smart lock, securing smart homes, security issues internet of things

6 reasons the Internet of Things is difficult to secure

It's a new world when we have to worry about our sprinklers getting hacked. While it's still easier to hack a smartphone or throw a brick through a window to get into our homes, the trend of connecting and automating almost everything presents a bevy of security concerns that many of us are just beginning to consider. In a recent post for our brand new Internet of Things blog, our Mika Stahlberg succinctly laid out the unique challenges for keeping our "things" safe: 1) Most of the devices are cheap and lack a screen and keyboard. 2) Ease-of-use, especially during setting up, is critical for these kinds of products. 3) Devices use wireless protocols to connect to the home, so that there is no need to install wires into the walls. Hence, they and their signals are likely also reachable from outside the walls of the house. 4) Some of these devices, like garden sprinklers or porch lamps, are located outside and hence can be accessed physically without breaking into your house. 5) There are many manufacturers and many ways to buy the device: Devices don’t come pre-installed with any secret code or certificate specifically for your home. 6) Many smart home devices use mesh networking where radios are low power and each device also acts as a relay station and thus devices need some way of communicating with all other devices in the network. If you want to know how you can get ahead of the curve, here are three keys make your smart home safer now. Cheers, Jason [Image by Maurizio Pesce | Flickr]

August 24, 2015
BY 
5825408292_11759e3304_o

Only 10% protected – Interesting study on travelers’ security habits

Kaisu who is working for us is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT-services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them. The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper. What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life. I remember when I was a kid long, long ago. This was even before invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore. Our social life is today to an increasing extent handled through electronic services. And those services goes with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind. Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services is a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware. That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%.   Safe surfing, Micke   PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad.   Image by Moyan Brenn  

August 24, 2015
BY 
suicide

Forget the personality tests – Ask Facebook instead (Poll)

It’s amazing how advertising can power huge companies. Google has over 57 000 employees and some 66 billion US dollars in revenue. And Facebook with 12 billion and 10 000 employees. These two giants are the best know providers of ad-financed services on the net. And modern advertising is targeted, which means that they must know what the users want to see. Which means that they must know you. Let’s take a closer look at Facebook. We have already written about their advertising preferences and I have been following my data for some time. Part of the data used to target ads is input by yourself, age, gender, hometown, movies you seen etc. But Facebook also analyzes what you do, both in Facebook and on other sites, to find out what you like. It’s obvious how the tracking works inside Facebook itself. Their servers just simply record what links you click. Tracking in the rest of the net is more sinister, it’s described in this earlier post. Your activity record is analyzed and you are assigned to classes of interest, called “Your Ad Preferences” by Facebook. Advertisers can then select classes they want to target, and the ad may be shown to you based on these classes. You can view and manage the list using a page that is fairly well hidden deep in Facebook’s menus. Let’s check your preferences in moment, but first some thoughts about this. Advertising may be annoying, but it is the engine that drives so many “free” services nowadays. So I’m not going to blame Facebook for being ad-financed. I’m not going to blame them for doing targeted ads either. That can in theory be a good thing, you see more relevant ads that potentially can be of value to you. But any targeted ad scheme must be based on data collection, and this is the tricky part. Can we trust Facebook et al. to handle these quite extensive personal profiles and not misuse them for other purposes? It’s also nice that Facebook is somewhat open about this and let you view “Your Ad Preferences” (Note. Not available in all countries.). But that name is really misleading. The name should be “Facebook’s Ad Preferences for You”. Yes, you can view and delete classes, but that gives you a false sense of control. Facebook keeps analyzing what you do and deleted classes will reappear shortly. I made a full clean-up a couple of months ago, but now I have no less than 210 classes of interest again! This is really amazing if you take into account that I block tracking outside of Facebook, so those activities are not contributing. And I have a principle of not clicking ads in any on-line media, including Facebook. And liking commercial pages in a very restrictive manner. But the thing is that Facebook has realized that people dislike ads. “Suggested posts” or “Sponsored posts” are in fact masqueraded ads and any interaction with them will record your interest in the classes they represent. I have to admit that I do click this kind of content regularly. And where did that suicide thing come from? No, I’m fine. I’m not going to jump off a bridge and I’m not worried about any of my dearests’ mental health. I have not interacted with any kind of Facebook content related to suicide. Except that I can’t know that for sure. Facebook tries to give an open and honest image of itself when presenting its Ad Preferences settings and the possibilities to manage them. But this rosy picture is not the full truth. The inner workings of Facebook advertising is in reality a very complex secret system. When you interact with something on Facebook, you have no way of knowing how it affects your profile. Something I have clicked was apparently associated with suicides even if I had no clue about it. Ok, time to take the Facebook personality test. Let’s see what kind of person they think you are. Follow these instructions: Go to Facebook and locate an ad, a “sponsored post” or a “suggested post”. These items should have a cross or a down-arrow in the upper right corner. Click it. Select “Why am I seeing this?” from the pop-up menu. This screen contains some interesting info but proceed to “Manage your ad preferences”. Review the list and come back here to tell us what you think of it. Delete the inappropriate classes. Deleting all may reduce the number of ads you see.   So let’s see what people think about this test’s accuracy:   [polldaddy poll=9023953]   So using Facebook’s Ad Preferences as a personality test may be entertaining, but not very accurate after all. You should probably look elsewhere for a real test. The catch is that you can select what test to take, but not how others collect data about you. Someone else may rely on this test when evaluating you. You have actually granted Facebook the right to share this data with basically anyone. Remember this clause in the agreement that you read and approved before signing up? “We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys.” You did read it before signing, didn’t you?   Safe surfing, Micke   Image: Screenshot from facebook.com  

