, and what you should do to keep your credentials safe. Jan also fills us in on hashing, how he does brute forcing, how companies should protect their users' passwords, and how to create a secure password you can actually still remember. Links: Episode 13 transcript

How can companies know if their security investments are actually working? Getting attacked is the ultimate test, but hiring a red team is a less disruptive way to find out. These guys rely on technical chops, acting skills and pure creativity to engage in an all-out attack on a company’s defenses. Joining us this episode is Tom Van de Wiele, Principal Security Consultant at F-Secure, to talk about how red teaming can help companies improve their security posture, his tricks for hustling his way into a company, and why the coffee machine is a red teamer's best friend while on a job (but not for the caffeine). Be warned: You’ll never look at strangers around your office the same way again. Links: Episode 12 transcript Video - The Value of Red Teaming, with Tom Van de Wiele

Disinformation. Fake news. Social media manipulation. Lately another dark side of the internet has come into focus - its use as a tool for deception. Technologies like machine learning and artificial intelligence are being employed to play hoaxes and mislead on purpose. Seeing is no longer believing - and moving forward, it's only going to get harder to distinguish facts from falsehoods.  Andy Patel from F-Secure's Artificial Intelligence Center of Excellence has been studying this phenomenon. He joins Janne in this episode to share what he's learned about Twitter bots, deepfakes, voice cloning and the tools that make it all possible. Do concerns about these technologies outweigh the benefits, and how will they affect society? Links: Episode 11 transcript Andy's Twitter research

Over the past few years, ransomware stole headlines as the biggest malware threat to worry about. Consumers and businesses alike were being hit and forced to shell out money to retrieve their files. But the cybers never stand still, and neither does malware. Nowadays ransomware is being eclipsed by new trends. F-Secure Labs researchers Paivi Tynninen and Jarkko Turkulainen join us to explain why ransomware is on the decline, and what’s taking its place. Listen for the story on cryptojacking and the current world of cybercrime. Links: Episode 10 transcript 2016 study: Evaluating the Customer Journey of Crypto-Ransomware

The summer holiday season is upon us, and people are looking forward to trading their daily workplace grind for a new adventure. Traveling is always exciting, but it takes you out of your comfort zone, and that gives thieves and criminals opportunities to exploit you. F-Secure principal security consultant Tom Van de Wiele is back to tell us how we can keep our devices and data safe while enjoying a fabulous vacation. Are the kids safe from strangers when playing Minecraft on the hotel WiFi? Is it OK to use Bluetooth in your rental car? What are the most common vacation scams to watch out for? Don't miss this episode, complete with Tom's checklist for what to pack. Links: Episode 9 transcript How You Can Travel Like an Ethical Hacker: Do's and Don'ts

After months and months of anticipation, the May 25 deadline has passed and the GDPR is finally in effect. Companies around the world are being held to strict new standards for protecting the data of EU citizens. So what now? How well-prepared are most companies, and what about organizations who still aren't compliant? We're joined by F-Secure's Erik Andersen, who's spent the past few years helping organizations prepare for GDPR, and Hannes Saarinen, Privacy Officer at F-Secure, to get the rundown on GDPR myths and misconceptions, what to expect going forward, and the big idea some companies who object to GDPR are missing. Links: Episode 8 transcript The Big Idea Behind GDPR GDPR - F-Secure Learnings and Best Practices, with Hannes Saarinen

When people look for logos or symbols that emanate security, they often choose a lock. Sure, we know locks can be picked. But what would the world look like if attackers could just walk in without breaking their stride? After years of research, two F-Secure researchers have discovered that by exploiting design flaws in an electronic hotel lock system used in tens of thousands of hotels worldwide, they could create a master key to open any room in the building. In this episode, F-Secure’s Tomi Tuominen and Timo Hirvonen share their story, plus they get real with the unvarnished truth about hacking. The road wasn't easy, but these guys proved that after countless dead ends you can still come out on top.  Links:  Episode 7 blog post and transcript Hotel lock hack webpage & FAQ Hotel lock hack presentation at Infiltrate 2018  

Operational security is about turning the tables, looking at things from an attacker's point of view, and identifying how your own actions are making you vulnerable. Listen as Erka Koivunen, CISO of F-Secure, gets us up to speed on opsec: selecting your appropriate threat model, why you should never trust the office network, and tips for "spring cleaning" your opsec (potato chips and nail polish are recommended tools). And don't miss his favorite story of an epic corporate opsec fail. Links: Episode 6 blog post & transcript If you travel with your laptop, you probably should travel with nail polish Common Sense security tips from Erka  

With the disclosure of Meltdown and Spectre early this year, hardware security has come into focus. What are the special challenges of securing hardware versus software? What about securing high-risk industries like aviation and automotive? In this fascinating episode, Andrea Barisani, head of hardware security at F-Secure, shares why we should be thankful for Meltdown, why security problems do not equal safety problems, the one piece of advice he would give hardware manufacturers, and much more. Links: Episode 5 blog post

The Internet of Things promises futuristic smart homes, energy savings and efficiencies, and improvements to health and well-being. But the IoT still has a long way to go before we can safely enjoy these benefits - currently, it threatens our security and privacy. Steve Lord, a 20-year industry veteran and director at Mandalorian, joins the show to talk about the IoT, from smart cars and TVs to Amazon Alexa and Apple Health. You'll learn why companies love your data, the biggest misconception about the IoT, and the one thing you can do to stay secure if you own a smart device. Links: Episode 4 blog post You Actually Own Your Device, and Other Myths About the IoT F-Secure Report: Pinning Down the IoT Corey Doctorow, The Coming War on General Computation  

Data breaches. They're every organization's worst fear. Why are companies so ill-prepared, and what are companies missing in their approach to data breaches? Host Janne Kauhanen is joined by Marko Buuri, Principal Risk Management Consultant at F-Secure, and Tuomo Makkonen, Principal Security Consultant, to give you the lowdown on breaches and what you need to know. Links: Episode 3 blog post

Between zero day news flashes and stunt hacking reports, there are a lot of false conceptions about what it's like to be an infosec professional. So what should you focus on to get into the world of infosec testing or to become a security consultant? What background do you need? How valuable are conferences and certifications? These are just a few of the questions our guest Tom Van de Wiele answers to help you on your way in this rewarding field. Tom is a principal security consultant at F-Secure with 15 years of infosec experience. He specializes in red team operations and targeted penetration testing for the financial, gaming and service industries. When not breaking into banks, Tom acts as an advisor on topics such as critical infrastructure and IoT as well as incident response and cyber crime. Links:  Episode 2 blog post Tom's Top 21 Tips for Becoming an Ethical Hacker

The recent allegations against Russian antivirus vendor Kaspersky have prompted wider questions about antivirus in general - how it operates and what sort of data it collects from customer machines. In the first episode of Cyber Security Sauna, F-Secure's chief research officer Mikko Hypponen joins host Janne Kauhanen to answer these questions. You'll also hear his thoughts on Kaspersky and why it's important to trust your vendor. Links: Episode 1 blog post Episode 1 transcript FAQ: Everything You Wanted to Know About AV Data Transmission But Were Afraid to Ask F-Secure Data Transfer Declaration