August 13, 2015
BY 

Latest Posts

smart lock, securing smart homes, security issues internet of things

It's a new world when we have to worry about our sprinklers getting hacked. While it's still easier to hack a smartphone or throw a brick through a window to get into our homes, the trend of connecting and automating almost everything presents a bevy of security concerns that many of us are just beginning to consider. In a recent post for our brand new Internet of Things blog, our Mika Stahlberg succinctly laid out the unique challenges for keeping our "things" safe: 1) Most of the devices are cheap and lack a screen and keyboard. 2) Ease-of-use, especially during setting up, is critical for these kinds of products. 3) Devices use wireless protocols to connect to the home, so that there is no need to install wires into the walls. Hence, they and their signals are likely also reachable from outside the walls of the house. 4) Some of these devices, like garden sprinklers or porch lamps, are located outside and hence can be accessed physically without breaking into your house. 5) There are many manufacturers and many ways to buy the device: Devices don’t come pre-installed with any secret code or certificate specifically for your home. 6) Many smart home devices use mesh networking where radios are low power and each device also acts as a relay station and thus devices need some way of communicating with all other devices in the network. If you want to know how you can get ahead of the curve, here are three keys make your smart home safer now. Cheers, Jason [Image by Maurizio Pesce | Flickr]

August 24, 2015
5825408292_11759e3304_o

Kaisu who is working for us is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT-services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them. The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper. What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life. I remember when I was a kid long, long ago. This was even before invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore. Our social life is today to an increasing extent handled through electronic services. And those services goes with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind. Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services is a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware. That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%.   Safe surfing, Micke   PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad.   Image by Moyan Brenn  

August 24, 2015
Hackers Love Multitaskers

This is the sixth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Chris, a very ordinary businessman, was on a very ordinary business trip when he received an urgent call from one of his business partners asking him to make a money transfer. Chris was waiting for a train at a station, but he was happy to have the opportunity to help out his colleague, so he quickly pulled his laptop out of his bag to make the transfer. The account for his company-owned mobile phone was maxed out, so he wanted to take advantage of the train station’s Wi-Fi while he had a chance. He booted up his laptop and started looking for a free connection. Fortunately, “Railway_Station_Name” was open to the public – no username, password, or registration required. “Phew! Caught a lucky break there,” thought Chris. Fueled by motivation to get the job done, Chris went ahead and connected to the seemingly trustworthy network. He noticed it was a little bit slow, and not wanting to risk missing his train, he closed all the background apps and processes, including his anti-virus software. He really wanted to use the opportunity to show his initiative to his team, and he didn’t want to risk missing his meeting or not finishing the transfer because his computer was slow. He figured that as long as he avoids opening emails or browsing the web, he wouldn’t have any problems. And just like he thought, it was all over in a couple of minutes. He completed the money transfer without any issues. He shut down his laptop and hurried off to catch his train, confident that he had done the right thing by taking a few minutes to help his business partner. “A job well done,” Chris thought to himself. Chris arrived back at his hotel later that evening and booted up his laptop again to send some emails and wrap up his day. But his computer wasn’t working properly. It was slow. Error messages were spreading over his desktop like flies on spoiled fruit. He tried running an anti-virus check, but even that wouldn’t work. He decided to take it into a computer store he had passed earlier to see if they could take a look at it for him. He only had to wait at the shop for a few minutes while the store’s staff checked his laptop. “The problem is your computer’s infected by a virus – several in fact,” said the clerk. “One of the viruses disabled your AV software, and you’ve also got a ton of spyware. We’ve cleaned it up for you so you should be good to go now, but try to be more careful in the future.” The satisfaction Chris had felt earlier was suddenly gone. Now he was plagued with doubt about whether or not his information was secure, and even worse, he was concerned that perhaps the bank account he had used earlier had been compromised. He’d heard of such things happening to other people working for other companies. He thought that maybe these other people had just been suckers, scammed by some spam emails or clicking random links they found online. But now he wasn’t so sure, so he decided to change all of the passwords for his online accounts. Chris retired to his hotel, feeling stressed, and with a lighter wallet from paying the guys at the computer shop for helping him out. He told himself that he would think twice before disabling his AV software in the future. But Chris’ doubts about what he’d done, and what kind of threats he had been exposed to, continued to linger. Chris didn’t realize that he’d fallen into a trap, and connected to a rogue Wi-Fi hotspot that a hacker had prepared at the train station. These kinds of opportunistic attacks are quite common because they capitalize on people taking Wi-Fi security for granted, and are quite easy and cheap for hackers to put together. As this video shows, it’s a small feat to trick people into connecting to public Wi-Fi hotspots that hackers can use to steal account credentials and intercept communications. [youtube https://www.youtube.com/watch?v=qk2RPOBpZvc&w=560&h=315] F-Secure Security Advisor Su Gim Goh recently conducted an experiment in Hong Kong to see how many people connect to Wi-Fi hotspots without verifying that the connections are safe. He put together a Wi-Fi hotspot for less than 200 U.S. dollars, and took it to different cafes and restaurants in Hong Kong. Goh was able to determine that 55% of people automatically connected to his hotspot, which was set up to spoof legitimate connections that people want to use. “Spoofing” legitimate Wi-Fi hotspots means that the bad Wi-Fi hotspots are able to trick devices into thinking they’re legitimate hotspots that have been used before, so anyone that’s used the legitimate (“spoofed”) Wi-Fi hotspot in the past, and has their device recognize it as a preferred or safe network, will be automatically connected to the “spoofing” hotspot. Goh and many other security researchers warn people against taking Wi-Fi security for granted. “Auto-connecting is typically bad for security, so you should disable that option on your phone, or even just keep your Wi-Fi off when you’re not using it. It’s really not that hard to toggle it on/off, and it’s better than learning the hard way.”

August 20, 2015
suicide

It’s amazing how advertising can power huge companies. Google has over 57 000 employees and some 66 billion US dollars in revenue. And Facebook with 12 billion and 10 000 employees. These two giants are the best know providers of ad-financed services on the net. And modern advertising is targeted, which means that they must know what the users want to see. Which means that they must know you. Let’s take a closer look at Facebook. We have already written about their advertising preferences and I have been following my data for some time. Part of the data used to target ads is input by yourself, age, gender, hometown, movies you seen etc. But Facebook also analyzes what you do, both in Facebook and on other sites, to find out what you like. It’s obvious how the tracking works inside Facebook itself. Their servers just simply record what links you click. Tracking in the rest of the net is more sinister, it’s described in this earlier post. Your activity record is analyzed and you are assigned to classes of interest, called “Your Ad Preferences” by Facebook. Advertisers can then select classes they want to target, and the ad may be shown to you based on these classes. You can view and manage the list using a page that is fairly well hidden deep in Facebook’s menus. Let’s check your preferences in moment, but first some thoughts about this. Advertising may be annoying, but it is the engine that drives so many “free” services nowadays. So I’m not going to blame Facebook for being ad-financed. I’m not going to blame them for doing targeted ads either. That can in theory be a good thing, you see more relevant ads that potentially can be of value to you. But any targeted ad scheme must be based on data collection, and this is the tricky part. Can we trust Facebook et al. to handle these quite extensive personal profiles and not misuse them for other purposes? It’s also nice that Facebook is somewhat open about this and let you view “Your Ad Preferences” (Note. Not available in all countries.). But that name is really misleading. The name should be “Facebook’s Ad Preferences for You”. Yes, you can view and delete classes, but that gives you a false sense of control. Facebook keeps analyzing what you do and deleted classes will reappear shortly. I made a full clean-up a couple of months ago, but now I have no less than 210 classes of interest again! This is really amazing if you take into account that I block tracking outside of Facebook, so those activities are not contributing. And I have a principle of not clicking ads in any on-line media, including Facebook. And liking commercial pages in a very restrictive manner. But the thing is that Facebook has realized that people dislike ads. “Suggested posts” or “Sponsored posts” are in fact masqueraded ads and any interaction with them will record your interest in the classes they represent. I have to admit that I do click this kind of content regularly. And where did that suicide thing come from? No, I’m fine. I’m not going to jump off a bridge and I’m not worried about any of my dearests’ mental health. I have not interacted with any kind of Facebook content related to suicide. Except that I can’t know that for sure. Facebook tries to give an open and honest image of itself when presenting its Ad Preferences settings and the possibilities to manage them. But this rosy picture is not the full truth. The inner workings of Facebook advertising is in reality a very complex secret system. When you interact with something on Facebook, you have no way of knowing how it affects your profile. Something I have clicked was apparently associated with suicides even if I had no clue about it. Ok, time to take the Facebook personality test. Let’s see what kind of person they think you are. Follow these instructions: Go to Facebook and locate an ad, a “sponsored post” or a “suggested post”. These items should have a cross or a down-arrow in the upper right corner. Click it. Select “Why am I seeing this?” from the pop-up menu. This screen contains some interesting info but proceed to “Manage your ad preferences”. Review the list and come back here to tell us what you think of it. Delete the inappropriate classes. Deleting all may reduce the number of ads you see.   So let’s see what people think about this test’s accuracy:   [polldaddy poll=9023953]   So using Facebook’s Ad Preferences as a personality test may be entertaining, but not very accurate after all. You should probably look elsewhere for a real test. The catch is that you can select what test to take, but not how others collect data about you. Someone else may rely on this test when evaluating you. You have actually granted Facebook the right to share this data with basically anyone. Remember this clause in the agreement that you read and approved before signing up? “We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys.” You did read it before signing, didn’t you?   Safe surfing, Micke   Image: Screenshot from facebook.com  

August 13, 2015
SMS premium text message, comic, angry boss

This is the fifth in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Kamil left a business meeting and immediately took out his phone to call a client. During the conversation the device buzzed with an incoming text message. After Kamil unlocked the screen, a text popped up: “Thank you for activating the WEATHER TODAY service. You will be receiving a text message with the forecast three times a day. The daily cost of the service is one Euro. If you want to cancel your subscription, please text us ‘STOP.A133’ at 92590.” Nothing of this made any sense to Kamil. He had never activated any service on that phone. It was a company phone, he used only to contact clients. In any case, he didn’t need any weather forecasts. In order to save his company money, he quickly followed instructions from the text and cancelled the service. “Done!”, he thought and went back to his car to return to the head office of his firm, a consulting company. But this was only the beginning of his troubles... “Came to my office immediately”, read the email Kamil got from his boss Jacek two weeks later. “This must be about the contract with the bank that I finally closed,” thought Kamil and rushed upstairs to see his supervisor. “Are you out of your mind?! There an extra 500 Euro on top of your phone subscription fees because you’ve activated some extra services! You have everything you need to work, unlimited calls, online access. But I will not burn the firm’s money for some stupid extras!”, Jacek fumed. “Boss, I got a strange text about some weather forecast service, but I immediately blocked the subscription, I didn’t know there was any problem”, explained Kamil, surprised. He agreed to pay the fees out of his own pocket and immediately explain the whole situation. Jacek seemed to cool down a little, but promised that he would place a note on Kamil’s file if the issue wasn’t solved by the end of the month. “This time, I’m gonna keep it off-record, but I’m watching you”, the manager warned Kamil. Startled and confused, Kamil decided to do some online research about WEATHER TODAY. As he saw the first browser hits, he already knew he found what he was looking for. An article on a professional computer security portal reported that the activation message was a ruse used to wrangle money out of unaware recipients of the text message. It was precisely the STOP.A133 message that cost Kamil 500 Euro. He followed the article author’s advice and decided to install mobile security software that protects against spam. Having compared available options, he chose the best app from a reputable developer and never risked his job over an SMS message again. Is there anything you can do to protect yourself besides installing mobile security and not responding to unsolicited texts from unknown senders? "Some mobile operators will let you opt out of or disable billing through SMS messages," F-Secure Security Sean Sullivan explained. "It is very surprising to me that many businesses don’t demand bulk disabling by default for their employer provided plans." To get an inside look at business security, be sure to follow our Business Insider blog.

August 12, 2015
Password Manager

Passwords are the keys to online accounts. A good password known only to account owners can ensure email, social media accounts, bank accounts, etc. stay accessible only to the person (or people) that need them. But a bad password will do little to prevent people from getting access to those accounts, and can expose you to serious security risks (such as identity theft). And sadly, many people continue to recycle easy to guess/crack passwords. A recent study conducted by researchers from Google attempted to nail down the most common pieces of advice and practices recommended by security researchers, and unsurprisingly, several of them had to do with passwords. And there were several gaps between what security experts recommend people do when creating passwords, and what actually happens. Here’s 3 expert tips to help you use passwords to keep your accounts safe and secure. Unique Passwords are Better than Strong Passwords One thing experts recommend doing is to choose a strong and unique password – advice many people hear but few actually follow. Chances are, if your password is on this computer science professor’s dress, it’s not keeping your accounts particularly secure. Many major online service providers automatically force you to choose a password that follows certain guidelines (such as length and character combinations), and even provide you feedback on the password’s strength. But security researchers such as F-Secure Security Advisor Sean Sullivan say that, while strong passwords are important, the value of choosing unique passwords is an equally important part of securing your account. Basically, using unique passwords means you shouldn’t recycle the same password for use with several different accounts, or even slight variations of the same word or phrase. Google likens that to having one key for all the doors in your house, as well as your car and office. Each service should get its own password. That way, one compromised account won’t give someone else the keys to everything you do online. A strong password will be long, use combinations of upper-case and lower-case letters, numbers, and symbols. The password should also be a term or phrase that is personal to you – and not a phrase or slogan familiar to the general public, or something people that know you could easily guess. But there are still many ways to compromise these passwords, as proven by The Great Politician Hack. So using unique passwords prevents criminals, spies, etc. from using one compromised password to access several different services. Sullivan says choosing strong and unique passwords for critical accounts – such as online banking, work related email or social media accounts, or cloud storage services containing personal documents – is a vital part of having good account security. Experts Use Password Managers for a Reason One study showed that the average Internet user has 26 different online accounts. Assuming you’re choosing unique passwords, and you fit the bill of an “average Internet user”, you’ll find yourself with a large number of passwords. You’ve now made your account so safe and secure that you can’t even use it! That’s why experts recommend using a password manager. Password managers can help people maintain strong account security by letting them choose strong and unique passwords for each account, and store them securely so that they’re centralized and accessible. Keeping 26 or more online accounts secure with strong and unique passwords known only to you is what password managers do to keep your data safe, which is why 73% of experts that took part in Google’s study use them, compared to just 24% of non-experts. Take Advantage of Additional Security Features Another great way to secure accounts is to activate two-factor authentication whenever it’s made available. Two-factor (or multi-factor) authentication essentially uses two different methods to verify the identity of a particular account holder. An example of this would be protecting your account with a password, but also having your phone number registered as a back-up, so any kind of password reset done on the account makes use of your phone to verify you are who you say you are. While the availability of this option may be limited, security experts recommend taking advantage of it whenever you can. You can find a list of some popular services that use two-factor authentication here, as well as some other great tips for using passwords to keep your online accounts secure. [Photo by geralt | Pixabay]

August 10, 2015
StageFright, stage fright, StageFright Android exploit

The Android vulnerability known as StageFright has revealed the Android operating system's "heart of darkness." In theory, a simple MMS could take over your phone. The F-Secure Labs is actively monitoring for threats that target the exploit. The good news is that while the theoretical risk of attack is high and Android is consistently the target of nearly all mobile malware, we have not seen any active attacks that target it yet. But this is still a huge event that should trigger a major reconsideration of Android security in general. Our Micke explained: Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! The ability to keep software updated is the essential task that makes security possible. Android's adaptability has helped lead to its remarkable growth. But it's also led to remarkable fragmentation in the ecosystem. "Recent data from Google suggests there are 6 different versions of Android that are widely used, with KitKat (Android 4.4) being the most popular. But it’s used by less than 40% of devices," Adam wrote on the F-Secure Business Insider blog. "The remaining 60% or so are spread out among the other five versions of the OS, and each is customized differently and receives varying levels of support from operators and OEMs." Many users cannot update at all. "Apparently the best supported method of updating your Android phone is to buy a new Android phone," F-Secure Chief Research Officer Mikko Hypponen tweeted. Obviously that option isn't available to millions of Android users. "Fragmentation also has socioeconomic implications," the EFF's Cooper Quintin wrote. "Older and cheaper phones tend to run older versions of the Android operating system, and vendors often give up supporting them or updating the software running on them. On the other hand newer and more expensive phones tend to receive updates faster and more reliably (especially Google Nexus devices)." So what should you do until then -- besides update your OS if possible and run mobile security that targets threats that take advantage of exploits like StageFright? 1. Examine the app that handles your MMS messages. Check out your Android device's default messaging app or Google Hangouts.  Make sure to disable their automatic retrieve/fetching options. This will prevent automatic execution of potential exploits on any received messages. 2. Avoid viewing or opening any pictures or videos from untrusted sources. We'll keep you updated about this situation as it develops. Cheers, Sandra [Photo by Photo Cindy | Flickr]  

August 3, 2015
Windows 10, Windows privacy and security, Windows 10 new features

New versions of windows used to be like an international holiday. PC users around the world celebrated by sharing what they liked -- much of Windows 7 --- and hated -- all of Windows 8 and Vista -- about the latest version of the world's most popular operating system. In this way, Windows 10 is the end of an era. This is the "final version" of the OS. After you step up to this version, there will be continual updates but no new version to upgrade to. It's the birth of "Windows as a service," according to Verge. So if you're taking free upgrade to the new version, here are 5 things you need to know as you get used to the Windows that could be with you for the rest of your life. 1.Our Chief Research Office Mikko Hypponen noted Windows 10 still hides double extensions by default. “Consider a file named doubleclick.pdf.bat. If ‘hide extensions’ is enabled, then this will be shown in File Explorer as ‘doubleclick.pdf’. You, the user, might go ahead and double-click on it, because it’s just a PDF, right?” F-Secure Security Advisor Tom Gaffney told Infosecurity Magazine. “In truth, it’s a batch file, and whatever commands it contains will run when you double-click on it.” Keep this in mind when you do -- or DON'T -- click on unknown files. 2. You could end up sharing your Wi-Fi connection with all your contacts. There's some debate about whether or not Windows 10's Wi-Fi Sense shares your Wi-Fi connection with social media contacts by default, as Windows Phone has for a while now. ZDNet's Ed Bott says no, noting that "you have to very consciously enable sharing for a network. It's not something you'll do by accident." Security expert Brian Krebs is more skeptical, given how we're "conditioned to click 'yes' to these prompts." "In theory, someone who wanted access to your small biz network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network," The Register's Simon Rockman wrote. "Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this." Gaffney notes that Wi-Fi Sense is “open to accidental and deliberate misuse.” So what to do? Krebs recommends the following: Prior to upgrade to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”. [This is Windows opt-out for Wi-Fi Sense]. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing. 3. There are some privacy issues you should know about. Basically "whatever happens, Microsoft knows what you're doing," The Next Web's Mic Wright noted. Microsoft, according to its terms and conditions, can gather data “from you and your devices, including for example ‘app use data for apps that run on Windows’ and ‘data about the networks you connect to.'” And they can also disclose it to third parties as they feel like it. Here's a good look at the privacy and security settings you should check now. Want a deep dive into the privacy issues? Visit Extreme Tech. 4. The new Action Center could be useful but it could get annoying. This notification center makes Windows feel more like an iPhone -- because isn't the point of everything digital to eventually merge into the same thing? BGR's Zach Epstein wrote "one location for all of your notifications is a welcome change." But it can get overwhelming. "In Windows 10, you can adjust notifications settings by clicking the notifications icon in the system tray," he wrote. "The click All settings, followed by System and then Notifications & actions." 5. Yes, F-Secure SAFE, Internet Security and Anti-Virus are all Windows 10 ready. [Image by Brett Morrison | Flickr]

July 30, 2015