Beware of Banking Trojans

By Anna

Criminal gangs are after your money, and a few of them may be smart enough to get it.

Banking Trojans have been around since at least 2007 and they have become part of our everyday lives. In recent months, ZeuS Trojans have targeted Finnish banks, resulting in financial losses for hundreds of customers. The success of these trojans has been startling and similar attacks are occurring around the globe.

How does a ZeuS Trojan work?

First, a trojan has to find a computer that is not fully protected. Once it infects a PC, the malicious software sits waiting until it is activated when a customer establishes an online connection to his or her bank.

When this happened to customers in Finland, they saw a message that said, “We are sorry, there is an error and we are working to fix it.” At that point the attack is a success. Personal information provided by the customers can then be exploited and cash transfers can then begin. Often customers do not even realize that they’ve been attacked until long after the transfers are made.

F-Secure Labs’ Threat Research Team has been investigating banking trojan cases for more than half a decade. F-Secure’s Security Advisor Sean Sullivan says: “While Finnish banks have excellent safeguards and protections, we should remember that some of those protections are almost 20 years old. Cyber criminals have had plenty of time to work out new strategies.”

What can we do to protect ourselves?

Here’s Sean’s advice:

1) Don’t panic. It’s a real problem, but no more so than getting your pocket picked in the real world.

2) Keep your software up to date, and uninstall what you don’t use (e.g., Java). We recommend F-Secure’s Internet Security 2012, of course.

3) If you feel there’s something unusual about your online banking experience, call your bank and chat with their support. They are more than happy to help you!

Cheers,

Anna

CC image by: BFS Man

Ask questions, help with your answers… in German

By Anna

The F-Secure user community has existed since 2011, accessible via the F-Secure website and our English-language Facebook page. So far, several thousand users have posted more than 3,270 contributions there to help one another with questions and problems about PC security, Internet security, backup and so on.

We are proud of this community, but admittedly there has been one problem so far: all posts are in English. Our customer support is of course available in several languages via chat, e-mail or phone. But until now only our English-speaking customers have had the opportunity to help one another in the community.

That changes today, because our German-language forum is now online. Unfortunately we cannot yet make available there all the knowledge that has already accumulated in the English community. But that is where you come in!

We hope that you will sign up for the new forum and join in enthusiastically. Enrich the community with your knowledge about F-Secure or about computer and Internet security in general, and learn something there yourselves. We look forward to meeting you in our new German-language forum!

Here is the link to the German F-Secure forum:
http://community.f-secure.com/t5/Deutsch/ct-p/Deutsch?skin=de

CC image by:  jimwinstead

What Could a Hacker Do with Your Facebook Password?

By Jason

Last week, after a hacker posted thousands of what he said were Facebook login credentials, Facebook said that most of the logins were not valid. That’s not exactly reassuring.

That’s why we thought now would be a good time to discuss why password security is so important on a site like Facebook.

What does a hacker get if he gets your password?

He gets immediate access to your account and the opportunity to change your password to deny you access. That’s bad. What’s worse? He could then get access to any other sites where you use the same combination of login and password. If this includes your email, he could wreak major havoc.

How to protect yourself

  1. You should use a unique combination of login and password for ANY site that matters to you.
  2. Choose a strong password that can’t be guessed.
  3. Watch where you click on Facebook.
  4. Keep your system and security software patched and protected.
  5. Don’t click on links in your email.

What should you do if you think you’ve been hacked?

Change your password immediately. Then change the password of any account that uses that same password.

Cheers,

Jason

CC image by familymwr

Why You Should Get Rid of Java Now

By Jason

We want to pass on some advice that F-Secure Labs has been sharing for a while: “Do you need Java in your web browser? Seriously, do you? If not, get rid of it.”

Sean Sullivan, F-Secure’s Security Advisor, explains why:  “The problem isn’t a particular vulnerability; it’s that Java always has the latest, most popular vulnerability to exploit.”

The good news is most people do not even use Java anymore. (Some confuse it with JavaScript, which is still widely used.) The bad news is online criminals all over the globe are successfully infiltrating systems through a program that may not even be necessary.

So if you don’t need it, get rid of it. If you need it later, you can always install it later.

If you don’t want to remove it or need it to run a specific application, you need to make sure it is always updated.

Cheers,

Jason

Last minute shopping?

By Anna

The busier we get around the holidays, the more likely we are to make a mistake online.

We’ve put together a quick snapshot of this year’s online shopping environment in the US. It also includes some useful tips to protect yourself whenever you’re shopping over the Internet.

We hope you enjoy it and have a wonderful holiday and new year wherever you are.

Cheers,

Anna

How to really protect your privacy on Facebook

By Jason

It’s not just you. A lot of people are concerned about their privacy on Facebook. Some are worried about being tracked, even when they aren’t logged in. Some are worried about unintentionally sharing private information or opinions that can threaten their reputation or relationships. Others worry about exposing the private data on their machine through some tricky attack.

As Facebook’s new Timeline is being introduced, now is the perfect time to think about how you use Facebook. We have given you 3 things to do before you activate Facebook’s new Timeline. We hope you’ll take those steps to review what you have shared and will be sharing, and with whom. What more can you do?

You use smart passwords and have your PC patched and protected. You know, of course, the most important privacy feature on Facebook is the ‘Post’ button. If you make a point of NEVER sharing anything that you wouldn’t want your grandmother or your worst enemy to see publicly, you’re off to a good start.

But what extra step can you take to prevent invasive tracking and protect the private data on your computer?

Here’s what Sean from F-Secure Labs recommends: Do all of your social networking in one browser. Use one browser exclusively for “public” behavior. Then use a separate browser for all of your private banking, shopping and viewing. This strategy helps you avoid worries about tracking and information bleeding between your private and public lives.

Want to be even safer? Use a dedicated machine for your social activity. This is an extremely wise strategy if you use your PC to manage your finances and/or business.

An added advantage to using a ‘public’ browser or PC for your social networking is that you’ll constantly remind yourself that what you share online stays online.

So we want to know. What do you think of Facebook’s new Timeline?

Cheers,

Jason

Is your smartphone smarter than you are?

By Anna

In a recent study, 82% of people said the content on their phone is more valuable than the actual device*. Why is that? Well, imagine this scenario.

You are usually very careful with your phone. But somehow when you had lunch at a nearby café with a colleague, you set it on the table. After you pay the check, you take off but you don’t take the phone. In less than 10 minutes, you’re back in the same spot but the phone is gone. No one has seen it. Where in the world can it be?

Suddenly you think about what’s on that little phone. Contact details of 80 people, both personal and business contacts—names, phone numbers, possibly e-mail addresses. You only use about 20 of those on a regular basis. But you were just about to send out invites to your holiday party.

What about the photos? Photos from your trip to Spain—irreplaceable images of family and friends. And a few clips from your trip to Glastonbury Festival. And then there is all the music you listen to every day, on your way to work.

You also have a personal calendar, with your appointments with the dentist and loved ones’ birthdays. Don’t forget about the dozens of different applications, social media, news services, weather reports, cookbooks and games like Angry Birds. You even do your mobile banking on that phone, which reminds you of how much you spent buying that stupid phone.

Using our Mobile Security, you can lock your phone with one SMS message. Now whoever picked up your phone can’t access any of your content. Want to know where your phone is? It’s simple: after you send that SMS message, you can see the location on a map. Wait. It’s in your office? Your co-worker accidentally took your smartphone from the table. A happy ending.

Our Mobile Security also offers other valuable features. Protect your content from viruses and malware. You can use safe browsing to avoid scams and parental control to protect your children from unsuitable web content. You can also locate your children or block telemarketers.

The time invested and memories stored in our phones can’t be estimated or priced. Mobile security is about more than protecting yourself from the digital threats that stalk our PCs. It’s about giving you control over your digital life. You can try it for free.

We hope you and your phone have a wonderful holiday, wherever you are.

Cheers,

Anna

*According to a VTT Technical Research Centre of Finland survey commissioned by F-Secure.  Survey “Customer Value Analysis” was conducted during May-June 2011, in Brazil, Finland, France, Germany, Italy and Sweden. In each country there were 500 respondents, total of 3000 respondents aged 18-65.

CC image by Tanjila

How secure are your files?

By Anna

We all value our precious files. Well, maybe not the files exactly, but what they contain: images of our family and friends and our important documents. According to a survey completed by F-Secure**, 93% of respondents agreed that preventing the loss of personal content is very important. Still we tend to think that only other people will ever have to deal with losing files.

So why worry? I didn’t, not until my home laptop started to crash. I was sure my unfinished thesis work and all the pictures of my loved ones were gone for good. I just wished I had been smarter and backed up my personal files. But I was lucky.

I was able to start my computer one more time and I copied almost all of my files to a new external device. That’s the most common way to back up your files; according to another F-Secure survey*, 54.4% of people back up their important files to external hard drives.

External hard-drives may be good for transporting files but they aren’t the most reliable backup. My house could be robbed or I could lose my device. Even though unexpected things tend to happen to only other people, the other person could be you.

My good friends recently learned this lesson the hard way. One night they woke up to the sound of a fire alarm and flames roaring inside their home. They had less than one minute to get out—no time to take anything with them other than their loved ones. Their house was gone for good. So were all of their belongings.

Later, I asked my friend what she misses most from that lost house. The answer was simple: pictures. Especially pictures of her child’s first year, the first steps and first birthday party. These memories were all in digital format, but not shared nor stored anywhere. The computer went up with the house.

Pictures, videos, the work you’ve done–you value them all. But you value them most when they are gone.

You should act before anything happens to you. We at F-Secure are very pleased to announce an effortless way to make backups and also share content with our new F-Secure Online Backup. It automatically makes backup copies of pictures, music and other important content saved on your computer and stores these backups on our secure servers.

You can get F-Secure Online Backup now at or through our global operator partners.

Cheers,

Anna

CC image by jsome1

* F-Secure broadband subscriber survey, April 2011 (Brazil, Finland, France, Germany, Italy, Sweden, 3,000 respondents in total).

** The survey was carried out by F-Secure via SurveyGizmo during April 2011. A total of 609 respondents were solicited from around the globe through F-Secure’s Safe and Savvy blog.

The F-Secure Community Cares and Grows

By Jason

In June, the F-Secure Community launched. The goal was simple: a real-time forum where F-Secure customers, fans and experts could ask and answer questions in real-time. Six months and a few thousand posts later, the Community is alive and growing.

F-Secure’s Customer Care team has been taking away features that don’t work—such as my failed attempt at starting a Social Media Security board—and adding new, cool features—such as the Idea Exchange where you can submit or recommend an idea for an F-Secure product.

What’s especially exciting is how the Community team loves to create fun events like this Q&A with F-Secure Labs’ Mikko and Sean. Until December 9th, you can ask these two world-renowned virus researchers any security question you have in mind. Ask them about Brain, Stuxnet or Duqu. Or ask them why a neighbor stealing Wi-Fi might be a bad thing, or not. It’s up to you. And after December 9, you’ll probably still be able to find some expert to answer most any question you might have about F-Secure security, mobile or backup.

You probably know Mikko, Sean, the Labs Weblog and F-Secure are active on Twitter. But you may not know that now our Customer Care team has joined the world’s largest mini-blogging site as @FSecureCares. So now you can contact support by chat, email, phone and Twitter.

Thanks for following us as we try to connect in the most useful ways possible. Your support and time are appreciated. If you haven’t joined the Community, we hope you’ll do so now.

Cheers,

Jason

Cyber Shoppers Are Safer Than Ever

By Anna

As the holiday shopping season begins online, throngs of Internet shoppers are on the hunt for the best deals on gifts for their friends and family.

F-Secure recently surveyed 405 Internet users solicited from all over the world through Facebook, Twitter and the Safe and Savvy blog. We found that 87% of these Internet users were planning on shopping online. Of those online shoppers, 66% are planning on doing most of their shopping online. That is up 12% from last year.

The best news is that shoppers are savvier about online shopping than ever before. 82% reported that they check to make certain that a site is securing their data before they click “Buy.” While this doesn’t remove any and all risks from cyber shopping, it does mean that shoppers are being careful.

Here are four tips to ensure you stay safe while shopping online throughout the 2011 holiday season:

  1. Visit retailers’ websites directly if possible (e.g., www.amazon.com vs searching ‘Amazon’ on Google) and search for gifts directly on retailers’ sites.
  2. Use Internet security software that features browsing protection (or check links with F-Secure’s free Browsing Protection).
  3. Always check a site’s URL before making any purchase (look to make sure you’re at the correct online store and that the page URL begins with https://, which means it’s secure).
  4. Try to use only one credit card for your online purchases and monitor any card you use online regularly.

We’re proud to help make online shopping a safe alternative to waiting in lines at the stores. Enjoy.

Cheers,

Anna

CC image by Justin Marty

5 Holiday Online Safety Tips

By Jason

If you’re going mobile this holiday season, you’ll probably still be connected to the Internet in some way. Whether you’re on your phone or using someone else’s machine, you should keep in mind a few quick tips to make sure the end of your 2011 is happy and secure.

1. ‘Tis the season to change your passwords.
Especially if you haven’t yet in 2011, now is the time to change the passwords of your most important accounts. F-Secure’s Chief Research Officer Mikko Hypponen says, “Focus your password efforts to services that actually matter to you. Lousy passwords are not a sin on a site you don’t really care about.” Here’s a system we recommend to create and remember strong passwords. Also keep in mind that you want to limit the private information you share on public machines or over free Wi-Fi networks. If you must do banking or shopping from a machine or network you do not trust, use one-time passwords, if at all possible.

2. Plan ahead but don’t post ahead.
Decide which devices you need on your travels, back up your data, and hit the road. But wait till you get home to post your travel plans on social networks. If you would like to make your whereabouts known to a group of people, consider email. If you must use Facebook, make sure you’re a privacy settings master. The general rule is, “Don’t tell anyone online that you’re going out of town whom you wouldn’t tell in real life.” After you return home is the best time to share your photos and memories with your social circle.

3. Take the geo-tagging data off your images.
Every few months there is a major news story about how thousands of people are sharing their location unintentionally via the pictures that they take on their mobile devices. Even if you don’t tell your social network that you’re out of town, they already may know from the metadata on the photos you share. Here’s how to turn off geo-tagging on your phone.

4. Shop smart and monitor your credit cards.
Make sure you’re on a secure “https” site when you make any online financial transaction. Use retailers that you trust and search on their sites rather than through search engines, if possible. Use one-time use credit cards if your bank offers them. If not, use the same card for all online transactions and keep an eye on your credit card account at least weekly to report any suspicious transactions.

5. If possible, put remote lock software on your smartphone.
Smartphones often contain the keys to our online lives. If you’re out traveling or celebrating, you’re much more likely to misplace it. Remote lock software like our free Anti-Theft for Mobile makes it easy to lock your phone from anywhere. It can help you locate your device and, in the worst case scenario, you can remotely wipe it and protect all your sensitive data and private images.

Nothing is more irreplaceable than the time you spend with the people you love. Hopefully these tips will help you safely create memories that last a lifetime.

Cheers,

Jason

 CC image by Beverly & Pack.

Scariest Digital Threats This Halloween

By Anna

Before you go out to haunt the world, we’d like to remind you that zombie computers and digital tricks never take a day off.

F-Secure Labs offers a look at some of the most ghoulish threats your PC and mobile devices are facing this Halloween and a few tricks to keep evil spirits at bay.

Jobs is Not Forgotten
More disturbing than zombies, this one is just sickening. Before Steve Jobs even passed away, affiliate marketers were using the Apple founder’s funeral to rack up sales. Emails are already circulating with supposed links to Steve Jobs’ funeral video, as well as an option to “Pay Tribute to Steve.” Whenever a news story captures the world’s attention, it can be used as bait for scams everywhere from Facebook to Google search.

The antidote? Use our free ShareSafe app to protect your Facebook friends and always use Google News to search for breaking news.

One Bad App Can Spoil the Bunch
Bad apps are like vampires that need your permission to enter your house. Bad apps may first appear harmless, then dig into your private information. Mobile banking trojans can now install themselves with the help of phishing sites that ask for your phone’s identifying information. Other apps can even act as a fake installer to get access to send premium SMS messages from your phone. Most of these threats are limited to mainland China, Russia and Eastern Europe. But if you let it in, you’ve been bitten.

The antidote? The same defense against this dark art applies wherever you are in the world: Only download software from official marketplaces or vendors you trust.

Mac Users Forced to Admit the Existence of Mac Malware
For the first time Mac owners are finding that even their fancy dwellings may become haunted. These attacks are like a Ghost of Halloween future as they lay the groundwork for creepy crawlies to come. A new trojan attempts to put a trance on Mac users and convinces them to disable the updater in Mac’s built-in Anti-virus. Another trojan acts as an Adobe Flash update to get users to click install.

The antidote? Now, even Mac users need to learn what all smart trick or treaters know: only take treats from houses you trust. Go to Adobe.com for all official Flash updates.

Bank Robbers Go Mobile
F-Secure Labs has already seen next-generation phishing attacks targeting European banks. Phishing scams have been given new life on smartphones, where users expect pages to look odd and unprofessional. Online criminals have seized on this opportunity to launch man-in-the-middle phishing attacks, which allow the attacker to intercept messages between you and your bank.

The antidote? Don’t click on links in emails from your bank, especially on your phone. If your bank has an official mobile app, use it!

Tag You’re Tricked
Facebook now allows anyone to tag anyone. If your friend tags you in a ridiculous picture, that image could pop up on your Facebook profile right as a potential employer or date is checking you out.

The antidote? Go to the arrow in your upper right corner of your Facebook profile > Privacy Settings> Under “How Tags Work” click “Edit Settings.” Then turn “Tag Review” or “Timeline Review” on. This means you get to approve any tagged content before it’s displayed on your profile.

Have a safe and wonderful Halloween,

Anna

CC image by SpindlierHades

3 Things You Should Do Before You Get Facebook’s New Timeline

By Jason

There’s one thing I can say for sure about Facebook’s new Timeline: It’s better. I’m just not sure whom it’s better for.

It’s probably better for app makers and brand pages that benefit from the credibility they get from prominent mentions in your Timeline. And it’s probably also better for people who love to use Facebook to tell the story of their lives. But is it better for you? You’ll have to decide.

The idea behind Timeline is: “Tell your life story with a new kind of profile.” Knowing that Facebook’s goal is for you to share your story with the widest possible audience, you should take a few steps to make sure you are only sharing the chapters of your life you really want to.

1. Get your friends’ settings right and audit your friends.
Whenever there are big changes on Facebook, outrage follows. Then it fades and Facebook grows. You can expect a similar cycle as Timeline rolls out. The Timeline is designed to tell your story through the content you’ve posted on Facebook. Some will find that unsettling.

The fact that Facebook built a setting that automatically makes all of your past posts “Friends Only” along with the slow roll out of Timeline indicates that Facebook is anticipating some backlash. Facebook has made the basic friend settings easy and you can now easily change the settings on any old post.

If you’re a “Friends Only” user like me, I recommend that you take advantage of the “reset button” to set all of your old posts to “Friends Only”. To do this, go to the arrow in your upper right corner > Privacy Settings > Under “Limit the Audience for Past Posts” click “Manage Past Post Visibility.” If you use this setting, you can’t undo it. You can edit each post’s settings individually but you can’t change them back all at once. You can always make any post only available to you by selecting the “Custom” setting.

2. Check how you are tagged
Anyone can now tag anyone on Facebook. And if a friend tags you in something it could end up in your profile. You can always remove a tag but unless you have your settings right, a joke picture could pop up right at the moment a potential employer happens to click on your Timeline.

Go to the arrow in your upper right corner > Privacy Settings> Under “How Tags Work” click “Edit Settings.”

Here are my recommendations for tagging:


I have Timeline Review and Tag Review on for maximum Timeline control. Timeline Review lets me approve anything tagged with my name before it shows up on my profile. Tag Review lets me approve tags on my content. I also have Maximum Timeline Visibility set to “Custom” “Only Me” for an extra layer of protection. I don’t let Facebook recognize me in photos nor do I let friends check me into Places.

This is about as locked down as you can get. But I’ve found erring on the side of privacy has never been a problem for me on Facebook.

3. Edit your apps.
An app can write directly to your “wall”/timeline if you’ve given it permission to do so. Fact is you probably don’t remember if you’ve done so. And now apps play a more prominent role in your profile. So you should go through your approved apps and delete any that you are a) not using and b) would never like to see show up in your profile.

Go to the arrow in your upper right corner > Privacy Settings > Under “Apps & Websites” click “Edit Settings” > Under “Apps You Use” click “Edit Settings” > Click the light blue “x” next to any app you want to get rid of. Now, whenever you use an app, actually read the permissions the app wants. And if the app can write to your profile, your activity will become visible in your timeline.

Extra Tip: Turn off Instant Personalization
Go to the arrow in your upper right corner > Privacy Settings> Under “Apps & Websites” click “Edit Settings”> Under “Instant Personalization” click “Edit Settings”> Uncheck the box that says “Enable instant personalization on partner websites.”

Why?
Facebook has been automatically sharing your public Facebook data with third-party partners through apps for over a year now. Now that apps will be posting to your timeline, you may end up having your activity on sites you didn’t mean to make public show up on your timeline. This is being very cautious. But it could help avoid some unintended consequences.

In Conclusion

The fact is we can’t be fully aware of the implications of Timeline until it’s widely implemented. When will that be?

On Quora, a Facebook employee speculated that it would be before the end of October. (If you’re dying to get the profile, here’s one way people have been able to get it.) The one thing you have to understand about the Facebook Timeline is that it can make your life feel way more public. More than LinkedIn, Twitter or most any other site, Facebook has the content to tell the story of our lives over the past few years.

Going forward, Facebook—I believe—hopes that you will embrace Facebook as the channel for your lifecast and mindcast in a public way. And if you do, Facebook will hit the billion-user mark before the end of 2011.

Cheers,

Jason

Safer Shopping Sweepstakes: Win a Samsung P1000 Galaxy Tab Tablet

By Anna

This Sweepstakes is now closed. Please follow our Facebook page for future giveaways.

The holidays are coming and so are great online deals along with traditional online scams. To celebrate the even better protection of Internet Security 2012, we thought now would be a good time to talk about safer online shopping. We know it’s early. But better savvy than sorry.

We’ve discussed the basic guidelines for safe online shopping and we’re wondering how online shopping fits into your life.

So we have a question for you: Do you plan on doing more shopping online or offline/ in actual stores this holiday season?

By answering this question in the comments below, you’ll be entered to win a Samsung P1000 Galaxy Tab Tablet with F-Secure Mobile Security.

Just read the rules and post your answer.

Thanks for your time,

Anna

CC image by Robert S. Donovan

How Do You Make the Best Protection in the World Better?

By Anna

How do you improve the product that won AV-Comparatives Product of the Year?

That was the happy challenge we at F-Secure faced with Internet Security 2012. Our goal couldn’t just be improved protection for your computer and online life. We also wanted to make Internet Security 2012 even faster and easier to use for you and your family. And we’re proud to say that the best protection in the world…JUST GOT BETTER!

F-Secure Internet Security 2012 is now available here. If you’re a current customer, your free upgrade is available here.

“Our antivirus test success last year was awesome,” says Mika Stahlberg, VP F-Secure Labs. “In spite of that, or rather inspired by it, we have made a large number of improvements to our security core during this year. Our internal tests show that with new technologies like DeepGuard 4 and ORSP online detections, Internet Security 2012 will be a faster product with superior detection rates compared to its predecessor.”

All online safety settings are now personalized for each user to keep viruses and spyware out while stopping spam and phishing emails. The firewall hacker-proofs your Internet connection. Browsing Protection protects you whether you’re browsing the web or connecting on Facebook by blocking phishing scams and unsafe websites. Parental Controls keeps kids away from nasty web content and can lock them out before they get bleary-eyed from excessive screen time.

Internet Security 2011 was fast. But fast is now even faster. F-Secure’s cloud-based real-time protection delivers instant reputation data about websites and files. This is how we identify and block harmful websites and emerging threats immediately around the world.

For the first time, F-Secure Internet Security 2012 also protects you against unwanted mobile broadband bills. When you’re roaming with a computer using Windows 7, Internet Security automatically optimizes the computer’s mobile broadband use to prevent 3G mobile broadband bills from exploding.

It’s the award-winning protection millions count on, optimized for 2012. We hope you’ll let us know what you think.

Cheers,

Anna

The Right to Remain Private: Comparing Digital Privacy in the US and the EU

By Jason

In most of the European Union, even public figures have a right to privacy. Article 8 of the European Convention on Human Rights gives all EU citizens the right to respect for one’s private life. This gives the majority of Europeans privacy rights that are envied around the world, even if Privacy International suggested in 2010 that the privacy situation in Europe is “mixed.”

In the US, there is no explicit right to privacy. While courts have ruled that “penumbras” implicitly protect citizens’ rights to family lives and correspondence, Americans give up most of their privacy when they go to work.

Here’s a look at how the digital privacy laws of the world’s two largest democracies compare.

The Workplace

EU
In the EU, even your personal correspondence on your work computer is protected. Thanks to the Data Protection Directive, employers not only have to notify employees if any private data is being monitored, they also have to prove there is a good reason to do so.

US
As Melissa Ngo, the publisher of Privacy Lives, points out, in the United States, “Employees have few privacy rights in the workplace.” In most cases, employers can even read personal email sent on a work computer, even if the mail is not stored on work servers.

Recruiting

EU
It is even against the law for companies to Google a job applicant in Finland. Germany is considering a law that would make it illegal to look up an applicant on Facebook. In general, public information may be viewed. But companies must explicitly state what information they keep and how they use it in accordance with the Data Protection Directive.

US
Nearly 90% of American companies use LinkedIn for recruitment.  A recent decision by the Federal Trade Commission indicates that the last seven years of your social media activity may be fair game in a background check.  Americans should expect that any public post that includes their name may be accessed by a potential employer.

State Surveillance

EU
When the Chaos Computer Club (CCC) identified a software backdoor, which they claimed was being used by the German government, many assumed this was in violation of the German constitution. In fact, the German Federal Constitutional Court declared in 2008 that the “integrity in information-technology systems” is a “fundamental right”. However, German courts have approved over 50 requests by law enforcement to use spyware. So in Germany, at least, spyware is being used by law enforcement, with courts supervising the activity.

US
Government documents indicate that the US government is using spyware to track persons of interest, sometimes without a warrant.  Potential government surveillance seems to be an accepted fact of American life as the PATRIOT Act is continually renewed.

(Note: F-Secure joined several anti-virus makers in blocking the German federal malware, though no F-Secure customers had been infected by the backdoor. F-Secure Labs has never been asked to ignore a government backdoor, and would never do so.)

Right to Be Forgotten

EU
The European Union has stated that its citizens should have the right to be forgotten online.  This means that  “individuals should have the right to have their data fully removed when it is no longer needed for the purposes for which it was collected.” Europe v. Facebook has been advocating that European Facebook users petition the world’s largest social network for a copy of their data. European law gives all citizens the “right to access” such data but the site says Facebook has been ignoring this.

US
US citizens currently have no “right to be forgotten” though the Privacy Act of 1974 requires that all companies disclose how customer data will be used.   Senators John Kerry and John McCain have proposed the “Commercial Privacy Bill of Rights Act of 2011” which includes a reasonably scoped “Right To Be Forgotten”. That bill is currently in committee.

***

In April, Google decided to end Street View in Germany. The decision came after a protracted battle with German citizens who saw this initiative to create a digital image record of the country’s public streets as an invasion of their privacy.

Google met no such widespread opposition to Street View in the United States where many realtors and real estate sites depend on Street View to maximize a property’s exposure to potential buyers. Are home owners in Germany sacrificing a powerful tool in favor of privacy? Is this a choice that Americans would be willing to make?

Let us know if your privacy sensibilities are closer to the European or American point-of-view in the comments.

Cheers,

Jason

CC image by rpongsaj

Cyber Security Awareness Month 2011

By Anna

If you love the Internet, you know how important it is to keep it safe and secure.

The US government declares every October Cyber Security Awareness Month (NCSAM). Of course, around F-Secure every month is cyber security awareness month, but we appreciate the opportunity to join with millions of other people to spread the information we all need to stay safe online.

For safety tips from the organizers of NCSAM go to StaySafeOnline.org and for the government’s official cyber security site visit OnGuardOnline.gov.

We also want to share some of our favorite awareness posts from the last few months. Check them out then let us know in the comments of this post if you have any cyber security questions you would like us to answer.

What Credit Card Fraud Taught Me

How to Use the Internet Safely—Before, During and After Your Next Vacation

3 Things You Need to Know if You Use Online Banking

An Introduction to LinkedIn Privacy and Security

How to Protect Your Privacy if You Use Facebook

Cheers,

Anna

CC image by br1dotcom

You Should Fire Your Boss (on Facebook)

By Jason

If you are “friends” with your boss on Facebook, now is a great time to reboot your relationship. Facebook has introduced two new features that can change the way people relate on Facebook. Now we can stop pretending our relationship with closest friends and family is the same as it is with our direct supervisor.

With Facebook’s new subscription feature, you can follow your boss’s public posts without unintentionally revealing your personal life. And since your boss has most of the power in your relationship, we feel s/he should enable his or her account for a more appropriate relationship.

Here’s how to properly fire your boss on Facebook. (This is option 1 for nice bosses. See below for less-nice bosses.)

  1. Unfriend your boss now.
  2. Ask your boss to activate Facebook subscriptions by going to this page.
  3. Encourage your boss to open his/her public posts to comments, so you can respond to his/her posts.
  4. Subscribe to the feeds of your boss you’re interested in.

Making these changes will avoid crossing work with play. It also keeps open a channel of communication if, say, your boss has additional shifts or projects for you to take on. Plus your boss won’t know that you turned down extra work to go to a concert—unless you make that post public and open your profile to subscribers.

The “Subscribe” button brings “asymmetrical relationships” to Facebook profiles for the first time. Asymmetrical relationships exist when one side enjoys some privilege over another, as an employer, teacher or supervisor might. And these asymmetrical online relationships are sparking controversy.

Some union leaders have advised teachers to limit their social networking in general to shield them from claims of abuse. And the US government recently restored the jobs of four employees who used Facebook to discuss the workplace in a harsh but appropriate manner. But the line between appropriate and inappropriate discussion is fine and evolving.

Missouri recently passed a law restricting teachers from Facebook friending any children, including their own. It’s currently being blocked by a judge but a law like this suggests that many people are at a loss on how to relate asymmetrically on Facebook.

By unfriending your boss and subscribing, you’re setting up clear boundaries that are less likely to create complications in the workplace.

Now, if you’re already friends with your boss and you’re not comfortable “bossing” them around online, you have another way to stop your private and work lives bleeding together. Here’s option 2 for less-nice bosses.

  1. Wait till “smart lists” are active for you on Facebook. (If you open your page to subscriptions, you’ll likely get smart lists soon if not immediately.)
  2. Add your boss to your “Restricted list”, which means they’ll only have access to your public posts.
  3. Consider using a List or Group for co-workers/work related discussions.

Using Facebook responsibly requires us to turn on the good features Facebook offers—like Profile Review. And changing your online relationship with your boss/“friend” to more closely resemble real life is a smart way to protect your job and your future.

Facebook’s New Timeline: How to Protect Your Privacy

By Jason

Most television is free because it comes with ads. And most websites are free because the ads come with you.

The launch of Facebook’s new timeline has sparked many Internet users’ fear of their personal data being used in unethical ways. Early users spotted ways of figuring out who defriended you (which have since disappeared). F-Secure Security Advisor Sean Sullivan points out that you can still go through your Messages and wall posts and figure out if a friend has cut you off.

Many users were particularly alarmed to learn that Facebook was tracking users even after they log out.  Facebook says they have fixed this “bug” and is no longer tracking you if you are logged out, unless the site you’re on integrates with Facebook.

Past Facebook changes have triggered a backlash that quickly abated as the site grew. Generally, the privacy concerns of the new Facebook in mirror the new Facebook. And there are some privacy tools that you can take advantage of including the “reset” button along with Profile Review and Tag Review.

If you’re afraid of snoopers on your timeline, make sure to edit your friends list, set your default privacy setting to “Friends Only” and only share with your friends.  If you want to take extra steps to secure your browsing from Facebook, here are two things you can do now.

1. Use a separate browser in Privacy Mode for anything you don’t want “anybody” to see.
When it comes down to it, we know what activity we’d like to hide. By separating your Facebook activity from your browsing, you’re removing the chances of your “private” browsing being tracked. In Firefox, you turn on Privacy Mode by pressing Ctrl+Shift+P. It doesn’t make you anonymous, but it will keep the information from being tracked on your computer.

2. Consider quitting Facebook.
If you’re still not comfortable, you can quit Facebook and perhaps start over with Google+. But before you do this, ask someone who uses Gmail and gets ads based on their most intimate communication, “Is this a company you trust not to track you?” Google’s +1 buttons are becoming as common as Facebook’s “Like”. Not to mention the endless Google ads and services that proliferate across the web. And if you’ve ever created any sort of Google account, you may be shocked at what a detailed history Google keeps of your activity. Go to https://www.google.com/history/ to check it out.

Cheers,

Jason

An Introduction to LinkedIn Privacy and Security

By Anna

When F-Secure Labs discovered the email behind the RSA hack, it was remarkable how simple it was. Yet it was targeted to hit just the right professional who clicked on exactly the wrong attachment. The consequence of this one mistake sent ripples across the world.

As we get better at avoiding traditional threats, online crooks have to innovate. Not only do they have to count on you making quick decisions, they will use anything you share online against you. Hacktivists may just use your content to humiliate you. And criminals may use it to hack you or your employer.

LinkedIn presents many of the security and privacy issues of Facebook. Yet you rarely hear the concerns or horror stories that seem to come out of Facebook on a regular basis. Why? People tend to treat it as a function of work. Best behavior abounds.

Still, whenever you’re using social media, you need to make sure your system and security software are up to date (our Health Check makes that easy). And here are a few additional precautions you can take to safeguard your online life.

1. Connect wisely.
Facebook says that they expect you to really know all your friends. Then they make millions off games that encourage you to befriend strangers. LinkedIn expects you to have some sort of connection with the people you connect with. As these are opt-in relationships, you have to decide what your boundaries are. If you are searching for work or sales, you may wish to extend your network. If you’re feeling secure and/or overexposed, you can trim your connections by going to Contacts > Connections > (Upper right) Remove Connections.

2. Revisit what you share.
LinkedIn offers an opportunity to share both your email address and your phone number. The more people who have this information, the easier it can be for someone to use it against you. If you share your email, you need to remind yourself that the right attachment can still get around your security if you make the wrong click. To see what you’re sharing, go to Profile > Edit Profile > (Scroll all the way down to find “Personal Information”).

If your security is extremely important to you and others, you probably shouldn’t share your contact information online voluntarily. And you should also not share your connections with your connections. By letting people know who you expect emails from, you’re tipping off potential hackers about who to pose as. You can turn this feature off by looking in the right corner for your name > Settings. On Settings, click “Select who can see your connections.” Select “Only Me.”

3. Be careful about what you post on any site, of course.
The power of the Internet turned against an individual can be frightening. If you share anything online, a digital copy may exist even if you take it down. Anything truly private should not be shared through anything but private channels protected with secure passwords. If you do not want a future employer to see something, don’t take the risk. Don’t post it on a social site. EXTRA STEP: Google your name and image so you know what others are finding when they search for you now. Try to improve your Google results with new more positive posts that feature your name in the title.

Your LinkedIn profile is your digital resume. Using the service with caution and savvy will help you build relationships and impress your peers.

Cheers,

Anna

3 Things You Need to Know if You Use Online Banking

By Jason

Banks are well aware that criminals will use any trick they can to get control of your money. To stay ahead in the cat-and-mouse game, financial institutions use one-time passwords and verification codes that render most conventional phishing attacks useless. Thus online criminals have had to innovate quickly.

Man-in-the-middle attacks allow the attacker to intercept messages between you and your bank. The criminal then sends its own messages to both parties. Just this week, F-Secure Labs has observed multiple man-in-the-middle attacks against at least two Finnish banks. Other new man-in-the-middle attacks utilize the computing power of our smartphones to trick us out of account information.

Here’s what you should know to keep the thieves out of your digital piggy bank.

1. Never click on links from bank e-mails.
When you’re busy, it’s easy to make a mistake and click on a bad link, especially on our phones. Sean Sullivan from F-Secure Labs says the best strategy is to “Go to the bank via a browser bookmark.”

2. Know that criminals are targeting your smartphone.
F-Secure Labs has followed Spitmo, a man-in-the-middle attack that targets phones, since spring. And now an Android version has been spotted. This attack pretends to install an application that protects the phone’s SMS messages. If you receive an SMS that asks you to install such software on your phone, take the time to contact your bank directly.

3. Keep your system and security software updated.
The registered owner of the site being used for this week’s Finnish bank attack owns more than 90 sites. So as one attack goes down, another one might go up. It’s important to have browsing protection that could prevent you from visiting a site hosting a known attack. And it’s even more important to make sure your PC is patched and protected. Our free Health Check makes that easy.
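To show why the bookmark advice in tip 1 matters, here is an added example (not part of the original post) that compares the real host of a link with the host saved in your bookmark. The host names `netbank.example` and `secure-login.test`, the sample links and the exact-match rule are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: the host saved in your browser bookmark (constructed placeholder).
BOOKMARKED_BANK_HOST = "netbank.example"


def check_link(url, trusted_host=BOOKMARKED_BANK_HOST):
    """Classify a link from a message against the bookmarked bank host.

    Returns (ok, reason). ok is True only for an HTTPS link whose real host
    is exactly the bookmarked host on the default port.
    """
    trusted = trusted_host.lower().rstrip(".")
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return (False, "malformed")

    if parts.scheme != "https":
        return (False, "not-https")
    if not host:
        return (False, "no-host")
    # Everything before "@" is a user name, not the site. The browser
    # connects to the host that comes after it.
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo-hides-host")
    if port not in (None, 443):
        return (False, "unexpected-port")
    if host == trusted:
        return (True, "ok")
    # Internationalized or punycode labels can render like ASCII letters.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return (False, "lookalike-idn")
    # The trusted name is only a subdomain prefix here; the site that is
    # actually contacted is named at the right-hand end of the host.
    if host.startswith(trusted + "."):
        return (False, "trusted-name-as-prefix")
    return (False, "different-host")


# Constructed sample links, as they might appear in an e-mail or SMS.
SAMPLE_LINKS = [
    "https://netbank.example/login",
    "http://netbank.example/login",
    "https://netbank.example@secure-login.test/",
    "https://netbank.example.secure-login.test/",
    "https://n\u0435tbank.example/",  # second letter is Cyrillic
    "https://xn--ntbank-constructed.example/",
    "https://netbank.example:8443/",
    "https://netbank-example.test/",
]


def triage(links):
    """Return (link, ok, reason) for every link in the list."""
    return [(link, *check_link(link)) for link in links]


if __name__ == "__main__":
    for link, ok, reason in triage(SAMPLE_LINKS):
        verdict = "MATCH " if ok else "REJECT"
        print(verdict, reason.ljust(24), ascii(link))
```

Seven of the eight sample links contain the bank's name somewhere, yet only one of them points at the bookmarked host.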

Bank robber Willie Sutton never actually said that he robs banks because “That’s where the money is.” But if he lived today, he might have tweeted it.

Criminals will never stop scheming of ways to get into your bank account. By staying aware of their latest tricks, you’ll do your best to keep your money where it belongs.

Cheers,

Jason

Facebook’s Profile Review and Tag Review: Turn Them On

By Jason

Facebook is quietly rolling out the most dramatic updates to its privacy settings in a year. While critics have quickly dismissed the updates as typically lacking in user control, there are two new features that we believe you should turn on as soon as they are available to you: Profile Review and Tag Review.

Profile Review keeps photos and posts tagged with your name from showing up on your profile without your approval. Tag Review gives you the ability to approve tags that are added to your pictures.

Here’s how to activate Profile Review:

A. Go to Account> Privacy Settings.
B. Next to “How Tags Work” click “Edit Settings”.
C. In the “How Tags Work” pop-up, click “Edit” next to “Profile Review”.
D. In the next pop-up, click “Turn on Profile Review”.

Now, whenever you are tagged in a photo or a post, you’ll have to approve it before it appears on your wall. Tagged posts and photos will appear in your profile wall in a new section called “Pending posts.”

This feature is important because it gives you control over your profile. If a potential employer or an organization considering you for a scholarship is viewing your profile, you don’t want to give others the ability to post questionable images directly on your wall. And even if you aren’t worried about looking professional (or you’ve locked down your profile effectively), there are just some pictures of you that you may not want to help your mom or your friends see.

Photos or posts tagged with your name will still appear on your friend’s wall and feed, so your mutual friends will see them. But Facebook now gives you the option to ask your friend to take down photos of you that you don’t like. And you can always block a friend who refuses to consider your opinions.

Tag Review gives you the power to approve tags from your friends as they are added to pictures or posts. Facebook is now in the process of allowing any Facebook user to tag any Facebook user in a post or a picture. You’ll be asked to review any tag by a non-friend before it shows up on your wall and feed. Tag Review extends that approval function to your friends’ tags.

Here’s how to activate Tag Review:

A. Go to Account> Privacy Settings.
B. Next to “How Tags Work” click “Edit Settings”.
C. In the “How Tags Work” pop-up, click “Edit” next to “Tag Review”.
D. In the next pop-up, click “Turn on Tag Review”.

Why is Facebook finally improving its tagging systems?

Clearly, Facebook is obsessed with making it so easy to tag others.  It has even put together what could be the largest facial recognition database ever to make it easy to tag your friends.

Tagging creates feed and wall activity even when you’re not logged in while encouraging the one feature probably most responsible for Facebook’s success: photo sharing. Unfortunately, tagging is also one of the most problematic identity/privacy issues that Facebook users face.

While these privacy updates do include some potentially troubling changes, especially in how your information is shared through apps, Facebook has given you a tool to make it a little less easy for others to tag you. We say: turn them on.

Follow F-Secure on Facebook for more security and privacy tips.

Cheers,

Jason

(Thanks to Andreas on our Facebook page who pointed out Tag Review.)

Hit the Reset Button: A New Guide to Facebook Safety and Privacy

By Jason

Facebook is now in the process of releasing dramatic updates to its ever-evolving privacy features. These updates contain some new tools to help secure your privacy and online identity. And if you haven’t reviewed your settings recently, now is the perfect time to do so.

How do you know if the new features are available to you? Go to Account> Privacy Settings. If you see the settings above, you’re in.

F-Secure Labs Security Advisor Sean Sullivan walked me through the updates, identifying the most relevant changes for cautious users. Based on what we’ve found, here’s what you need to do now—if you haven’t already—to secure your Facebook account.

1. Secure your PC and password.
How to do it:
A. Update your system and security software. Our Health Check makes this easy.
B. Choose a password that can’t be guessed. Make it a password that you only use for this account and none of your “friends” will be able to guess. Don’t choose a word in the dictionary or any word mentioned on your profile. Here’s a system that our Labs recommend.

Why?
Updated Windows 7 or Mac OSX software along with updated security software will protect you from most threats in case you ever make a mistake online. I also recommend you back up your data in a remote location (off-site physical backup or online backup) for complete protection.

2. Go “Friends Only”.
How to do it:
A. Go to Account> Privacy Settings.
B. Under “Control Your Default Settings” click “Friends.”

Why?
Go with “Friends Only” because you can now choose how to share any post or picture with “Public”, the maximum audience, “Friends” or “Custom”. Custom includes options to select specific friends, “Friends of Friends” or “only me.” Or you can block specific people from each post. You can make this decision each time you post. So it’s smart to start with the safest setting just in case you post something you shouldn’t have.

Also, you can now change the privacy setting of any old post or media you posted. This is a good new addition. However, certain things like your name, friends lists and the comments you make on Facebook pages will always be public.

You can decide how and who can find and contact you on Facebook in your Privacy settings by clicking “Edit Settings” for “How You Connect”.

3. Hit the “reset button” and turn all your past posts to “Friends Only”.
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Limit the Audience for Past Posts” click “Manage Past Post Visibility”.
C. In the pop-up, click “Limit Old Posts”.
D. In the next pop-up, click “Confirm”.

Why?
Why not? You can always change an old post to make it public again if necessary. Anything you share on Facebook can be reshared in some way by anyone who has access to it. With this one step you’re saying, “I only want my friends who I trust to have access to everything I’ve done on Facebook.” Facebook assumes you know your friends. That’s the official word in a recent official Guide to Facebook Security (PDF).

Of course, Facebook also profits from social games that flourish because people friend new people ravenously. So it’s a good idea to give your Friends List a quick scan and unfriend anyone you don’t know or trust—unless you’re a game player. Then you should know that Facebook appreciates your business but isn’t designed to protect your privacy.

4. Turn on Profile Review to approve all posts and pictures tagged with your name before they’re posted on your wall.
How to do it:
A. Go to Account> Privacy Settings.
B. Next to “How Tags Work” click “Edit Settings”.
C. In the “How Tags Work” pop-up, click “Edit” next to “Profile Review”.
D. In the next pop-up, click “Turn on Profile Review”.

Why?
Anyone on Facebook can now tag you in a photo or a post. With Profile Review, you’ll be able to decide which photos and posts tagged with your name show up on your wall.

While you’re on the “How Tags Work” pop-up, you may also want to disable “Friends Can Check You Into Places”. This won’t stop someone from saying you’re at a bar on your lunch break, but it may prevent your friends from seeing such a fictional check in. If you don’t want Facebook to put you in its facial database to recognize you when you appear in your Friends’ pictures, click “Edit” next to “Tag Suggestions” on the “How Tags Work” pop-up. Then select “Disable”.

5. Set your Account Security.
How to do it:
A. Go to Account> Account Settings>
B. On the left-hand column, click “Security”.
C. Click “Edit” next to the “Security Question”. Pick a question only you will be able to answer.
D. Click “Edit” next to “Secure Browsing”. Click the box next to “Browse Facebook on a secure connection (https) when possible” and then click Save Changes. Your browsing will now be secured when it can be.
(Many apps and games are not yet updated for secure browsing. Using these may boot you out of Secure Browsing. But Facebook seems to put you back into secure browsing as soon as it can.)
E. For extra protection, click “Edit” next to Login Approvals. Then click the box next to “Require me to enter a security code each time an unrecognized computer or device tries to access my account” and click Save Changes. This will create a little hassle but could also prevent your account from being hacked.

Why?
These tools are the extra protection you need to greatly reduce the chances of your account being hacked. And if you do get hacked, an active secondary email account and a good security question will help you get it back.

6. Turn off Public Search
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Apps and Websites” click “Edit Settings”.
C. Next to “Public search”, click “Edit Settings”.
D. Make sure the box next to “Enable public search” is NOT checked.

Why?
Do you want your Facebook page to be the first thing to come up if an employer, an ex or your mom does a Google search of you? If your answer is yes, click that box. If not, limit the ability to find you within Facebook and Facebook apps.

7. Click with caution.
How to do it:
A. Think twice before you ever click the “Post” button.
B. Think thrice before you click on the links posted by friends.

Why?
Clicking on a bad link could expose you to malware or scams. This is when you need your updated software to protect you most. For extra protection, use our free ShareSafe App to share links with your Facebook friends. You’ll even earn points that can be used to win rewards.

8. Limit the information shared with Apps.
How to do it:
A. Go to Account> Privacy Settings>
B. Next to “Apps and Websites” click “Edit Settings”.
C. Next to “Apps you use”, click “Edit Settings”.
D. Click the “X” box to delete any app you aren’t using.
E. Go back to App settings, and click “Edit Settings” next to “How people bring your info to apps they use”. Uncheck every box and click Save Changes.
F. For extra protection, turn off all applications until you need them. Do this by clicking “Turn off all platform apps” in the Apps, Games and Websites settings.
G. For even more protection, turn off “Instant Personalization” which automatically shares your public information with Facebook’s partner sites. Do this by clicking Edit Settings next to “Instant personalization”. UNCHECK the box next to “Enable instant personalization on partner websites.”

Why?
When you’re dealing with apps, you’re dealing with third-party developers who you may not know or trust. The actual language Facebook uses to clarify how and when your information may be shared through apps and friends is difficult to decipher.

The more you limit the data you’re sharing, the more control over your identity you have. We say eliminate the unknowns; opt out of sharing until you have a reason to opt in. You should also know if you use an app, there’s a chance your friends could see that. So keep that in mind every time you try out a new app.

BONUS TIP: Tell Facebook not to use your image or name in ads.
How to do it:
A. Go to Account> Account Settings>
B. On the left-hand column, click “Facebook Ads”.
C. Click “Edit third party ad settings”.
D. Next to “If we allow this in the future, show my information to” select “No one.”
E. Click Save Changes.
F. Click “Facebook Ads” again and click on “Edit social ads setting”.
G. Next to “Pair my social actions with ads for” select “No one.”

Now check your work. See how other people see your profile.
How to do this:
A. Go to Profile.
B. In the upper right corner, click on View As…
C. View how specific friends or the “public” sees you.

A sign posted on a wall in Facebook headquarters says: “Move fast and break stuff.”

Facebook’s transition into secure/https browsing is a good example of how Facebook improves privacy and security in a steady, if occasionally buggy, way. As you explore these new features, you may notice, for instance, that Facebook still may use the word “Everyone” in one or two places, though they announced that they’re transitioning to the word “Public.” But the changes here are for the better.

These updates are, of course, not enough for some critics. As usual, you should expect some unforeseen consequences, as there nearly always are when 750 million active users have to reexamine how they use the largest social network ever created.

Your security depends on you and your friends knowing how Facebook works. Now that you know how to protect yourself, I hope you share this information with someone you care about.

Follow F-Secure on Facebook for more security and privacy tips.

Cheers,

Jason

New Facebook privacy settings: 3 things to do now

By Jason

1. Check out what’s coming.
On August 23, Facebook announced big changes are coming to the site’s privacy settings over the next week. We’ve identified the following changes. Even more changes are hinted at in the accompanying videos.

  • For adults, “Friends”, “Public”, or “Customize” are now the three standard privacy settings for sharing. “Friends of Friends” is no longer an upfront option.
  • “Everyone” is now “Public”, which is the maximum audience for any adult post.
  • For minors, “Friends of Friends” is still the maximum audience for a post.
  • Inline profile controls will now allow adults to choose to share status updates with “Friends”, “Public”, or “Customize”.
  • You can now set the privacy levels of the elements on your profile through settings actually located on your profile.
  • You can change the privacy setting of a status update after it has been posted.
  • You can now choose to approve all posts or photos you are tagged in before they appear on your profile with Profile Review.
  • It’s a little easier to check how others see your profile with a prominent button on your profile.
  • You can now tag anyone on Facebook. If a non-friend tags you, it will only appear on your profile if you approve it.
  • You can tag a location on “anything” you post to Facebook.
  • Places is gone—Facebook is no longer in the Foursquare business.
  • You can now remove a tag of yourself on a photo, remove a tag and ask a friend to take it down or remove a tag and block the person who tagged you.

If you think that list is long, check out Facebook’s Dig Into the Details chart to get a sense of how much these changes will affect your Facebook experience. Yep. Much is changing.

Some say that these changes are a response to Google+. However Larry Magid, who works with Facebook’s Safety Advisory Board, says these changes have been in the works for months.

2. Make sure you are comfortable with your current settings.

This grid thing is going away.

It’s always a good time to check your Facebook privacy settings. The settings you have now will be converted into the new settings. You shouldn’t end up being shocked by what you’re sharing, unless you’re not aware of what you share now. Keep in mind that ‘Friends only’ will still exist in the new settings. Assuming you know your friends—which Facebook does, as stated in its recent Guide to Security (PDF)—“Friends Only” should be a safe route for most of what you share on Facebook.

3. Be ready to opt in to Profile Review
For F-Secure Labs Security Advisor Sean Sullivan, the most promising new privacy feature is Profile Review. This feature allows you to approve every photo or post that includes a tag of you before it appears on your profile. As you probably know, Facebook tends to opt you into any new feature, except if it prevents you from sharing. Hopefully as the changes go live, you’ll be asked to opt in to Profile Review.

If not, you’ll have to go to your Privacy Settings> Manage How Tags Work and click on “Change Settings”> Next to Profile Review click “Edit” > Click Turn On Profile Review. Note: This will not be available to you until all the changes have been completely rolled out to you.

We’re still investigating these changes and looking forward to bringing you more insight on the evolving Facebook privacy situation in the near future.

Cheers,

Jason

How concerned are you about your child’s online safety?

By Anna

As students head back to school with mobile devices and laptops in hand, we asked parents about how safe they feel setting their digital natives free on the Internet.

Here’s what we found out:

  1. How concerned are you about your child’s safety online?
    • Not concerned 6%
    • Somewhat concerned 44%
    • Very concerned 50%
  2. Are you more or less concerned about your child’s safety online than you were in the past?
    • More concerned 82%
    • Less concerned 18%
  3. Are you more concerned about your child’s online safety at school or at home?
    • School 53%
    • Home 47%
  4. What are you most concerned about in regards to your child’s online safety (choose from below):
    • Encountering predatory individuals on social networks or forums 63%
    • Contracting dangerous viruses or malware which can compromise personal or financial data 23%
    • Lack of exercise/dangers of extended PC use to physical health 13%
  5. Do you feel you know where to find information about how to keep kids safe online?
    • Yes 58%
    • Somewhat 37%
    • No 5%

Here’s a quick analysis of the results.

1) Despite most people knowing where and how to find info to keep kids safe online (58%), 94% are still concerned about their child’s safety online, with the majority of that group describing themselves as ‘very concerned’. Also, the vast majority of parents (82%) are more concerned about their child’s safety online now vs in the past.

2) Parents are approximately three times more concerned about their children encountering predatory individuals online vs contracting malware which could compromise financial or personal data (63% vs 23%).

3) Parents are nearly twice as concerned about their children encountering viruses and other malware online than the potential negative effects of extended computer use, such as muscle strain or obesity.

Cheers,

Anna

CC image by Tim & Selena Middleton

How Safe Is Your Phone?

By Anna

Compared to their PC cousins, smartphones have mostly enjoyed a near immunity to viruses and spyware. But that, unfortunately, is changing.

In the first half of 2011, F-Secure Security Advisor Sean Sullivan has seen seismic shifts in the mobile phone landscape that have prompted F-Secure Labs to warn consumers and developers to stop taking mobile security and privacy for granted.

“As phones began to support applications, strict approval processes, such as those employed by Apple and Symbian, combined with the diversity of phone software made PCs much more profitable targets for criminals than mobile devices,” Sean explains. “However, criminals are finally finding cracks in mobile security just as millions of smartphone owners have begun to regularly use their devices for business and banking.”

According to a new international F-Secure survey*, 51% of smartphone owners use their devices for business.

“Many professionals use their mobile devices like portable PCs while taking few if any of the security precautions they do on their desktop computers,” says Sullivan. “But mobile technology is quickly evolving past the era of worry-free security and privacy.”

This past April, many smartphone owners were shocked when a security researcher announced that their iPhones had been tracking their travel history. Apple said that this feature was a bug in the iOS software, and that the history was supposed to be erased every 7 days. An iPhone update quickly ‘fixed’ the bug and allowed users to opt out of location services completely for the first time.

“If you read the many, many pages of the iTunes Privacy Policy, Apple does say that your data can be used anonymously to improve Apple products. And Google’s Android and Windows Phone 7 collect anonymized location data in similar ways,” says Sean. “This was only international news because people realized for the first time how much private data they may be revealing through their phones.”

Sean sees the mobile landscape transforming even more rapidly as manufacturers and mobile carriers capitalize on massive opportunities to acquire customers and data.

In February of 2011, Nokia, the world’s largest maker of handsets, announced a pact with Microsoft to transition from the Symbian operating system to Windows Phone 7. This colossal strategic shift followed news that Google’s Android had passed Symbian as the world’s most popular smartphone operating system. And in August 2011, Google purchased phone manufacturer Motorola Mobility.

“Google’s open application development may have fueled Android’s rapid ascendancy. But it also created a ‘Wild Wild West’ atmosphere that has been exploited by rogue developers,” Sean explains.

Over the past year, trojanized apps have appeared in several third-party marketplaces. In March 2011, more than 50 rogue apps were even removed from Android’s official market place for the first time, requiring Google to remotely remove the infected apps from phones using its “kill switch.”

Sullivan says, “Google’s purchase of Motorola is likely to support Android’s growth, and not just on smartphones. Android 4 is scheduled to arrive this October, and that will reunify Android, creating tablet competitors to the iPad. Tablets are more likely to be used by North Americans to do things traditionally done on PCs, such as online banking, and that could increase attacks on tablets.”

For the millions who already own Android devices, the security situation will evolve as apps become more secure and device software ages. “Android Marketplace’s ability to tame rogue apps could improve, but the growth of the platform will increase the incentives for crime. Additionally, Motorola competitors may move away from Android, potentially making them less likely to update vulnerabilities.”

For software developers, device makers and operators, mobile security is a growing concern as users rely on their phones and tablets more and more for confidential business and mobile banking.

“This year we’ve seen the cat-and-mouse game pitting banks and law enforcement agencies against online criminals go mobile,” says Sean. An attack on a European bank was driven by the SpyEye mobile malware working in combination with a PC banking Trojan to take advantage of the growing use of SMS messaging in online banking for one-time passwords.

“It’s easy to forget how much confidential data is stored on a smartphone,” Sean explains. “But criminals never forget. We’re seeing mobile malware that has the potential to even steal the photos on your device. Smartphone owners and developers need to be aware that they face many of the same threats as PC users in addition to new, unprecedented privacy issues.”

Here are six steps you can take right now to protect your smartphone.

Cheers,

Anna

* The survey was carried out by F-Secure via SurveyGizmo during April and May of 2011. 602 smartphones were solicited from around the globe through F-Secure’s Facebook and Twitter. F-Secure asked respondents a series of questions about how they used their smartphones.

CC image by kiwanja.

Seismic Shifts Shake Mobile Security

By Jason

When a security researcher revealed that the Apple iPhone was tracking its owner’s travel history, the revelation made news around the world.

For the first time millions of smartphone users woke up to the fact that their mobile devices may be collecting data that has generally been considered private. As billions of users around the globe adopt smartphones as a tool of choice for business and banking, rapid shifts in marketshare are creating a mobile landscape with unprecedented privacy issues and increasing security risks.

On February 11, 2011, the world’s largest phone manufacturer Nokia announced that it will be transitioning from the Symbian operating system to Windows Phone 7. This historic alliance can be seen as a response to the increasing global popularity of Apple’s iOS and Google’s Android mobile platforms. In early 2011, Google’s Android passed Symbian as the world’s most popular mobile OS.

Thus far, the diversity of mobile platforms—as compared to the PC world where Windows dominates—along with application approval processes—such as those employed by Symbian and Apple—have limited the impact of mobile attacks.

Yet Android’s growing popularity and open application development process may present some concerns for consumers. Not only have trojanized apps appeared in third-party marketplaces but in March 2011 more than 50 rogue apps were even removed from Android’s official market place.

As Android evolves to 3.0 to support tablets with customized interfaces from various manufacturers, its lack of a centralized process to patch security holes may create the possibility of ongoing exploits. These vulnerabilities will surely be exploited as the number of users using their phones for financial transactions on these platforms grows. Meanwhile, privacy concerns have sparked a federal grand jury investigation in the United States about the kinds of user data mobile app makers are collecting and sharing with advertisers.

Finally, the SpyEye mobile malware, which works in combination with a PC banking Trojan, exemplifies the high stakes cat-and-mouse game pitting financial institutions and law enforcement agencies against online criminals. This game began on PCs and has now—like most games that start on a PC—gone mobile.

Mobile OS News

In February of 2011, Nokia announced that Windows Phone 7 will be the primary operating system for its future devices. This is a historic switch from the Symbian platform that introduced most of the globe to smartphones. Windows Phone 7 and Xbox are the only Microsoft platforms where applications must be pre-approved by Microsoft before users can run them. As a result, F-Secure does not expect any major mobile malware outbreaks just because of Nokia’s partnership.

Android is now the most popular mobile platform with 39.5% market share. Android, whose rise was most striking in the United States, went from being the fourth most popular mobile platform to overtaking Apple’s iOS and Blackberry’s OS to become the leading mobile OS in just twelve months. Symbian is currently the world’s second most popular mobile platform, running on 20.9% of mobiles around the globe. As a result of the Nokia/Microsoft deal, IDG predicts that Symbian will be on less than 1% of smartphones by 2015 while Windows Phone 7 will rise to the 20.9% market share now occupied by Symbian.

Android 3.0, also known as Honeycomb, is designed to support tablet computing and compete with Apple’s iPad. Google worked with Motorola and HTC to support the launch of Honeycomb on the Motorola Xoom and the HTC Thunderbolt. These collaborations indicate that Google may be trying to somewhat rein in how developers deploy its OS. However, it also creates uncertainty in how exploits focused on different versions/implementations of the OS will be patched, which could leave some devices vulnerable to zero-day attacks.

iPhone Location Data Controversy

In March of 2011, forensic researcher Alex Levinson announced that he had found a way to map out where an iPhone has been. The information comes from a location cache file found on an iPhone (Library/Caches/locationd/consolidated.db).

F-Secure Labs’ Mikko Hypponen guessed that this data was for Apple’s global location database. This theory was later confirmed by Apple, who claimed that the tracking was a bug. Apple said that the data was tracked anonymously, per their Privacy Policy, for a record of existing networks similar to the one Google recorded world-wide when their Maps Street View cars were driving around the globe. Apple released a ‘fix’ for the bug that allows users to opt out of location tracking completely for the first time.

Most mobile carriers and smartphone OS makers, including Android and Windows Phone 7, track some form of location data. In addition, a small and growing percentage of mobile users use location-based social networks to track their location. However, few had any idea that their entire travel history could be tracked. For the very first time, millions of device owners had to face the new and uncharted privacy implications of smartphone ownership and use.

Dangerous Apps and More Privacy Problems

Apple has embraced a “walled garden” approach for the development of applications that run on the iPhone iOS. All apps available through its official App Store require Apple’s approval. Apple also holds all developer revenue in escrow for 30 days or so. As a result, most scams are shut down and removed before the scammers can benefit. Of course, the iPhone “jailbreak” has created an underground market of unsanctioned apps that Apple has no control over. But users must actively seek out these alternatives.

In contrast, Android’s approach to application development has created what could be called a “Wild Wild West” atmosphere that has been exploited by rogue developers. Malicious apps are often copies of copyrighted apps that have been trojanized and then sold to consumers as legitimate software. These trojans can lead to information leakage and high data usage, which could leave users with inflated phone bills. Previously these malicious apps were primarily distributed in third-party marketplaces, primarily in mainland China. However, in 2011, they reached the official Android Market.

In January, a Chinese version of the “Steamy Window” application for Android was found repackaged with a trojan. F-Secure Labs saw this as a clear sign that Android malware was on the rise.

Soon thereafter a new Android trojan named ADRD appeared. ADRD was mostly found included in several applications from a third-party application provider in China, with the applications repackaged to contain the trojan. Most of the infected applications were wallpaper-related.

Then in March, the threat of trojanized apps hit the mainstream. More than fifty apps were removed from the official Android Market. The malicious applications were uploaded using various developer names. According to the androidpolice.com report, one of the malicious applications contained a known exploit (“rageagainstthecage”) for gaining root access.

In response to the breach of security, Google used its “Kill Switch” to remove the trojans from Android handsets. Google also forced an install of a program called Android Market Security Tool to affected phones. This was only the second time Google has used its Kill Switch.

Google also released a security tool to affected users. Ironically, a trojanized version of the tool was found on a mainland Chinese network.

Google’s purchase of Motorola is likely to fuel Android’s growth on smartphones and tablets. Android 4 is scheduled to arrive this October, creating tablet competitors to the iPad. Tablets are more likely to be used to do things traditionally done on PCs, such as online banking, and that could very likely increase attacks on tablets.

Consumers will soon recognize that mobile devices require many of the same security precautions as PCs. Software needs to be updated and applications should be researched before installing them on your smartphones. F-Secure Labs released a list of tips for protecting your mobile device.

Even when applications aren’t malicious, users still need to be aware that phones may be sharing confidential data with app makers without the owners’ knowledge. Federal prosecutors in New Jersey are investigating several smartphone application creators, including Pandora, for allegedly sharing user data—such as GPS location, gender and age—with third parties without notifying users, in violation of the United States’ Computer Fraud and Abuse Act. While no charges have been filed, this can be seen as a serious wake-up call to application developers in regards to how they protect customer data.

Both Twitter and Facebook released https browsing support in early 2011 for PC-based web browsers in response to Firesheep, a tool that makes it possible to see what information is shared over free open Wi-Fi networks. Facebook’s implementation still has some glitches and not all social networking sites secure their data this way. Users need to be aware that information on phones (and laptops) shared over unsecured Wi-Fi is vulnerable to eavesdroppers. Use a VPN when connecting over Wi-Fi whenever possible. At the time of writing, many mobile apps and mobile web browsers do not support https browsing.

The Cat and Mouse Game Hits Mobile

For nearly a decade, financial institutions have been striving to keep ahead of online criminals. They’ve secured their sites, implemented anti-phishing technology and offered to SMS one-time passwords or mTANs to customers to protect their accounts. As banks innovate, criminals make it their business to keep up.

In late 2010, security blogger Brian Krebs discovered that the authors of two popular botnet kits had merged to form what he called a “supertrojan.” In March, a variant of SpyEye was used in a new “man-in-the-mobile” attack on a European bank. This attack combined a trojan that affects a PC’s web browser with a mobile trojan that verifies itself, forming a unique new attack that might have tricked even the savviest of users.

The trojan injects fields into the bank’s webpage to phish the customer’s mobile phone number and the IMEI of the phone. This is done under the guise that the bank needs that information to make SMS transfers MORE secure. The bank customer is then told the information is needed from their mobile. A “certificate” is sent to the phone with a notice to the user that it can take up to three days before the certificate is ready. Using the IMEI of the phone, the criminals can create a “developer certificate” that bypasses security prompts. If the trojan is installed, the one-time password can be stolen, along with all of the customer’s money.
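
The injected fields described above can be spotted because they are not part of the form the bank actually serves. The following JavaScript sketch is an added example, not code from the original post or from F-Secure: it compares the fields found in a page snapshot against an allowlist. The field names, the sample HTML and the assumption that the rendered markup is available for checking are all hypothetical.

```javascript
// Added example: compare the form fields present in a rendered banking page
// against the fields the bank actually serves. All names are hypothetical.

// Fields the genuine login form contains (assumed allowlist for this sketch).
const EXPECTED_FIELDS = new Set(["username", "password", "otp", "csrf_token"]);

// Keywords for the data this attack phishes for: phone number and IMEI.
const PHONE_OR_IMEI = /imei|phone|mobile|msisdn/i;

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function getAttr(attrs, key) {
  const re = new RegExp(
    "(?:^|\\s)" + key + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m.slice(1).find((v) => v !== undefined);
}

// List the name (or, failing that, the id) of every form control in the HTML.
function extractFields(html) {
  const fields = [];
  const tagRe = /<(input|select|textarea)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = getAttr(m[2], "name") || getAttr(m[2], "id") || "(unnamed)";
    fields.push(name.toLowerCase());
  }
  return fields;
}

// Report every control that is not on the allowlist, and flag those whose
// name suggests a request for a phone number or IMEI.
function findInjectedFields(html, expected = EXPECTED_FIELDS) {
  return extractFields(html)
    .filter((name) => !expected.has(name))
    .map((name) => ({ field: name, phoneOrImei: PHONE_OR_IMEI.test(name) }));
}

// Constructed sample: the form as the bank serves it.
const CLEAN_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="otp">
  <input type="hidden" name="csrf_token" value="constructed">
</form>`;

// Constructed sample: the same form after extra fields have been added
// in the customer's browser.
const INJECTED_PAGE = CLEAN_PAGE.replace("</form>", `
  <label>For safer SMS transfers, enter your mobile details</label>
  <input type="text" name="mobile_number">
  <input type='text' id='phone_imei'>
  <select name="device_model"><option>...</option></select>
</form>`);

console.log("clean:", findInjectedFields(CLEAN_PAGE));
console.log("injected:", findInjectedFields(INJECTED_PAGE));
```

Malware running inside the browser can also tamper with any client-side reporting, so a check like this is one signal to combine with server-side transaction monitoring.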

Users should keep in mind that while banks make their best effort to secure digital transactions, actually going into a bank for important transactions or transfers is still a wise idea.

Where is Mobile Malware Headed

Recent mobile malware makes it very easy to imagine what data e-criminals are after. In addition to banking and other crucial credentials, photos are an attractive target. This malware targeting Symbian phones can’t steal your photos, yet. But it’s close.

The phone we keep in our pocket holds an incomprehensible amount of data and access to our lives. The question is: what are we willing to do to protect it?

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #7

By Jason

Tell Facebook not to use your name and image in Facebook ads.

Yes. Facebook opts you in to almost every new feature, including using your name and image in Facebook “social” ads. Facebook isn’t alone in this. LinkedIn also recently decided that it can use your name and image in ads. Fortunately, this feature is easy to opt out of.

Facebook only uses your image in ads shown to your friends and only to promote things you’ve already “liked.” That’s the good news.

The bad news is that the average Facebook user has 120 friends and likes 100 more pages or groups. Do you remember everything you’ve liked? Might you end up endorsing something you don’t believe in? Would you rather not endorse anything? Turn it off now. Here’s how:

Go to Account> Account Settings. On the left navigation click Facebook Ads.

Under “Ads and friends” click “Edit social ads setting”. At the bottom of the screen you’ll see this:

In that pulldown menu, select “No one”. Click Save Changes.

Facebook does not give third parties the right to use your name or picture in ads. But they might. How do I know? Am I psychic? No. They already have a setting for it.

To opt out of giving Facebook the right to use your name and image in ads, click on Facebook Ads again. Under “Ads shown by third parties” click “Edit third party ad settings”.

At the bottom of that screen, you’ll see this:

In that pulldown menu, select “No one”. Click Save Changes.

You’re done.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
  2. Turn on Secure Browsing.
  3. Secure your account.
  4. Control how the world sees you via Facebook.
  5. Turn off Instant Personalization and audit your apps.
  6. Watch where you click.
  7. Tell Facebook not to use your name and image in Facebook ads.
  8. Start using Facebook lists.

Cheers,

Jason

DIY: computer sleeve

By Marja

I would love to be skilled in handicrafts. However, in reality this is not the case. I have many unfinished, quite laborious projects on my hands – a fall jacket, a sweater and a pair of pants just to mention a few. The problem might be that they all require more patience than I truly have.

But here’s something a bit easier and it can even protect your PC. Best of all, it doesn’t require a sewing machine – not even scissors or glue.

Tutorial – How to transform your hoodie into a laptop case, folding guide. Via The Trendy Girl.
Thanks Outi for pointing this out!

Marja

Will the Google+ gender gap make it… or break it?

By Jason

If you saw the movie The Social Network, you may remember how it depicts Napster founder Sean Parker discovering Facebook. He spies a female college student who he’s ‘dating’ using the site almost immediately after they’ve woken up together. It’s a telling detail.

Several of the men around F-Secure who discovered Facebook did so by looking over their wives’ or girlfriends’ shoulders. This anecdotally confirms what Comscore found in July of 2010: social networks reach more women than men and women spend 30% more time on social networks than men do.

In 2004, I was working at a company that was building a social network to compete with MySpace, which had quickly replaced Friendster as the most popular social network in the world. Our team saw how MySpace courted club culture and built celebrities up as they lured bigger celebrities in. We wanted to replicate this feeling of digital nightlife.

Of course, the theory that women attract men to real life social events has motivated nightclubs around the world to offer discounts to females through various promotions for generations. Thus we decided that it was women who drive the growth of social networks, most effectively recruiting others. Sadly, for business reasons, we never got to test that theory out.

But now it seems Google+ may be employing a strategy that is having an opposite effect: men are clearly growing the network. Based on a sample of 46,573 users, SocialStatistics.com finds 86% of Google+ users are male. That’s probably an overestimation, but an abundance of males is a very familiar statistic to those of us who have targeted beta audiences and early adopters.

When you look at total users, there’s no doubt that Google+’s beta is successful. Some have called it the fastest growing social network ever. And Google definitely has not repeated the privacy gaffes in the launch of its Buzz network, which immediately connected users to Gmail contacts.

By only launching a limited field trial, Google has made Plus exclusive, attracting, as F-Secure Security Advisor Sean Sullivan points out, “…just the type of folks that you want as beta testers.”

But will this beta tester population grow a network big enough to compete with Facebook, the largest social network in human history? This privacy-sensitive decision could end up hurting Google+’s bottom line. And it seems that the search giant is beginning to recognize this.

Google+ has now extended 150 invites to all users of the site, a variation on the strategy that made Gmail a global powerhouse. And users can now invite friends via Twitter links.

But the question remains, since you can’t advertise on Facebook, how do you reach those non-beta users who will make your network social? Ask Tom Anderson, your friend from MySpace. He’s advising Google+ to court the influencers that made MySpace such a juggernaut and to do so quickly.

Cheers,

Jason

CC image by: Sean MacEntee

Worst Place to Lose a Phone Sweepstakes: Win an HTC Sensation

By Anna

THIS SWEEPSTAKES IS NOW CLOSED. Please ‘like’ our Facebook page for more giveaways and Internet security tips.

Earlier this summer, my friend’s husband was enjoying the Helsinki nightlife. He had a good time, such a good time that he didn’t notice that he’d lost his phone till the next day. Unfortunately, he never got his phone back. But he did find an extra 100 Euros in calls on his bill made by whoever was lucky enough to find his lost phone.

When you’re out and about enjoying your summer, it’s much easier to lose track of your phone. That’s why our Free Anti-Theft for Mobile makes it easy to lock most Symbian, Android and Windows Mobile phones from wherever you are.

So we have a question for you: Where would be the worst place in the world to lose your phone?

Your answer could be one word. It could be based on a true story or a fictional situation. By answering this question in the comments below, you’ll be entered to win an HTC Sensation with F-Secure Mobile Security.

Just read the rules and post your answer.

ADDITIONAL CHANCE TO WIN: Once you’ve entered this sweepstakes, you can take this one-minute survey on Online Safety. Once you’ve completed the survey, post one ADDITIONAL COMMENT with the words “Survey completed”.

Cheers,

Anna

CC image by brokinhrt2

Stay safe, discover stuff and earn rewards with ShareSafe

By Sandra

We’re proud to introduce the beta of our first Facebook application F-Secure ShareSafe.

ShareSafe helps you share better. Win rewards for sharing great links while protecting your friends from spam and malicious links. This video shows you how it works:

You earn 10 points whenever you share a link with ShareSafe. Earn even more points when your links are clicked or liked. If a friend of yours accepts your invitation to join ShareSafe, you earn 50 points plus bonuses as more of your friends join. And these points will help you win prizes picked out just for you.

This is the beginning of a movement to make Facebook an even better place for connecting with your loved ones. Thanks for checking it out and sharing it with the people you want to protect most.

Cheers,

Sandra

How to start over with Google+

By Jason

Will Google+ ever replace Facebook? It’s difficult to imagine. While 15 million people—including tens of thousands representing businesses—have reportedly signed up for the beta, Google+ is still some 700 million users behind Facebook.

However, it’s clear that the search giant has created a social platform with interesting features—like Circles and Hangouts—worth checking out. And for me, Google+ represents more than a Facebook clone that lets me know I have new friends whenever I log into my Gmail or Google Reader. It’s a chance to rebuild my social network using what I learned from years of using Facebook, Twitter and MySpace.

In many countries you can start your Google+ account now, by logging in here. Here’s a nice preview of what you’ll find there:

To be honest, I’m not the world’s biggest Google fan. I’ve even tried to get it out of my life. But I do recognize that there is an opportunity here to make my social interactions on the web more interesting with a little less risk. So here’s how you can start your social network over on Google+.

1. Know why you’re using Google+.
When Nirvana’s Kurt Cobain used to complain about the burdens of fame, critics would say, “No one ever started a rock band to NOT become famous.” And no one goes on a social network to be ignored. We just want control over what kind of attention we get.

Google is a business that gives away the vast majority of its products for free. Why? The old saying goes, “If you aren’t paying, you are the product.” Google makes billions selling you to advertisers. When you search (or check your Gmail), you pay for it by experiencing ads. Search will always be the core of Google’s business. So what you share on Google+, if you allow it to be public, is likely to show up in a Google search.

Some say Google+ isn’t a vast improvement over Facebook. The same potential to share information you shouldn’t exists and soon even things like games and apps that create privacy problems on Facebook will appear on +. I agree. However, you have improved. You get what is at stake when using a social network. You know that people have lost jobs and scholarships because of their social media presences. And in the US, your social networking history is even fair game for potential employers. Knowing all this, there are tools in Google+ that make sharing more logical and potentially safer.

If you’re at the point that you feel you still want to be social but your existing network doesn’t work anymore…. If you’re sick of having your information shared and being opted into new features all the time… If you just want to start over, Google+ is perfect for you.

2. Get your privacy settings right.
Are Facebook’s privacy settings purposely confusing or is there just so much going on with the site that they have to be complex? Both answers are true. Some features—like facial recognition, using your identity in ads and Instant Personalization—are, I believe, purposely hidden. Others just naturally are buried to make the site easy to use.

Google+ is still relatively simple. It will become more complex but you still can quickly get most of your privacy settings right. Here are the three most important settings.

Prevent anyone on Google+ from emailing you

As my social network use has grown, my email has become more sacred. I use it for business and close family and friends, exclusively. Google+ as a default gives everyone on the network the right to email you.

To turn this off, go to the gear in the top right corner and select “Google+ Settings”.

Select “Profile and privacy”.

Next to Public profile information click “Edit visibility on profile”.

Under your profile image, you’ll see a “Send an Email” box. Click on that.

At least until you have your circles set, uncheck the box next to “Allow people to email you from a link on your profile”.

Turn off email notifications

Go to the gear in the top right corner.

Click on Google+ settings.

On the left of the next screen click on “Google+”.

I recommend you uncheck every box on this screen. How will you know if you have any Google+ activity? There’s a notification box that will automatically pop up in red on the black interface bar that appears whenever you use any Google site.

Now, while you’re on this page:

Edit who can see your pictures and videos

On the bottom of the Google+ Settings screen, you’ll see “You can change the visibility of your photos and video tabs on your profile.”

Click on “photos” first.

Until you set up your Circles, you may want to turn this tab off.

When you’re done adjusting these settings, click save then go back in your browser and do the same thing for videos.

3. The most important step: Take your circles seriously.
The average Facebook user has 120 friends. They also follow over 100 groups, brands, celebrities and organizations. This produces a tremendous amount of information. As a result, Facebook edits your feed to give you the updates you’re most likely to interact with.

You may be following people you haven’t talked with in years and missing updates from your mom. And you’re probably sharing everything with everyone—unless you use Lists or Groups, which are challenging. As a result, people are often sharing much more than they realize.

Google+ aims to fix that. You don’t want to share your travel plans with anyone but your family? On Google+ that is easy if you take your Circles seriously. As you add new friends, place them in the right circles.

And as you share, only share with the Circles who you want to reach. It’s much simpler than Facebook’s Groups and just requires a little thought before each post.

More on Google+

Many people think Google+ isn’t just about competing with Facebook; it’s a social backbone for the web. Regardless, these 21 Google+ Privacy Tips will put you ahead of the curve on the fastest growing social network in history.

Cheers,

Jason

Wow…Mikko received a standing ovation for his TED talk

By Sandra

The TED conference brings together some of the most prestigious thinkers in the world to share “Ideas Worth Spreading”. It’s an honor just to be selected to participate in the conference and an even greater honor to be asked to give a talk. Al Gore, Bill Clinton, Richard Dawkins, Bill Gates, Richard Branson and several Nobel Prize winners are among those who have given a TED Talk – each of which is 18 minutes in length.

At last week’s TED Global my colleague Mikko Hyppönen, F-Secure’s Chief Research Officer, gave an awesome talk on computer crime issues. He became only the second presenter to give a TED Talk about computer security. The first one was Ralph Langner, who spoke about Stuxnet at TED in Long Beach in February 2011.

Photo: James Duncan Davidson / TED

Mikko has been described in US government documents leaked by Wikileaks as an “infosec rock star” and in his talk he highlighted our collective role as the first generation that got online. He described his journey to find and meet the creators of the first PC virus. Defeating the next global virus outbreaks depends on international cooperation to track down and stop cybercriminals. That’s why Mikko is calling for the creation of an international collective of law enforcement to fight online crime.

To understand why Mikko received a standing ovation, you have to see the talk itself. It’s now live at http://on.ted.com/Hypponen

 

After you watch Mikko’s talk, be sure to check out his journey to meet the creators of the PC virus:

Enjoy!

Cheers,

Sandra

How to Use the Internet Safely—Before, During and After Your Next Vacation

By Jason

Before laptops and smartphones, getting away from the Internet was easy. At least, you had a choice. Now most anywhere you are, your most useful and addictive sites, apps and feeds are as close as your pocket or purse.

In a recent Facebook Question, we found that more than 83% of respondents plan to use the Internet in one way or another while on holiday. 41% will connect on their laptops while 35% will depend on their mobile devices for their digital fix.

Using your devices while away from home presents some security risks. Whether you choose to plug in, tune out or a little of both, a few precautions will help keep your data and your identity safe while you enjoy a little rest and relaxation.

Before

Back up your PC and update your system and security software
A patched and protected PC is your best defense against any online threat. But because you can’t always predict what will happen to your actual laptop or device, you should make certain your irreplaceable documents and media are all backed up and safe in the cloud or at home.

Contact your credit card company to let them know if you’ll be traveling abroad
If you’ve ever been a victim of credit card fraud, you know the charges can start coming from anywhere. Thus credit card companies often block transactions that are made far away from your home. While this is for your own protection, it can hinder you when you’re in the midst of your travels. Be proactive. Let your card company know your travel plans when you’re going abroad.

Don’t post your travel plans on your public social networks
When you live online, it feels comfortable to share your personal life with people you don’t know that well. If you’re a master of privacy settings or Google+ Circles, you can feel more comfortable sharing your itinerary. The key point: don’t tell anyone online your travel plans who you wouldn’t tell in real life.

During

Secure your browsing when using public Wi-Fi
If you’re connecting to a wireless network you don’t control, use a VPN. If you can’t, secure your browsing whenever possible with https connections.

Use extra precautions on public computers
You never can know for sure what sort of malware is on a public computer. Your every keystroke could be logged. When using a public computer, avoid online banking and shopping. And use one-time passwords if they are available, as they are for Facebook and Google.

Watch for shoulder surfers
Keep an eye on who is watching what you type and input. And if you leave your laptop in your room, leave it in a safe when available.

After

Check the credit card you used for irregularities
Reviewing the bill of the card or cards you’ve used for travel and/or online purchases is always a good idea. Report any questionable charges ASAP.

Back up your pictures and videos from your trip
The sooner you get your media backed up, the better the chance that you’ll be enjoying digital memories of your trip for years into the future.

Now share your pictures with your social networks
Or don’t. Either way, you’re safely back home with your PC and your memories intact.

Cheers,

Jason

CC image by Spree2010

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #5

By Jason

Turn off Instant Personalization and audit your apps.

In 2010, Facebook began sharing users’ account information along with profile pictures with sites including Yelp, Rotten Tomatoes and Bing. These partner sites then serve Facebook users public information from the users’ friends.

Facebook calls this Instant Personalization. And you’re probably already using it on the following sites:

Do you LOVE seeing all of your Facebook friends’ activity on any web site you visit? Then keep Instant Personalization on and simply opt out of each site you don’t want to have access to your Facebook account individually. Otherwise, I recommend you do the following now.

How to Turn Off Instant Personalization and Audit Your Apps

  1. Go to Account and click on Privacy Settings.
  2. Below Apps and Websites click “Edit your settings”.
  3. Under Instant Personalization click Edit Settings.
  4. Close the video, unless you have a lot of spare time.
  5. Uncheck the box next to “Enable instant personalization at partner websites”.
  6. Click Back to Apps.
  7. Under “Apps you use” click Edit Setting.
  8. Click the little blue x next to any app you aren’t using.
  9. Don’t worry if you remove an app you still use, you can add it again later.

Here’s why you should turn Instant Personalization off

A general principle of privacy is that you should not give access to your data to anyone who does not need it. This is why if you’re not using an app, that app’s developers do not need access to your account.

The problem with Instant Personalization is that Facebook makes the choice about which third parties get access to your information. Additionally, Facebook makes it too difficult to turn Instant Personalization off—especially if you’re trying to shut off one partner but not the others. This is good for a social experience but a privacy problem.

You may now be sharing information with people you didn’t mean to ever see it. Do you want your boss to see your scathing review of a microbrewery? Do you need your child’s babysitter seeing that you liked the movie Borat when she’s searching on Bing?

Facebook will be adding more and more sites to Instant Personalization. Doing so is crucial because they have to make as many of your favorite sites social before a competitor like Google+ does it first.

We know Facebook has the incentive to share. But do you?

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
  2. Turn on Secure Browsing.
  3. Secure your account.
  4. Control how the world sees you via Facebook.
  5. Turn off Instant Personalization and audit your apps.
  6. Watch where you click.
  7. Decide if you want your name and image to appear in Facebook ads.
  8. Start using Facebook lists.

Blessed are the nerds (for they break the software)

By Sandra

Beta programs usually have two mutually exclusive goals:

  1. To build up buzz for a new product—as in the case of Gmail and now Google +.
  2. To test and improve a piece of software nearing release.

Right now we are in the middle of the beta for Internet Security 2012. And if you are now thinking, “Yes, I want to test this piece of new software till smoke is coming out of my PC” then we hope you’ll sign up for our beta program. However, as Internet Security 2012 is still being developed we don’t think the beta is for everyone.

We offer free licenses for our Anti-Theft for Mobile and have in the last year given out licenses to our Mobile Security and even our 2010 AV-Test Product of the Year Award-winning Internet Security via our Facebook Page. And when Internet Security 2012 is available to the public, we hope the whole world will take our free trial.

But for the beta, we’re only looking for passionate software experts who will help break our software. Yes, break it. Or at least tell us how to make it perform better for you. That’s how we work to bulletproof the protection we provide. It’s hard work and the finished result is a tribute to the beta testers’ tenacity and ingenuity.

Are you a software aficionado yourself? Do you know any experts that would like to put our protection to the test?

The sign up process is in-depth and it will help you or your friends and us know if the program is a good fit.

Thanks for following us. Your interest in F-Secure is greatly appreciated.

Cheers,

Sandra

CC image by Ryan Tir

How to Turn Off Facebook Facial Recognition

By Jason

Facebook’s Facial Recognition is a tool that makes it easier to tag photos. Using all the images that have been uploaded to the site, Facebook has created a faceprint of every member. When you upload photos, it uses the faceprint to identify all faces and will then tell you if your friends are in the picture.

This feature only identifies your friends and it’s probably already on in your account, as Facebook opts you into most new features. The biggest privacy risk of Facial Recognition, as it exists, is that you may end up being identified in photos you don’t want people to find.

How to Turn Off Facebook Facial Recognition

  • Go to Account>
  • Privacy Settings>
  • Click on “Customize settings”>
  • Under “Things Others Share” find “Suggest photos of me to friends” and click the Edit Settings button >
  • Click the button that says Enabled and select Disabled.

You may also want to take these other steps to control your image on Facebook.

Background

This week on our Facebook page we’ve been experimenting with Questions. We got some good news: 38% of those who responded said that they had gotten rid of an app they weren’t using and another 30% said they don’t install apps they don’t use. And we got some bad news: 35% of those who we asked if they’d turned off Facebook’s Facial Recognition responded with “WTF??”, an answer added by one of our followers.

That over one-third of our followers seemed to be saying they were confused by Facebook Facial Recognition led me to believe that my post on the topic wasn’t clear enough.

A quick guide to mobile malware (part 3)

By aliafs

This is the third and final article in this series on mobile malware.

How (Can I Protect Myself)?

Permissions request list from Trojan:Android/AdSMS

In my previous articles, I’ve covered what kind of mobile threats have emerged in the first half of 2011 and why these malicious programs may cause concern for smartphone users.

Now, let’s assume you’re a cautious smartphone user who wants to make sure you don’t get hit by a malware infection on your smartphone. What can you do?

Well, you can’t do much better than getting advice from an expert. Zimry, an Analyst from our Response Lab, wrote an excellent piece on mobile security in our Labs Weblog a while ago. The post includes some practical actions a user can take to protect themselves from mobile malware, so rather than repeat that here, I’ll just say – check out Zimry’s post!

Trust issues

For this post, let me focus instead on the central issue that any mobile security tips deal with, either directly or indirectly – evaluating trustworthiness. I won’t be offering a step-by-step how-to guide, but rather a change in the way an average user might be looking at mobile security, which would hopefully lead to better security practices.

Of course, there are mobile antivirus programs that can provide an independent evaluation for apps and websites. Still,  just as with the PC, mobile security isn’t just ‘install a program and forget about it‘; secure browsing habits and an alert user play a big part in security too.

Now, to even begin to appraise a site or an app, you first have to have some kind of benchmark or a mental framework that can help you accurately evaluate the potential security concerns. Unfortunately, since the whole ‘mobile environment’ (as opposed to the ‘online’ or ‘PC’ environments) is still rapidly evolving, there simply aren’t that many ‘landmarks’ or ‘signposts’ (right now) that can help a user gauge the risks they may be facing.

So to help you start getting a ‘feel’ for evaluating mobile security risks yourself, here are a few things you might want to consider when you’re navigating the mobile environment  (if you have any other suggestions, feel free to comment!).

‘Levels’ of trustworthiness for app sources

“Only download apps from trusted sources” – this is by far the most common advice you’ll probably hear for mobile security. It also brings up the obvious question: how do you know a source can be trusted? This does require a bit of a judgement call, but you could very roughly grade sources into three levels of trustworthiness based on two factors:

  • How much security checking the source provides on the apps it promotes
  • And how much independent feedback is available for you, as the user, to make an informed judgement

Top Level Trusted Sources would comprise the official download site maintained by each operating system vendor – Google’s Android Market, Apple’s Appstore, Blackberry’s App World and so on. The apps posted on these sites are usually vetted by the respective agencies (to varying degrees). This is also the easiest ‘standard’ source for most users; Android devices require the user to change a setting in order to install apps from non-Market sources, while iPhone users need to jailbreak their device before using apps from outside the Appstore.

Second Level Trusted Sources would comprise the popular but unofficial sites or forums that also host apps, usually for a particular operating system. There are quite a few of these sites around, ranging from dependable community-run portals for developer/enthusiasts to outright warez sites for users wanting cracked versions of paid apps. Most of these sites do post reviews from other users, which can serve as a rudimentary safety check for a browsing user, but still, the caution ‘Buyer Beware’ applies.

Third Level Trusted Sources are basically anything that isn’t an ‘official’ source or a major community site with a large pool of active users – the ones you’ve personally tried and are comfortable with using. In this category, we could put files shared between online friends and really any other kind of informal app sharing. The risks involved here are really up to the user.

Evaluating an app’s trustworthiness

“But wait!” I hear you cry, “Wasn’t there a malware outbreak on Android Market itself? And a couple trojans on the iPhone as well? How do I know if I can trust even the apps on a ‘trusted source’?”

Very good point. Despite any security checks an official site may have, malicious-minded folks can and do manage to slip through the cracks from time to time. This means that even on trusted sources, users shouldn’t relax their vigilance entirely.

Before downloading an app, it’s worth your while to scrutinize it closely; a little research before installing can save hours of regretful clean-up later. So, what should you be looking at?

  • Check the application permissions
    Read through, understand and make sure you’re comfortable with the controls the applications request. Also, make sure they make sense. A media player probably shouldn’t be asking to send SMS messages. Don’t forget to check all the permissions – some apps have a long list of permission requests, and the more objectionable ones could be conveniently off-screen, or even require the user to click additional buttons before being displayed.
    If there are any permissions requested that seem inexplicable, or make you uncomfortable, you could also try contacting the developer directly. Most reputable developers provide a channel – whether it’s a website, Facebook page or direct replies to user reviews – to receive and respond to feedback.
  • Check the reviews
    All the official download sites show a user reviews section, which can give illuminating feedback about the app. Most unofficial forums will also post reviews from other users. You may also want to check through the reviews to see if anyone else using the same device model as yours has contributed any useful feedback. If a malware is using a particular vulnerability on a specific operating system version to run, it’s possible the malware won’t work on any other version.
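The permission check described above can also be done mechanically. The following is an added example, not part of the original article or any F-Secure tool: it reads the `<uses-permission>` entries from an Android manifest that has already been decoded to text XML and sorts them against what an app of a given kind plausibly needs. The sample manifest, the category names and the expected-permission sets are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names in an Android manifest live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: text-form manifest of a hypothetical media player app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Media Player"/>
</manifest>
"""

# Permissions that can cost the user money or expose personal data.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS, including to premium numbers",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming text messages",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "can read precise location",
}

# Assumption for this example: what each kind of app plausibly needs.
EXPECTED_BY_CATEGORY = {
    "media_player": {
        "android.permission.INTERNET",
        "android.permission.WAKE_LOCK",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.READ_PHONE_STATE",
    },
    "sms_client": {
        "android.permission.INTERNET",
        "android.permission.SEND_SMS",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
    },
}


def requested_permissions(manifest_xml):
    """Return the sorted permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    names = {el.get(name_attr) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def audit(manifest_xml, category):
    """Sort requested permissions into expected, worth a look, and red flags."""
    expected = EXPECTED_BY_CATEGORY[category]
    report = {"expected": [], "review": [], "red_flag": []}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            report["expected"].append(perm)
        elif perm in SENSITIVE:
            # Sensitive and not explained by what the app claims to be.
            report["red_flag"].append((perm, SENSITIVE[perm]))
        else:
            report["review"].append(perm)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "media_player")
    for perm, why in result["red_flag"]:
        print("RED FLAG:", perm, "-", why)
    for perm in result["review"]:
        print("review:  ", perm)
```

The same manifest audited as an `sms_client` raises no red flags, which is the point of the advice: a permission is suspicious only relative to what the app claims to do.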

Verifying a site’s trustworthiness – on a mobile browser

A phishing site viewed on a mobile browser

Phishing was one of the malicious activities we predicted would be an issue on mobile devices, particularly as the small screen real estate makes it difficult to conveniently check a webpage’s URL. This is one area where user vigilance has a direct impact on security.

Manually typing in the correct URL for a site you want to visit – particularly if it’s a banking or social networking site, or any site where you have to enter in log-in credentials – is the surest bet. In this case, unless the site itself has been thoroughly compromised, there are simply very few ways for an attacker to divert you to a site of their choosing.

If you’re directed to a website by any other method, you would need to consider evaluating a) the site that sent you; and b) the site you’re being sent to. Were you directed to the new location by a reputable site you frequent? A search engine? A bookmark? An ad? The sender’s trustworthiness would depend entirely on your familiarity with and confidence in it.

Once you’re on the new site, even if it looks perfectly legit, taking a quick glance at the full URL is a good way to evaluate the site’s trustworthiness. It’s particularly important to double-check the URL on any site that asks you to enter information. If there’s anything ‘phishy’ about the site – try searching for the site in a search engine and compare the URL with the one you’re on.
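Why the full URL matters on a small screen, as an added example that is not part of the original article: the host a browser connects to is decided by the right-hand end of the host name, while a narrow address bar shows the left-hand end. The URLs, the `bank.example` domain and the 24-character bar width below are constructed for illustration.

```python
from urllib.parse import urlsplit


def real_host(url):
    """Host the browser will actually connect to (user info and port stripped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def narrow_bar_preview(url, width=24):
    """Constructed model of a small address bar: scheme hidden, text cut at `width`."""
    return url.split("://", 1)[-1][:width]


def check_url(url, expected_domain):
    """Return (ok, reason): does `url` really belong to `expected_domain`?"""
    parts = urlsplit(url)
    host = real_host(url)
    expected = expected_domain.lower()
    if parts.scheme != "https":
        return False, "not an https connection"
    if parts.username is not None:
        # Everything before '@' is a user name, not the site being visited.
        return False, "text before '@' is a user name, real host is " + host
    if host == expected or host.endswith("." + expected):
        return True, "host matches " + expected
    return False, "real host is " + host


# Constructed sample URLs using reserved example names and addresses.
SAMPLES = [
    "https://www.bank.example/login",
    "https://www.bank.example.account-check.example.net/login",
    "https://www.bank.example@203.0.113.7/login",
    "http://www.bank.example/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_url(url, "bank.example")
        print("%-26s %-5s %s" % (narrow_bar_preview(url), ok, reason))
```

All four samples look alike in the truncated preview, but only the first passes the check.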

You can also look for and use a mobile security program that performs real-time URL checking and displays a warning if it leads to a known malicious site. Depending on the program, there may be an impact on the speed of browsing, so you’ll have to evaluate for yourself whether the risk outweighs the inconvenience. Of course, we have a Mobile Security app, but look around as well and find something that suits your needs.

Summary

Though mobile security is a relatively new field, and we expect to find unique threats targeting mobile users in the months to come, there’s one thing that doesn’t change whether you’re on a smartphone or a PC – the need to stay alert, cautious and informed.

With just a little bit of knowledge and care, you can enjoy all the benefits of having a spankin’, shiny smartphone – without any nasty trojans or worms to worry about.

Surf safe!

Facebook Facial Recognition Questions and Answers

By Jason

What is Facebook facial recognition?
Facebook says facial recognition is a way to make photo tagging easier. Using image data taken from the more than 90 billion photos that have been uploaded to the site, Facebook uses faceprints to find your friends in your photos as you upload them. This feature has been available in the US since the end of 2010 and is now available in most countries.

Is it on in my account?
Yes. It probably is. Facebook opts all users into facial recognition, as it does to most new features.

Ew. Can I turn this off now?
Yes. Go to Account> Privacy> Click on “Customize settings”> Under “Things Others Share” find “Suggest photos of me to friends” and click the Edit Settings button > Click the button that says Enabled and select Disabled.

Am I safe now?
You’re probably safe, unless you’re reading this as you’re driving. But if you’re worried about controlling your image on Facebook, you should probably check your profile, adjust your photo tagging settings and stop search engines from finding your profile.

Okay. I can feel my hands again. Now why was I so scared?
You’re not alone. Maybe you thought strangers would be able to identify you by just posting a picture?

Yes. I don’t want strangers to be able to point their phones at me and know who I am. Can they do that?
Not using Facebook’s facial recognition. Only your friends will be able to identify you in pictures. For strangers to have access to your faceprint, Facebook would have to radically change the feature. This seems unlikely given how sensitive users are to facial recognition. Google has indicated they wouldn’t pursue such a stranger search because the former CEO found the technology “very concerning.”

So there’s no danger?
Well, are you looking for a job or might you be at some point?

Probably.
Then your images could end up as part of a pre-employment background check. And this feature may help your friends tag you in a photo that may not impress your future employer.

How can I make sure that never happens?
You can’t opt out of new photos you are tagged in on a one-by-one basis. Or you can just make sure you’re the only one who can see that you’ve been tagged in a photo…

I want to do that. I want to be the only one who can see if I’m tagged in a photo. How do I do that?
Go to Account> Privacy> Click on “Customize settings”> Under “Things Others Share” find “Photos or videos I’m tagged in” and click Edit Settings>  Next to “Who can see photos and videos I’m tagged in” select Custom> Below “Make this visible to” select “Only me.”

Why does Facebook make it so hard to make it so I’m the only one who can see if I’m tagged in a photo?
Facebook has complex settings because it has complex features. Additionally, photo tagging is also extremely important to Facebook’s growth. Photo sharing is the site’s core competency and photo tags generate updates in your feed that bring you back to the site. Additionally, Facebook’s growth is coming from countries where mobile phone adoption is massive. Quick tagging tools enable mobile users to tag on the go. Facebook really does want to make photo tagging easy for you—for business and not surveillance reasons.

Shouldn’t this be something that I have to opt into?
Lots of people say, “Yes.” Facebook opts users into new features because Facebook is a business and this feature is much more useful to its business if everyone is using it. Since Facebook didn’t see a change in what you share with whom, it rolled facial recognition out to all users. Facebook has said it should have been “more clear” about the feature.

So it’s not the end of the world.
It’s the beginning of a new world. Privacy issues involving facial recognition and location sharing are evolving on a daily basis. All of us have to think of the practical implications of making ourselves easier to identify and locate. Numerous unforeseen benefits and costs likely await us all.

Cheers,
Jason

A quick guide to mobile malware (part 2)

By aliafs

This is the second article in a 3-part series on mobile malware.

Why (should I be worried)?

Worm:iOS/Ikee.A changed the phone's wallpaper

Last week I gave a brief summary of the kinds of threats a user might encounter on the smartphones of today. This week’s article is supposed to cover the reasons why a user would worry about mobile malware, so let me give the short answer now:

Usually, mobile malware attacks are motivated by: Bragging rights; money; stealing personal information that can be sold for money. For the user that gets hit by the malware, it means: Losing control over your phone; losing your money; someone else might be using your personal details for who-knows-what.

So let’s assume your phone’s been infected. Just how much should you be worried? Well, that kind of depends on your luck and what kind of malware you’re dealing with.

“Hey folks! Look what I can do!”

Like PC-based malware, the first threats to appear on the phone are often the product of some technically-minded person finding a loophole in the phone’s operating system, writing a program to exploit it, then releasing it to the general public to, basically, prove that it can be done. A prank for bragging rights, more or less. There may also be more subtle motivations involved, but if your phone is on the receiving end, you probably wouldn’t care.

Sometimes, if you’re lucky, that first malicious program doesn’t do anything worse than changing the phone’s wallpaper (Worm:iOS/Ikee.A is a good example here). So, for the user, the cost for the malware creator’s bragging rights is: time spent dealing with the problem and probably a massive headache.

Not a good loss, but bearable. Unfortunately, the next two potential losses for a user hit by mobile malware – money and/or personal data – are more serious.

“Give me back my phone!”

As other attackers get hold of that pioneer program and modify it to be more malicious, the next few versions (or variants) of it usually get more ‘risky’ to the user. If the malware is really malicious, it can alter the phone’s functionality to the point that the device is basically ‘bricked’ – it can’t be used for anything other than a paperweight.

Some examples we saw on the Symbian platform – which, by virtue of being the first widely used smartphone platform, also suffered the most threats – were Cardtrap, Skulls, Romride and Locknut. At this point, if the damage isn’t recoverable, the user is also out by the price of the phone and loss of the data stored on the phone itself. Ouch.

SMSes = $$$

Still, not everyone has to be concerned about data loss, if they have their contacts backed up elsewhere and they don’t keep financial or confidential details on their phone. What if you do, though? Say, you do mobile bank transactions, or store your PINs or account log-in details on the phone? Can an attacker find a way to pull confidential data off the phone?

‘Early generation’ smartphones – for the sake of this article, let’s say they’re the ones that sent data out by WAP – didn’t give crooks a lot of options for getting hold of data they could make money from. On these phones, the ‘traditional’ way for crooks to make money was through what amounts to SMS fraud (an example is the Redoc trojan family).

In this kind of scheme, the attacker has to plant a trojan on the device that forces it to send SMS messages to a premium phone number, which can rack up a high phone bill for the user. Though effective, these attacks tend not to be very widespread, as they are limited by the geographical location and size of the telecom networks and target-able users. If you’re not in the target group, the threat is almost nonexistent.

Stealing data

Nowadays though, ‘new generation’ smartphones – as in ones with fast data connections backed up by unlimited or cheap data packages from telco providers, making it convenient for a user to just leave the data connection open – offer a crook more options. Instead of bothering with SMS fraud, they can create malware that finds and retrieves specific information stored on the device, which could potentially give far greater returns. Case in point is the very next Ikee variant, Ikee.B, which stole financially-sensitive information stored on the phone.

In this case, the loss is hard to estimate as fortunately, this type of malware isn’t common and the risk they pose is highly individual, depending on what details you store on your phone. It would probably also depend on how the attacker would be able to convert the details stolen into hard cash – sell it off in bulk together with details stolen from others? Find a way to log into a compromised account and withdraw the money?

There’s no ‘standard scenario’ here, so it’s hard for a user to realistically evaluate the fallout of having data stolen off their phone. All that can be reliably said is that personal and financial details are major targets on a PC and they’re probably no less attractive on mobile devices; it’s just that up until now, attackers didn’t have a way to scam these details out of someone on a mobile device.

Going straight for the money

As with PC threats, the main motivation for mobile threats seems to have transitioned from bragging rights to making money. And in a totally unscientific personal observation, it sure seems like mobile malware made that transition much faster than PC threats did. As a very rough comparison:

  • Brain, the first PC-based malware, came out in 1986; it was only in the early 2000s that profit-motivated malware became prevalent (though there doesn’t seem to be any agreement on which was the first).
  • By comparison, the iOS was launched in early 2007; its first trojan (of the bragging rights variety) came out almost exactly a year later; and shortly thereafter came Ikee.B, which was more malicious (but only on jailbroken iPhones).
  • The Android OS was launched in late 2007; its first trojan was also the first to try an SMS fraud scam, and it appeared in August of 2010.

It’s early days yet for mobile threats so we really don’t know how they are going to evolve.

It would probably be a safe bet to say that there are going to be more new threats though, and not all of them are going to be as benign as plastering on a Rick Astley wallpaper.

Next week, the last in this series – How (can I protect myself)?

3 Predictions for the Second Half of 2011

By Sandra

Internet security evolves fast. And once it changes, it’s almost impossible not to see the world in a new way.

Malicious software has only been effectively used to make large sums of money for less than a decade. But now it’s hard to ever imagine a world without online crime.

In 2011, we’ve already seen hackers take down Sony’s PlayStation Network for weeks. Dozens of malicious apps have been removed from the Android marketplace. And the United States government indicated that it could retaliate against cyber attacks as it would against conventional attacks.

We asked F-Secure’s Chief Research Officer Mikko Hypponen what he forecasts for the rest of 2011. Here’s what he expects:

We’ve linked to a Labs blog post about current events related to each prediction for more insight. For breaking news, be sure to follow Mikko and F-Secure Labs Advisor Sean Sullivan on Twitter where they break news pretty much every day of the week.

Cheers,

Sandra

Creative Commons image by skenmy

F-Secure Launches New Community Powered by Experts Like You

By Sandra

We’re proud to invite you to join the all-new F-Secure Community. This state-of-the-art forum provides all-new ways to connect, to share and to discover what is secure and safe in the digital world.

Whether you are currently an F-Secure customer or not, you can post questions in the community and get an answer ASAP. Or you can ask a question in the app on our Facebook page and your answer will be posted directly to your profile, thanks to the industry-leading technology of the Lithium Community Platform. Either way you’re participating in the creation of a wealth of knowledge that will be appreciated by people all over the world.

The F-Secure Community continues our efforts to support you using the tools you use most. Just last year our Customer Care team launched chat support that has already become the choice of 45% of our English-speaking users. Chat services are now available during most of the day in 7 languages and around the clock in English.

We’re just getting started and invite you to come along for the ride. The most active participants will be recognized and rewarded. We’re looking forward to adding additional language coverage and Twitter integration. Check it out and let us know how it works for you.

Cheers,
Sandra

A quick guide to mobile malware (part 1)

By aliafs
Bluetooth-Worm:SymbOS/Cabir

Message shown by the Cabir Bluetooth-Worm

From late 2010 to the first few months of 2011, there’s been a fair bit of buzz in the tech media about how mobile malware may be the big IT security issue for 2011. (To be fair, I also said something similar in a previous post.)

Even though PC threats are still hugely more prevalent, mobile malware tends to get more press because they’re like the up-and-coming starlets of tech threats – they’re fresh, new, interesting, and frankly, just a little sexier than plain ol’ Windows malware.

At least – they are to IT security pros. For the average man on the street? Not so much. For many smartphone users, especially those only recently transitioning from ‘dumbphones’ to smartphones, ‘mobile threats’ can still be a pretty nebulous concept.

Since it seems likely that we’ll be talking more and more about mobile threats from now on, I reckoned this would be a good time for a quick tour through the world of mobile malware. And to make things easier, let’s break this guide into 3 articles covering the 3 most important questions for a new (or even not-so-new) smartphone user:

What (should I be worried about)?
Why (should I be worried)?
and How (do I protect myself)? 

So let’s get this tour started with…

What (should I be worried about)?

Mobile malware is nothing more than malicious programs designed to run on operating systems (OS) used by mobile devices. The most common devices affected are mobile phones, though PDAs, tablets and other consumer electronics may be affected if they also use the targeted OS.

A very short history

Mobile threats aren’t a new phenomenon – the earliest mobile malware we have on record is Cabir (image above), which came out in June 2004. However, until the last 2 years or so, mobile malware hasn’t been a big deal. For most of the last 10 years or so, the number of distinct mobile malwares created has been in the low hundreds – a drop in the ocean compared to their millions of PC counterparts.

Why? Mostly because PCs are easier to attack, there are more of them, and there’s enough financial and personal information on them to make it worth the attacker’s efforts. Nowadays though, smartphones are rapidly gaining more allure as targets for malware authors, and for much the same reason PC threats have become so prevalent: exposure to the Internet.

Getting connected – to malware

Up until about 3 years ago (the ‘DumbPhone Era’, if you like), mobile threats were most commonly transmitted from user to user as Bluetooth worms, SMS-worms, etc. This limited distribution pattern tended to reduce the impact of mobile malware – the attacker had trouble distributing the malware to huge numbers of people, and an individual user generally couldn’t spread the infection very widely either.

That was before the Internet came to the phone. Nowadays, almost all smartphone users can connect to the Internet via a browsing program on their mobile phone (a mobile browser). Taking advantage of (currently) cheap data plans from telecom companies, smartphone users have been going online via their phones in record numbers in the last couple of years.

Unfortunately, this new-found connectivity comes with an unintended side effect. For PC users, their broadband connection to (and behavior on) the Internet has proved to be the most significant pipeline for malware distribution. For mobile users – ditto.

In the last few months, almost all mobile threats we’ve seen have arrived via the mobile browser or by the user downloading a bad app from the Internet – and it seems safe to say that in future, most of the major mobile threats will be distributed over the Internet.

Threats evolving

Trojan:SymbOS/Skulls.D

Image displayed by Skulls.D

There are a few distinct threat types favored on the mobile device, though these preferred types can change over time. Even as recently as last year, trojans (malware distributed using fake names, such as Skulls.D at right) and worms (particularly Bluetooth-worms) were the main threats for mobile users. By the end of 2010 and early 2011 though, we started seeing trojanized apps, rogue apps and online attacks targeted at mobile audiences.

Trojanized apps are a more sophisticated take on the ‘classic’ trojan, which was usually just a malicious file distributed under the stolen name of a legitimate one – say, a system update or game. Trojanized applications, on the other hand, are legitimate files that were reverse-engineered and adulterated with malicious code. The ‘Frankenstein’ program that results is usually very similar to the original, and may even be fully functional. Examples of this type of malware are Trojan:WinCE/Terdial and more recently Trojan:Android/BgServ.A and Trojan:Android/DroidDream.B.

Rogue apps are simply fraudulent programs that say they do something, but don’t. This is the mobile equivalent of rogues, the PC scareware that’s been around for many years. There’s nothing particularly new about this threat on phones either – we posted about possibly fake mobile banking trojans in 2010 and even earlier – but as new smartphone users are still likely to come into contact with these malicious programs, the danger remains present.

On a different front, now that mobile browsing has become a major activity for smartphone users, online attacks that have troubled PC users for years are starting to affect mobile surfers too. Our Labs Weblog reported one phishing website that appeared to have formatted its fake URL to make it harder for mobile viewers to tell it’s a fake site.

An interesting point mentioned in the post was that a phishing attack may even work better on mobile browsers, as the lack of screen real estate works against the user by concealing any tell-tale ‘phishiness’ in a website’s URL. It’s early days yet, but I suspect it won’t be too long before we have to start coming out with a new Web Browsing Do’s and Don’t list specifically for mobile users, as PC-focused lists may not work for a mobile audience.
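The point about URLs on small screens, as an added example that is not from the original post: the sketch below compares what a narrow address bar would show with the host the browser actually contacts. The 16-character display width, the function names and the `bank.example` / `example.net` addresses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (reserved example domains, not real sites).
GENUINE = "https://www.bank.example/login"
LOOKALIKE = "http://www.bank.example.secure-session.example.net/login"


def real_host(url: str) -> str:
    """Return the hostname the browser will connect to.

    urlsplit() drops the scheme, port and path and lowercases the host;
    a trailing dot (fully qualified form) is removed as well.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def belongs_to(url: str, expected_domain: str) -> bool:
    """True if the URL's host is the expected domain or a subdomain of it.

    The comparison is anchored at the END of the hostname and on a label
    boundary, so 'notbank.example' does not pass for 'bank.example'.
    """
    host = real_host(url)
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def narrow_view(url: str, width: int = 16) -> str:
    """Simulate a small address bar.

    Assumption: the bar hides the scheme and shows only the first
    `width` characters of what follows.
    """
    shown = url.split("://", 1)[-1]
    return shown if len(shown) <= width else shown[:width] + "..."


def review(url: str, expected_domain: str, width: int = 16) -> dict:
    """Collect what the user sees next to what is actually true."""
    return {
        "shown_on_small_screen": narrow_view(url, width),
        "real_host": real_host(url),
        "is_expected_site": belongs_to(url, expected_domain),
    }


if __name__ == "__main__":
    for sample in (GENUINE, LOOKALIKE):
        print(review(sample, "bank.example"))
```

Both sample URLs look identical in the truncated view; only the end of the hostname, which the small screen cuts off, tells them apart.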

Summary

Of course, these are just the three most notable types of mobile malwares we’ve seen in the first few months of 2011. Only time will tell how the attackers will refine their strategies and creations to take better advantage of mobile audiences. If the recent trend we’ve seen in the Labs is any indication, with more mobile samples being sent in for analysis, it seems pretty plausible that the next six months will see some new threat types turn up.

In summary though: Now and for the foreseeable future, PC threats will still be much more prevalent, no question about that. We are however starting to see more mobile threats emerging, as the large numbers of mobile phones accessing the Internet present a new, accessible and attractive target for attackers. At the moment, these new threats require the user to either download a malicious app or visit a malicious site.

Part 2 – Why should I be worried?

Part 3 – How can I protect myself?

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #4

By Jason

Control how the world sees you via Facebook.

It seems to always make the news when someone loses a job over something they did on Facebook. What we don’t hear about is the countless jobs, opportunities and relationships that may have been lost because of Facebook activity.

Even if you have nothing to hide and no opportunities to lose, you still have to recognize that you will be judged by how the world sees you on Facebook. This brief guide will show you in 4 quick steps how to control your Facebook identity.

1. See how the world sees your Facebook profile.

Go to Account > Privacy Settings

Under “Connecting on Facebook” click “View Settings”

In the upper right corner, click on the Preview My Profile button


This is how most of the world sees you. If you don’t like what you see, go back and adjust your privacy settings. If you’re okay with what you see, continue on.

2. Decide if you want your Facebook profile to show up in search engines.

Depending how unique your name is, your Facebook page could show up at the top of a Google search for you. If you’re fine with how your profile represents you to all past and potential friends, family and employers, you don’t need to do anything. If you’d rather not be found on Facebook, do the following:

Go back to Account > Privacy Settings

Under “Apps and Websites”, click “Edit your settings”


At the bottom, next to “Public search”, click the Edit Settings button.


Uncheck the box next to “Enable public search”

Note the message there that explains your information may still be accessible on some search engines for a while.

3. Decide who can see photos you’re tagged in.

Facebook wants to tag you in as many photos as possible. Why? They know they became the world’s biggest social network by becoming the world’s biggest photo sharing site. The more photos you’re in, the more you use Facebook. But allowing others to tag you in photos allows others to control your identity. You can be misidentified or shown in situations that you do not want made public. And these photos can end up representing you, as Facebook displays the last 5 pictures in a row on top of your profile.

You can always un-tag yourself from photos one-by-one, but I suggest that you adjust this setting to only allow friends to tag you in photos. Personally, I only allow myself to tag me in photos, which is the surest way to control my identity.

To adjust who can tag you in photos, go to Account > Privacy Settings

Under “Sharing on Facebook”, click “Customize settings”

In the “Things others share” section next to “Photos and videos you’re tagged in” click Edit Settings


Next to “Who can see photos and videos I’m tagged in” select Friends Only

Or for increased protection, select Customize then under “Make this visible to” select Only Me

4. Decide if you want Facebook to “Suggest photos of me to friends”.
As a Facebook user, you have to be aware that you will most likely be opted in to any new features they offer. This policy is controversial but it’s also part of the price of using Facebook to communicate with friends. Facebook’s “Suggest photos of me to friends” is an especially creepy new feature since it employs facial recognition. It’s been available in the United States since 2010 and will roll out across the globe in 2011. You should be aware that Facebook may already be identifying you in your friends’ pictures to make it easier for you to be tagged.

You may want to turn off this feature simply because it is so new that it is difficult to imagine the ways it can be used or misinterpreted. Or you may just not like the idea of your identity being determined by a machine. Here’s how to turn it off.

Go to Account > Privacy Settings

Under “Sharing on Facebook”, click “Customize settings”

In the “Things others share” section, next to “Suggest photos of me to friends” click on Edit Settings

Next to “Suggest photos of me to friends” select Disabled

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
  2. Turn on Secure Browsing.
  3. Secure your account.
  4. Control how the world sees you via Facebook.
  5. Turn off Instant Personalization and audit your apps.
  6. Watch where you click.
  7. Decide if you want your name and image to appear in Facebook ads.
  8. Start using Facebook lists.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #3

By Jason

3. Secure your account.
Facebook connects 700,000,000 people around the globe.  Some say it’s a tool to spread democracy in a viral way. Other people just see it as a way to tell strangers that you are “playing hooky”.

Our Facebook accounts have become, in many ways, our online selves. Our digital identities mirror our real identities in that there is some information we don’t want to share with everyone. Even if you have your Facebook privacy settings literally set to “everyone”, you still may have private messages that you do not want public. Our challenge is to share the right things with the right people. And to do that, you need to keep control over your account.

There are endless ways to hack unsecured accounts. While account cracking is a tough thing for a stranger to pull off, sloppy Facebooking can make it easy for your friends to take control of your account.

You’ve already secured your browsing. Now there are a few things you can do to protect your Facebook account. They’re listed in order of importance.

Use a strong password NO ONE can guess and don’t let your browser remember it
Creating and remembering strong passwords isn’t easy. That’s why we recommend this simple system. And don’t let Firefox, or any browser you use, remember your passwords. (To clear your passwords in Firefox, go to “Tools” then “Clear Private Data”, then close and reopen Firefox.)

Use unique passwords for all of your important accounts (and update them every few months)
For any account that really matters—your email, your bank and credit card accounts, Facebook—you need to use a unique, strong password that you do not use for any other account. You should update the passwords of your most important accounts every few months, at least. If you notice any suspicious activity in your account, change your password immediately.

Make sure your system software and Internet security are updated
Updated system and Internet Security can’t stop you from making security mistakes or being the victim of social engineering. But it can prevent most of the common attacks out there. Our free Health Check will tell you if your PC is protected. Once you are updated, be sure to update your most important software including your OS, browser, media players and PDF reader on a regular basis either through our Health Check or the software developers’ sites.

Watch where you click and watch where you land
Always check the URL in your browser to make sure you’re on Facebook when you enter your private information. And if you ever have any doubt about something that has been posted in your newsfeed, follow the Golden Rule of Social Media Security and don’t click. More on the art of clicking in #6 of this guide.

Always log out
You’re not keeping hackers out by staying logged in. They still can get in and you’re leaving your account open for a snarky co-worker or invasive family member to pry. And once someone is inside your account, they can change your password to keep you out.

If you use Facebook’s mobile app, always lock your smartphone
Your phone can give an intruder access to your and your friends’ private information. An intruder could also post status updates and photos as you. This could simply embarrass you or cause actual harm to your career or private life. I also recommend using remote lock software like our Free Anti-Theft for Mobile on your smartphone in case you lose it.

How To Make Sure You Can Get Your Account Back If It Is Hacked

If you start using a new email account, update Facebook settings
If your account is hacked, you need access to the email account you have in your settings. If you can’t get into that email because it’s closed, you’ve just greatly limited your chance of recovering your account.

Consider doing what Facebook recommends

Facebook now rates how secure your account is. It’s a powerful feature, as long as you take it seriously. If your account “Overall Protection” is rated “low”, Facebook will prompt you to add some information. I suggest you do this though it will require adjusting your notifications so you won’t get messages from Facebook that you do not want to see.

Add a secondary email
Facebook asks for a secondary email. This helps Facebook because now it will be able to connect you with more friends. And it helps you if you ever lose access to your primary email, or if your primary email gets hacked. So only add a secure email account with a unique password.

You can add your secondary email by going to “Account” > “Account Settings” > Find “Email” and click on “change”.

Add your mobile number
Adding your cell phone number gives you a secondary way to claim your hacked account. It also gives you the ability to get one-time passwords, which I’ll explain later. To change or add your mobile number, go here. On that same page, be sure to edit your notifications or Facebook will be texting you nonstop. Only activate your phone for this purpose if you keep it locked when it is not in use.

Add a strong security question
Make sure you choose a question that only you can answer. The last five digits of your driver’s license are probably a better answer than the name of your first pet—since your friends and family may know that. The worst answer, of course, would be one that a stranger could figure out by looking at your profile.

For Extra Protection

Activate Account Protection
Want to be notified when a new computer logs into your account? Activate Account Protection. If someone gets into your account on a device you don’t recognize, you can login to Facebook and “end activity” on that login. Then you can, hopefully, change your password before the intruder does. Once you activate this feature, you’ll have to name every device you login from. It’s slightly annoying, but it gives you the kind of control of your account that will keep your account safe.

To activate Account Protection and “end activity” on any Facebook sessions you didn’t initiate, go to “Account” > “Account Settings” > Find “Account Protection” and click on “Save”.

Use Login Approval
You can prevent someone from logging into your account with Facebook’s new Login Approvals, as long as the attempted hacker doesn’t have access to the mobile you have connected to your Facebook account. Login approval requires a new security code sent via SMS when you attempt to use your Facebook account from a new device. This requires a one-to-two minute setup on each device you use.

To activate Login Approvals, go to “Account” > “Account Settings” > Under “Login Approvals”, click the box for “Require me to enter a security code sent to my phone” then click “Save”.

Use One-Time Passwords on public computers
If you use Facebook on public computers, such as at school or the library, you should use Facebook’s One-Time password feature. On a public computer, you have no idea what kinds of programs are running that could be used to log your account information. By using a unique password each time, you remove the risk that your credentials will be stolen.

To do this you need to set up and verify your SMS number. Go here and add in your mobile number. You’ll then need to verify the number by entering a code that will be sent to you. Once this is done, you can send a text message to 32665 with the message “otp” when you’re about to login on a public computer. Your One-Time Password will work for 20 minutes after you receive it.

Follow us on Facebook for ongoing tips on securing your account.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
  2. Turn on Secure Browsing.
  3. Secure your account.
  4. Take a look at what others see when they see you and decide if you want search engines to find your profile.
  5. Turn off Instant Personalization and audit your apps.
  6. Watch where you click.
  7. Decide if you want your name and image to appear in Facebook ads.
  8. Start using Facebook lists.

Even Geniuses Get Bad Software?

By Sandra

Some say that there are two types of people in the world: people who are worried about getting malware and Mac users.

While malicious software has aggravated PC users for more than 25 years, Apple devotees have generally avoided troubles with malware. This magical feeling of immunity helped many Mac users develop an almost religious faith in their computers. But this faith has been shaken in recent weeks for some fans by a threat many PC users have become familiar with the hard way: scareware.

Apple has downplayed the impact of the attacks by the Mac Defender rogue antivirus family, but anecdotal evidence from Apple Store Geniuses suggests the problem is widespread. On May 24th, Apple acknowledged the problem and issued guidance to help users avoid and remove Mac Defender. An update that protects users from these attacks is expected from Apple by the beginning of June.

If you use the Safari browser on your Mac, you should immediately disable automatic file opening. You can do this by going to Preferences -> General then uncheck “Open ‘safe’ files after downloading”. Mac users also need to develop a healthy suspicion of any program that attempts to install itself, as many PC users have.

In some ways, facing undeniable security threats is a compliment to Apple. In 2008, an academic paper predicted that Macs were likely to become a focus for online criminals around the time they hit 16% market share. Macs now make up 15.36% of the PC market in the US. But, as F-Secure Labs explains, one data point isn’t enough to explain why many Mac users are thinking about security for the first time.

Apple products aren’t likely to face the flurry of attacks that now target Windows XP in the near future, and Mac users can take action to protect themselves. F-Secure has offered Mac Anti-Virus through our operator partners for a while. We recently decided to offer it directly to consumers, and recent events prove that our timing couldn’t be better. You can try our Mac Anti-Virus for free now using the promo code AVMAGL.

I imagine that some Mac loyalists would disagree that Macs need AV. Why use an umbrella when it’s not raining? they might ask. We would argue that skies are starting to get a little gray. As F-Secure’s Chief Research Officer Mikko Hypponen recently tweeted, “Slowly but surely, Apple will be targeted by more and more malware. Apple should realize this and stop trying to hush it up.”

Cheers,

Sandra

CC image Rolon2000

What Credit Card Fraud Taught Me

By Sandra

I love online shopping, and I have the shoes to prove it.

In addition to my shopping habit, I also travel abroad frequently and use my credit card for business. So protecting my credentials is crucial. I secure my PC, stick to reputable retailers and monitor my credit card account. And this generally has kept me safe, until just recently…

Just after Easter, I got the alert on my Outlook calendar that reminds me to review my credit card accounts—both for fraud and my own personal overspending. I checked my account and found that my card was used to purchase about €700 worth of goods in Manchester, England. Here’s the problem: I haven’t been in the United Kingdom for more than a year and a half.

Immediately I called my bank. A representative connected me to a special fraud line. I identified all the suspicious charges and received a letter in which I had to verify under oath that I had not made these charges. In two weeks, all of the fraudulent charges were off my account. Nice.

However, the mystery lingers. How was my card compromised?

This is where I should mention that in addition to being an avid shoe buyer, I am also a gamer. I’ve been a member of the Sony PlayStation Network for a while. You probably know that PSN was hacked right before Easter time, affecting up to 100 million people. However, I don’t believe I was one of those people as I wasn’t contacted by Sony.

I can’t think of the number of times I’ve handed my card to a waiter or salesperson for them to charge me—in addition to all of the online stores and services that have had access to my credentials.

So here’s what I’ve decided to do to make sure I’m not a victim again: I’ve set my Outlook alert to remind me to check my account weekly instead of twice a month. I no longer let online retailers store my account information—and I’m looking into getting an extra online shopping credit card with a very low limit. When I’m abroad, I will be very selective where I use my card and cash will be king – again.

One unexpected consequence of this little drama is that my bank is now closely monitoring my account. Twice they’ve called me about suspicious purchases and both times I’ve had to say, “Yes, Big Brother. I did pay that much for those shoes.”

Have you ever had a similar experience? Do you have any hints that might help me figure out where I went wrong?

Cheers,
Sandra

CC image by Andres Rueda

Protecting your online information with e-mails, security questions and passwords

By Sarah

By now, I’ve lost track of how many accounts I have created online. Some are essentials like online banking and tax filing, while others are less so (e.g., movie reservation). With each account created, records of my credentials are becoming more ubiquitous on the internet.

As account registration for consuming content and services becomes a widespread requirement, we’ll start giving away our e-mail addresses without thinking twice. And that’s an unsafe practice. Security breaches happen (see this and this), which leads to users’ data and credentials being stolen. There is a possibility that some accounts might be linked to the same e-mail address or even share the same password, so when one account is compromised, others could be in danger too.

With that in mind, let’s take a look at some tips that could help to protect our online security using three components that we might have taken for granted before: e-mails, security questions and passwords.

E-Mails

Secure the access to your e-mail

In a way, e-mail is like a portal for accessing those accounts you’ve created online. Remember the last time you forgot the password to that photo printing website? In a matter of seconds, a link was sent to your e-mail. You reset the password and all is well again. That’s how easy it could be for a person in possession of your e-mail access to gain access to all your other accounts.

Be more careful when giving out your e-mail address. It may appear harmless, like signing up for a free account in order to access some content. Just because something is free doesn’t mean you have nothing to lose from it. Take a moment to consider if you really need to create that account. Besides saving your inbox from an influx of spam, selectively revealing your e-mail address could protect your online accounts from potential unauthorized access.

Furthermore, make it a habit to log off your e-mail account when you leave the computer on while leaving for work, or when you let someone else use the computer. Pick a strong password that is hard to guess. And don’t tick that little checkbox stating “Remember me” or “Stay signed in,” especially if other people are using the same computer.

Use multiple accounts for various purposes

While keeping one e-mail account is convenient, it’s not a wise idea to provide the same e-mail address for filing taxes and for joining that small boutique’s mailing list. Some countries lack a law that prohibits your contact details from being passed around from one business to another. Before you know it, there’s an increase in spam and phishing attempts arriving in your inbox.

To help screen out unwanted e-mails, sign up for a couple of e-mail accounts and assign each of them a category. For example, reserve one account for high-importance matters such as tax filing, financial management sites or online banking. Keep this address private; don’t advertise it on your Facebook page. Next, keep another account for the usual stuff and sites you frequent. This could be for Facebook sign-in or commenting on your favorite blog. Finally, keep one account that functions as a spam-trapper. This could be a throwaway account which you use when reluctantly signing up for something.

Security questions

Provide your own questions

The usual security questions that sites use to verify your identity are the flimsiest line of defense. For instance, it’s not hard to find out the answers to where you were born or which high school you attended. This information is displayed on your Facebook page. Even if you keep this information undisclosed, one of your friends might dish out the answers when taking one of those “How well do you know this person?” quizzes.

Therefore, avoid security questions whose answers are more or less public knowledge. Some sites will let you come up with your own security questions. If you are presented with this option, take advantage of it. Perhaps have a little fun along the way. Create the most ridiculous question, one to which no one but you knows the answer.

Make up your answers

Unfortunately, most of the time you are stuck with preselected security questions. Just go ahead and pick “What’s your mother’s maiden name?” or any question of your choice. However, instead of being honest and blurting out the truth, make up the answers. Just make sure you remember the answer you chose in case you forget the password and need to verify yourself.

Passwords

Use strong passwords

This has been mentioned plenty of times before but is still worth reiterating—use strong passwords. Here’s a refresher for the tips on creating and remembering a password. And once you’ve come up with a password, check out its strength here.

After creating all those online accounts (whether for using cloud storage or accessing trivial apps on my phone), trying to come up with a new, unique password is becoming more difficult. I still use Annika’s tips to come up with a good master password, but for the rest, I’d rather rely on my password manager. I specify how many characters I want it to be and whether symbols should be included, and then a list of passwords that fit that specification is generated.

I’m currently using 1password on my phone, which stores all my passwords locally. Other options to consider are LastPass and KeePass, which are available for free.
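The generation step described above can be sketched in a few lines. This is an added example, not code from any of the password managers named here; the function names and the symbol set are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed symbol set (an assumption); trim it to what a given site accepts.
SYMBOLS = "!#$%&*+-=?@^_"


def generate_passwords(length=16, use_symbols=True, count=5):
    """Return `count` random passwords of `length` characters each.

    Every password contains at least one lowercase letter, one uppercase
    letter and one digit, plus one symbol when use_symbols is True.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length is too short to include every character class")
    alphabet = "".join(classes)

    passwords = []
    while len(passwords) < count:
        # secrets draws from the operating system's CSPRNG; the random
        # module is predictable and must not be used for passwords.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw instead of patching in the missing class, so no position
        # in the password is more predictable than any other.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            passwords.append(candidate)
    return passwords


def entropy_bits(length, use_symbols=True):
    """Approximate strength in bits: length * log2(alphabet size).

    Each extra bit doubles the number of guesses a brute-force attack
    needs, which is why length matters more than clever substitutions.
    """
    size = 26 + 26 + 10 + (len(SYMBOLS) if use_symbols else 0)
    return length * math.log2(size)


if __name__ == "__main__":
    for pw in generate_passwords(length=16, use_symbols=True, count=5):
        print(pw)
    print("8 chars, no symbols : %.1f bits" % entropy_bits(8, False))
    print("16 chars, symbols   : %.1f bits" % entropy_bits(16, True))
```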

Change your password after a certain period of time

It is not necessary to change your password every other month, but that doesn’t make it okay to survive on the same password for half a decade. Think of it this way: no password is entirely hack-proof. When you choose a difficult password, you are giving it a better chance of surviving an endurance test, where it might be subjected to brute force attacks until it finally cracks. In short, the longer you wait, the more time you are giving the hackers to crack your code.

Do not repeat the same password

Don’t use the same password for every account you’ve created. When one is compromised, the others are put at risk too. The comic explains it quite well. The full version is available for your reading pleasure here. Enjoy :)

Image by xkcd (http://xkcd.com/792/).


Mikko Hypponen Talks Spam With the BBC


By Sandra

F-Secure’s Chief Research Officer and — according to information leaked by Wikileaks — infosec rock star, Mikko Hypponen appeared on BBC’s Newshour today to discuss the new “spam choking” initiative.

Mikko told the BBC, “One of the reasons spammers are moving to the web is that email filtering is getting better and better. Spam is being sent more than ever in history. Yet people see less of it.”

It’s three minutes and three seconds and manages to include a little Monty Python and lots of surprising information. You can listen to it now: click here and you’ll be linked to an MP3 of the segment.

CC image by pandemia


The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #2


By Jason

2. Turn on Secure Browsing

Facebook’s Secure Browsing encrypts your Facebook activity, protecting your account from being accessed without your permission. Facebook compares NOT using Secure Browsing to leaving your car in a parking lot with the doors unlocked. You’ve probably gotten used to seeing the “s” in “https” in your browser bar when you log in to your bank or any important account online, and this feature gives you that level of protection for your Facebook activity.

There are several benefits to turning on Facebook’s Secure Browsing and the only reported downside is that it may slow your Facebook session slightly.

To turn Secure Browsing on:

  1. Go to Account, then Account Settings.
  2. Next to Account Security, click “change”.
  3. Below Secure Browsing (https), check the box for “Browse Facebook on a secure connection whenever possible”.

While you’re there, you may want to turn on Login Notifications and Login Approvals. With Notifications, you’ll be informed by email any time anyone logs into your account on a new device. If anyone logs into your account from a device you do not recognize, you’ll have a chance to get into your account and change the password before the intruder does. With Approvals, a login from a new device has to be approved with a security code that gets sent to your smartphone. If you turn on Approvals, you should have a remote lock program such as Free Anti-Theft for Mobile on your phone.

Click save.

Now you should bookmark https://facebook.com and log in to Facebook from that page exclusively.

2 things you need to know about secure browsing:

  1. Most apps—including games—do not support https. When you use an app you’ll leave Secure Browsing, and Facebook should then switch you back to https (or at least prompt you to do so) when you are done with the app.
  2. Mobile browsing is not secure. This means that if you log in to your Facebook account on a free open Wi-Fi network, you could be vulnerable to an account intrusion.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting
  2. Turn on Secure Browsing
  3. Secure your account
  4. Take a look at what others see when they see you and decide if you want search engines to find your profile.
  5. Turn off Instant Personalization and audit your apps
  6. Watch where you click
  7. Decide if you want your name and image to appear in Facebook ads.
  8. Start using Facebook lists.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook: #1


By Jason

Facebook is literally all fun and games—until it gets you fired, or embarrassed, or hacked.

For the second year in a row, an F-Secure survey has found that nearly 3 out of 4 Facebook members are not “friends” with their boss on the site. A steady feed of news about people losing jobs over comments or images they’ve posted on Facebook has made many of us worried about who we friend and what we post.

A US court recently ruled that you should expect that anything you post on a social network could go viral—no matter what your privacy settings are. Even if the courts where you live aren’t as skeptical of social networking privacy, the fact remains: if you post something on Facebook, you never know who might see it. So even if you never post about your job or ever worry about having to find a new job, you know there are risks in sharing your private life on Facebook.

Social networking has only become a mainstream phenomenon in the past decade. Most of us are still learning the etiquette and risks of social media. That doesn’t mean social networking is any more dangerous than any online communication. For most people, the dangers of social networking are roughly as perilous as those of email. You could send the wrong thing to the wrong person, open a bad file and infect your PC or give criminals access to your account or private information.

For this guide, I’m assuming you know the basics of PC security. You have a strong password and your PC is patched and protected. I figure you lock your computer or smartphone, and you would never leave yourself logged in to Facebook on a computer you aren’t using. If you’re doing all that, you’re avoiding most of the serious threats you’ll find online. Now you’re ready to get into advanced strategies for staying safe on Facebook.

1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
Have you noticed that people you don’t know appear in your Facebook feed?  Those are friends of your friends. They’re showing up because they either commented on something a friend of yours posted or vice versa. And you may be appearing in strangers’ feeds in the same exact way—if your privacy settings are at “Friends of Friends.”

One reason Facebook is so popular is because it replicates the social context of our lives. We feel as if we are in the presence of friends and family—some of whom we haven’t seen in person since before there was a Facebook. That makes us comfortable. Maybe even a little too comfortable.

By going to Account > Privacy Settings and selecting “Friends Only”, you are only sharing with the people you’ve approved as friends. You can still change specific settings to make them more or less public. But you’ve created a boundary you can imagine in your head.

(If you’re on Facebook to market yourself or a product, you should definitely start a Facebook page or switch your profile to a page.)

On Facebook, the one thing you can always control is what you post. You can’t control your friends’ comments on what you post, and you can’t—in any immediate way—stop other people from taking your information or media and resharing them. This is why some people prefer Twitter where your information is either private or public. If someone comments on or repeats your posts, they do it on their own profile. On Facebook, strangers can comment on everything you do—unless you change your privacy settings to limit access to “Friends Only.”

Some people are so comfortable on Facebook they may not even realize they are sharing private details that can be used to crack passwords or security questions. The average Facebook user has 130 friends. If you’re simply opening your life to all of your friends’ friends, you’re opening your life to 16,900 people. That’s great if you’re actively seeking new friends. But it is a lot for one brain to process. And you can always visit your friends’ walls and click on their friends if you’re looking for new people.

“Friends Only” is not only a good move to protect your privacy and identity; you may find that it also helps your Facebook experience by freeing you up to give more attention to the people you care about most.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

  1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
  2. Turn on Secure Browsing
  3. Secure your account
  4. Take a look at what others see when they see you and decide if you want search engines to find your profile.
  5. Turn off Instant Personalization and audit your apps
  6. Watch where you click
  7. Decide if you want your name and image to appear in Facebook ads.
  8. Start using Facebook lists.

This guide is in progress, so let us know what you think. What are the best ways to protect your identity and privacy on Facebook?

Cheers,
Jason


Has Your Mom Ever Given You Tech Support?


By Sandra

As a somewhat geeky mom, I cherish this brief period in my daughter’s life when I know more about technology than my daughter does. For now, she mostly pretends to use my cell phone.  But I imagine by the time she hits ten or eleven, I’ll be asking her which app is best for sharing photos. And before long, those of us who grew up with the Internet will be just another generation in awe of the digital technology of the future.

Offering mom tech support is one way to thank her for all she did and does for us. And helping mom on the PC is almost as popular as sending her flowers for Mother’s Day.

71% of those surveyed in a recent F-Secure poll of 142 Internet users conducted tech support for their moms. 25% of those who offer mom support do it often.

And moms do need help. 43.5% have experienced some security issues on their PCs. Meanwhile, 62% worry about their moms’ online security. Either children are more aware of security threats than their parents or they worry about their parents even more than necessary.

The many moms at F-Secure appreciate the irreplaceable relationships that our products help protect. And we hope you and your mom are aware of the free tools we offer to help keep PCs healthy and moms worry-free.

Health Check makes sure that a PC is patched and protected with the latest software updates. Microsoft, Apple and Adobe are always releasing fresh security fixes for their software. Keeping up with each update is a challenge. Health Check makes it easy.

If your mom’s computer is acting strangely and she’s experiencing lots of pop-ups and system slowdowns, have her try our Online Scanner. It can help her get rid of the viruses and spyware causing the problems.

And here’s an article I found very useful:  Shop savvy: 7 practices to shop safely online.

Best to you and your mother as you enjoy another safe year together.

Cheers,

Sandra


3 Reasons That Online Backup Use Is Up 380%


By Jason

Here’s some good news: More people are backing up their irreplaceable data and media.

In 2009, an F-Secure survey revealed that 44% of Internet users failed to do any sort of backup whatsoever.  But times have changed. A new F-Secure poll of 609 Internet users finds that only 14% of users do not make regular backups—a 68% decrease in less than two years.

New methods of backup are catching on—especially online backup. (Full disclosure: Hopefully, you know that F-Secure offers an Online Backup solution.) In 2009, only 5% of those surveyed were using online backup. That number is now 24%—a 380% increase.

Why are so many people choosing to back up their files in the “cloud”? Here are the three reasons why I’m one of the 19% who switched to online backup.

1. Online backup is easy and automatic.
Once installed and running, Online Backup doesn’t require the discipline that tape/disk/CD/DVD backups do. The backup occurs without interruption as you work. Most importantly, it doesn’t require me to remember to do it.

2. I can’t step on it, spill anything on it or leave it out in the sun.
Any backup system that works for you is better than no backup at all. But having backup disks and drives around always made me nervous. My concern wasn’t that external drives and discs can fail. That’s a fact of life. My problem is that these drives and discs were always potential victims of my lack of organization and/or clumsiness.  Online backup saves my files in a location that’s not on my computer and not anywhere in my office where I can mess it up. It also organizes my files in a way that makes sense—my important files, Office files, pictures and videos, music and E-mail are automatically saved in my own little corner of the cloud using the same file system as on my laptop.

3. New online threats require constant backups.
Have you heard of ransomware? It’s malware that encrypts your files and holds them hostage unless you pay a ransom for their release. If you’re hit by this obnoxious threat, your only hope is that you have recently backed up your files somewhere that is not on your computer. Online backup greatly increases my chances of having a current version of my files safe and sound if the worst-case scenario becomes a reality.

Why do you think online backup is becoming so popular? Which method do you prefer?

Cheers,

Jason

CC image by Peter Kaminski


How to Prevent Online Credit Card Theft


By Jason

As the news broke that a hack of the PlayStation Network may have exposed the credit card details of up to 77 million people, F-Secure’s Mikko Hypponen reminded us that the problem of online credit card theft was solved a decade ago. He linked his Twitter followers to an article called “Home Office: Wily Tricks to Thwart E-Thieves” from November 20, 2001. It’s worth a look, even if a few of the links are broken.

The advice offered in 2001 still applies. Here’s a quick review of the key things you need to know to protect your credit card accounts online.

1. Follow your bills closely.
Credit cards are, in general, better for online purchases than the alternatives. Try to limit your purchases to one card and check that one account’s bills closely. Report any questionable purchases to your card issuer immediately. If you live in the United States and believe you have been a victim of identity theft, you should contact the Identity Theft Resource Center for help. Otherwise contact local law enforcement.

2. Only shop on secure sites.
Even if your PC is completely patched and protected, you still need to use caution when shopping online. Stick to online retailers you trust or have researched. Make sure that when it’s time to submit your credit card details, you’re on a secured site with a URL that begins with https.  If you’re ever in doubt, stop the transaction and contact the retailer by phone.

3. For worry-free shopping, use one-time credit card numbers for online purchases.
The best way to avoid online credit card fraud is with temporary card numbers. Bank of America, Citibank and Discover all offer some version of temporary credit card numbers for their customers. If you had used one of these numbers to pay for your PlayStation Network account, for instance, you wouldn’t be worrying about anyone going on a spending spree in your name.

Are you comfortable using your credit card online? What else do you do to prevent credit card theft?

Cheers,

Jason

CC image by JD Hancock


How to Avoid Scams and Malware During the Royal Wedding


By Sandra

“It is a truth universally acknowledged, that a single man in possession of a good fortune, must be in want of a wife.” – Jane Austen

There are few non-sporting events that draw as much attention from all over the world as the wedding of an heir to the British monarchy. When Prince Charles married Diana, television told the story. For the marriage of Prince William and Catherine, the Internet will not only broadcast the images, it will also allow us to engage in a global conversation in real time.

Until the ceremony takes place on April 29 and for a few days after, you’ll probably see the word “wedding” more often than an avid reader of Jane Austen does. One report says that the wedding is being mentioned every 10 seconds online, and the guests haven’t arrived yet. Most of the headlines and links featuring “the wedding” will lead to legitimate sites—but some will invariably lead to a variety of scams and malware. This is true when celebrities die and when disaster strikes, and you can expect the same when Catherine says “I do” to William.

If you’re actively avoiding the wedding, you’ll avoid most of the risks. But for you royal watchers out there, here are a few tips for avoiding digital wedding crashers.

1. Follow the official site, Twitter, Facebook, Flickr and YouTube pages.

These official sources are going to be your safest sources of information. Of course, users can post links in the comments. So avoid links users post unless you trust the domain being linked or have checked the link with a resource like our free Browsing Protection.

2. Search for Royal Wedding news using Google and Bing’s News Filters.
Google has recently changed its algorithm to deliver safer, higher quality results. However, during breaking news rogue sites use the dark arts of search engine optimization to zoom up search results. This doesn’t happen, however, in Google and Bing’s news sites. Why? The news sites listed there have all been vetted and verified. Click on news, if it is available in your area, and click without worry.

3. Make sure your PC is patched and protected.
Every month, at least, Microsoft, Apple, Adobe and the world’s biggest software makers release updates to their products that plug security holes. These updates are often crucial for your online safety. However, checking for updates for every program on your PC can be time-consuming and confusing. Our Health Check makes the process easy. Give it a try to protect yourself from those bad clicks we all occasionally make.

Cheers,
Sandra

CC image by humberpike


5 ways to Prevent Mobile Phishing


By Jason

If you’re reading a blog post about mobile phishing, there’s a pretty good chance you’ll never be phished.

If you’re aware that online criminals are always trying to get you to give away your passwords, security data and credit card numbers, you’re probably already careful about where you enter your private information on the Internet. And you check out articles like this to find out if criminals have any new tricks up their sleeves.

And do online criminals have new tricks up their sleeves? The answer to that question, unfortunately, is almost always yes. There’s always a new way to scam you out of your data. Most importantly, you need to realize phishing scams are no longer restricted to your PC. In our mobile, connected world, you need to check twice or thrice when you enter your private information—whether you are on your PC, an ATM or your phone.

F-Secure Labs reports that users are increasingly likely to be phished using methods that involve their phones. The odd rendering of mobile web pages and the use of SMS to send one-time passwords are powerful new lures for the phishers of the world. So even if you are savvy enough to avoid phishing attacks on your PC, you need to be just as aware when you are on your phone.

Here’s what you need to know to keep your data to yourself.

1. Always check the URL of the site you are on before you click submit
You should always check the URL of any web page you are on whether you are browsing on your phone or your PC. It’s easy to replicate the look of a site. Copying the site’s URL is more complicated. You’re looking for two things in the URL. First of all, are you really on the site you intend to be on? Forget all the stuff that comes after “.com”, you’re just making sure that you are really on Facebook.com or Amazon.com. Second, you want to make sure you see the “s” in “https”. This is especially important when you are using your phone (or PC) on an unsecured wireless network.

2. If you ever think, “Why are they asking for that?” close your browser.
F-Secure Labs recently analyzed a man-in-the-mobile (mitmo) trojan attack that created a fake bank login page. The page asked for the customer’s mobile number so that one-time passwords could be sent through SMS as a security precaution. The page also asked for the phone’s international mobile equipment identity (IMEI), which was then used by the trojan to forge a security certificate and infect the phone. The user gave the criminals critical information and made life easier for the scammers. Anytime you’re filling out a form and wonder, “Why do they need that?” stop the transaction and contact the institution directly.

3. Use only one credit card for all of your online purchases
In some countries, using a credit card limits your fraud liability, making credit cards a safer choice than ATM cards. Regardless of whether this is true for you, a smart strategy is to use the same credit card for all your online purchases and check that account weekly. The sooner you spot a fraud, the less damage you are likely to incur.

4. If you’re going to make transactions on your phone, make sure it’s protected.
Our handheld mobile devices are as powerful as PCs, and they need to be protected like PCs. That means you need to keep your system and applications updated. F-Secure Mobile Security’s Browsing Protection protects users against phishing scams. Your phone has access to your email and other crucial accounts, so it’s smart to secure it the way you secure your PC.

5. When in doubt, go into the bank.
The clock is always ticking. You’re late; you want to save some time. That’s when your mobile phone makes life easier. However, for your most crucial interactions, such as large transfers, your best choice is to go into the branch itself. That way you don’t have to worry about phishing or mobile trojans. You may have to wait in line, but a little wait in line is nothing compared to being phished.
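The two URL checks from tip 1 can be written down precisely. The sketch below is an added example, not F-Secure code; the function name is hypothetical and `login.example` is a constructed placeholder domain. It goes slightly beyond the tip by showing lookalike addresses where the real site’s name appears in the wrong part of the URL.

```python
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Apply both checks to `url`; return a list of problems (empty = OK)."""
    problems = []
    parts = urlsplit(url.strip())

    # Second check from the tip: the address must start with https.
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")

    # First check: the site is whatever sits between "//" and the next "/".
    # urlsplit().hostname already drops a "user@" prefix and a ":port" suffix.
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    # Accept the domain itself or a true subdomain of it (www.facebook.com),
    # but not names that merely contain or start with it.
    if host != expected and not host.endswith("." + expected):
        problems.append("host is %r, not %s" % (host, expected))

    # Anything before "@" is a user name, not the site; it is a common
    # way to make an address look like it belongs to someone else.
    if "@" in parts.netloc:
        problems.append("text before '@' is not the site name")

    return problems


# Constructed sample addresses, for illustration only.
SAMPLES = [
    "https://www.facebook.com/login.php",            # genuine
    "http://www.facebook.com/login.php",             # right site, no https
    "https://facebook.com.login.example/",           # real name used as a subdomain
    "https://facebook.com@login.example/",           # real name used as a user name
    "https://login.example/facebook.com/login.php",  # real name used as a path
    "https://notfacebook.com/",                      # real name as a suffix only
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found = check_login_url(sample, "facebook.com")
        print(sample, "->", "OK" if not found else "; ".join(found))
```

Only the first sample passes both checks; in every other case the familiar name appears somewhere in the address without being the site you are actually connected to.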

Cheers,

Jason

CC image by Asim Bijarani


Phone Check Sweepstakes: Win an HTC Desire with F-Secure Mobile Security


By Sandra

UPDATE: This sweepstakes is now closed. For our latest activities follow our Facebook page.

We’re getting ready to launch an update to our Mobile Security suite, which has protected mobiles for more than a decade now.

What we’re wondering is what kind of phone do you use?

By answering this question in the comments of this page, you’ll be entered to win an HTC Desire A8181 and F-Secure Mobile Security. So just read the rules and let us know what device you use to stay in touch when you’re on the go.

Thanks for your time,

Sandra

CC image by Francesco Pappalardo


98% of teenagers will have arthritis in their thumbs by age 30, WOH warns


By Sandra

The opposable thumb may have made human civilization possible. But experts at the World Organization of Health are giving the thumbs down to non-stop mobile communication.

“The average teen sends more than 3339 texts a month. Multiply that by emails, Facebook, YouTube comments and your thumb muscles are being flexed and strained for up to fifteen hours a day,” says Dr. Wilson James, Director of WOH’s Department of Workplace Health. “Twentieth-century innovations like the forty-hour work week may have lessened the strain on the body, but I’m seeing eleven-year-olds with thumb arthritis worse than anything experienced by my great-grandmother.”

Millions of young adults already suffer from nerve damage related to technology-related repetitive motion, according to a recent WOH study. Within the next eleven to nineteen years, WOH expects nearly 100% of teenagers with access to their own mobile phone to experience some form of repetitive motion strain or arthritis.

“First we called it Asteroid Thumb then Mario Thumb and, I guess, today you’d call it Angry Bird Thumb,” says Dr. James. “But with the explosion of texting plus the introduction of game systems that engage the whole hand and body, we have no idea what to expect. How does 80-plus hours a week of Just Dance for several years affect an adolescent? We simply don’t know.”

Even more disturbing to researchers is the emergence of widespread sleep thumbing. “REM sleep engages muscle memory. We believe this is the body’s way of releasing tension,” Dr. James explains. “However, we’re seeing many mobile phone users reporting frequent episodes of waking up while their thumbs are attempting to text a message on an invisible device.”

The average sleep thumber may send as many as 34 texts a night in his or her sleep.

The question is how to convince teenagers to cut down on what Dr. James calls “thumb time” now, before their thumbs become permanently tweaked.

The advice the WOH gives as a part of its International Thumbs Down campaign may surprise you.

“Encourage your children to speak to their friends through devices like the phone, Skype or iChat—if possible. No matter how fast their thumbs go, you can communicate a lot more information through your spoken words. In fact, if you’re using video chat, you can even skip the emoticons. :) .”

CC image by Steve Winton.


Malware Madness 2011


By Jason

Every year Americans celebrate the end of winter with a ritual called “March Madness”. 64 of the top college basketball teams from around the country compete in a tournament to decide who will be the National Champion. It’s a smorgasbord for hoops fans and—for a little while—the games get in the way of work, school and, occasionally, breathing.

You have to admire the fairness of the system. Anyone in the tournament can win and no one can predict what’s going to happen.

Internet security has the unpredictability of March Madness without any of the fairness or fun. There’s just no simple way to look at all the threats out there to see which you should worry about most… until now. That’s why we’ve put together our own Sinister 16.  But don’t expect any good sportsmanship here. It’s just 16 of the most ruthless online threats facing off to decide which one is the master of digital chaos.

Fill out your bracket and check back in a few days to see the winner.


Can Facebook use my name and profile picture in ads?


By Jason

If you are a Facebook member and like a Facebook page and/or mention a Facebook page in a wall update, Facebook can use your name and possibly your picture in ads that are shown to your friends.

In fact, your name might be appearing in a Facebook ad right now saying that you like a certain brand. Facebook opts everyone into Facebook Ads. And you probably know that because you’ve read Facebook’s Statement of Rights and Responsibilities so carefully.

You can opt out of letting Facebook use your name or profile picture in ads served to your friends:

  1. Go to Account, then Account Settings.
  2. Click Facebook Ads.
  3. Scroll all the way to the bottom and for “Show my social actions in Facebook Ads to”, select “No one”.

What do these ads look like?

Usually they look like this:

Your name and picture can also appear in Sponsored Stories.

According to Facebook, “Sponsored Stories are stories that your friends published into your News Feed. These show up on the right hand side of pages on Facebook. The types of stories that can be surfaced include: Page Likes, App interactions, Place check-ins and Page posts.”

TL;DR? You’ll only appear in a Sponsored Story if you mention a Facebook page using Facebook’s mention tool (which works like a Twitter mention: you type @username.)

You probably haven’t seen too many Sponsored Stories because the mention tool isn’t used all that often. And when it is, it might be used sarcastically to make a point. Like: @Starbucks parking lot is full again. I may have to go back to @No-Doz. You can only mention a page or profile you like using this method, which is good because that means you’ve, in a way, opted in twice to any brand that can use your image in Sponsored Stories.

Background

Facebook has used users’ names in ads for a while. Sponsored Stories launched in early 2011. This seemed to rekindle a Facebook meme where Facebook users complain to each other about how Facebook uses our names and images in ads.

We recently shared a link that stirred some controversy: “How to Stop Facebook from Using Your Name and Profile Photo in Facebook Ads.” From the reaction we saw, it seemed that many people needed a reminder about Facebook’s ad policies. However, one user suggested that we were being alarmist and participating in a meme that could be used to drive spam or even spam apps.

To be clear: Facebook isn’t allowing third parties to use your name and picture in their ads.

But they may soon, which is why this setting already exists.

To change that setting now:

  1. Go to Account, then Account Settings.
  2. Click Facebook Ads.
  3. At the top of the page, in the section “Ads shown by third-party applications”, where it says “Allow ads on platform pages to show my information to”, select “No one”.

Now if Facebook starts letting third parties use our names and images in ads, your name and image will not be used.

Why should I turn Facebook Ads off?

In a sense, Facebook is already allowing third parties access to your life and identity. You pick who you advertise—the pages you like—and to whom—your friends. But you can’t exclude certain pages or friends. Nor do you share in any of the ad revenue.

A good and bad thing is that only your friends will ever see you in ads. But do you want your boss to see you endorsing an alcohol product in the middle of a work day? Do you want your mother-in-law to know you ‘liked’ Justin Bieber as a joke? It could happen if you don’t opt out.

Why should I leave Facebook ads on?

Do you love Facebook and want to support their revenue growth?

Or maybe you love the pages you interact with and appreciate a subtle way to spread the word. You could enjoy being exposed to what your friends like and see this as a new way to interact. Or do you just not care very much about what your Facebook activity says about you?

Leave it on!

The fact is TiVo and ad-blockers have given us a way to avoid many of the advertisements that subsidize free content and services. Yet millions of us like brands on Facebook or follow them on Twitter. It seems many people don’t mind getting information from a brand; they just want control over what they see and how their identity can be used to market a product.

It doesn’t matter whether you opt in to or out of Facebook ads; what matters is that you make a conscious choice.

And when it comes to your image being used to endorse products to your friends, Facebook has made that choice for you. Is this another feature that one should have to opt-in to? I think so. Is it annoying enough to make me quit Facebook? I think Facebook is well aware that the answer to that question is “No.”

Cheers,

Jason


Computer Invaders: The 25 Most Infamous PC Viruses of All Time


By Sandra

From the first amateur hackers in the 80s to 2011, when international cyber sabotage is a reality, viruses have illustrated the frightening potential of human ingenuity. Here’s a brief look back at how computer viruses have evolved through the most important outbreaks of the last 25 years.

The first PC virus

1. Brain, 1986
More than a decade before anyone had ever heard of Napster, the first PC virus was designed to fight piracy. William Gibson, the author who came up with the word “cyber,” called Brain “basically a wheel-clamp for PCs.”

Basit and Amjad Alvi created and marketed medical software in Lahore, Pakistan. They were interested in two things. First, they wanted to check the multi-tasking functionality in the new DOS operating system (so-called “TSR” systems). Secondly, they wanted to see if there were security vulnerabilities in DOS compared to other operating systems such as Unix.

When they realized that DOS was quite vulnerable, they had the idea to write a snippet of software that would monitor how the software and the floppy disks move around. Brain spread virally via 3 1/4-inch disks, and within weeks, the Alvis had to change their phone numbers.

25 years after the creation of the first PC virus, in early 2011, F-Secure’s Mikko Hypponen went to Lahore, Pakistan to visit the address in the code. He found the Alvi brothers still there, running a successful business. The following video includes the first video interview Amjad and Farooq have ever given about Brain.

Some early fun

Most of the early viruses were variations of the same theme: “Gotcha!” Users knew they’d been infected because that was exactly the point. Like a digital pie in the face.

2. Stoned, 1987
Created by a high school student in New Zealand, Stoned was supposed to be harmless. It simply displayed the message “Your PC is now Stoned!” on your screen. However, as the first virus that infected a PC’s boot sector, Stoned established that viruses could control a computer’s function from the moment it turned on. Bob Dylan should be proud.

3. Form, 1990
Form became one of the most widespread viruses ever. On the 18th of each month, it produced a clicking sound from the PC’s speaker whenever a key was pressed. Annoying, but harmless.

Other variations on this early innocent sort of “gotcha” virus included V-Sign, which displayed a V on your screen. The Walker virus showed an elderly man walking across your screen. Elvira scrolled text in the “A long time ago, in a galaxy far, far away” style a la Star Wars. And then there was Joshi. Every year, on the Joshi’s birthday, this eponymous virus displayed a birthday message. The machine refused to boot up until the user typed “Happy Birthday Joshi.”

4. Michelangelo, 1992
Michelangelo would overwrite everything on a hard drive on specified dates. A variation of Stoned with much crueler intentions, Michelangelo was probably the first computer virus that made international news.

5. VCL, 1992
Virus Creation Laboratory made it easy to whip up a malicious little program by automating virus creation using a simple graphical interface.

Getting Destructive

Early MS-DOS and PC-DOS viruses did some damage to PCs, usually intentionally, but virus writers soon began actively seeking to wreak havoc by disabling computers.

6. Happy99, 1999
Happy99 was the first email virus. It greeted you with “Happy New Year 1999” and emailed itself to all contacts in your address book. Like the very first PC viruses, Happy99 did not cause any real damage, though it did spread to millions of PCs around the world.

7. Monkey, 1993
A distant relative of Stoned, Monkey secretly integrated itself into data files and spread seamlessly. It was the early ancestor of a rootkit, a self-concealing program, and it prevented booting from a floppy disk. When it was removed improperly, Monkey prevented any sort of booting at all.

Upgrading to Windows

In the early 90s, viruses became macro viruses and took on Microsoft’s new OS, Windows. Written in the same languages as applications like Microsoft Word, macro viruses appeared in late 1995. In just three months, they became the most common virus type in the world.

8. Concept, 1995
The first virus that infected Microsoft Word files, Concept became one of the most common viruses in the world because it could infect any OS that could run Word. Share the file, share the virus.

9. Melissa, 1999
Allegedly named after a female exotic dancer familiar to the virus writer, Melissa combined a virus and an email virus. It infected a Word file then emailed itself to all contacts in the user’s address book and became the first virus to span the globe in only hours. Melissa combined the jokey motivations of the early virus writers with the destructiveness of the era. This virus inserted comments from “The Simpsons” into users’ documents. Not so bad. But Melissa could also send out confidential information without the users’ notice. D’oh!

Not long after Melissa, Microsoft virtually eliminated macro viruses by changing how its Visual Basic macro language works within Office applications.

Crashing the network

Before firewalls, computer worms generated huge amounts of network traffic, disrupting systems by pure volume. These worms generally did not affect individual users but they could rock the infrastructure of both private businesses and governments.

10. Code Red, 2001
The first worm that spread without requiring any user interaction at all and thus spread around the world in minutes, Code Red hid from detection and carried out various functions on a cycle. On Days 1-19, it spread itself. From the 20th to the 27th, it launched Denial of Service attacks on various addresses including the White House. And from the 28th day till the end of the month, it rested.

11. Loveletter, 2000
The computer worm that broke millions of hearts, Loveletter is still one of the biggest outbreaks of all time. It spread via email attachment and overwrote many of the crucial files on the PCs it infected. This outbreak was an incredibly successful attempt at social engineering. Using the promise of love, it convinced millions to open the attachment, causing an estimated $5.5 billion in damage worldwide. Guess there are a lot of people out there looking for a little love.

12. Slammer, 2003
Network worms require just a few lines of code and a vulnerability to spark real world trouble. Slammer took down Bank of America’s ATM network and 911 services in Seattle. Even the air traffic control system was not immune.

13. Sobig, 2003
Sobig was a quick improvement on Fizzer (see below). Some versions waited for a couple of days after infecting a machine before turning affected machines into e-mail proxy servers. The result? Massive spam. AOL alone reported stopping more than 20 million infected messages on one day.

14. Mydoom, 2004
Mydoom spread over email and the Kazaa Peer-to-Peer (P2P) network. It set new records but was old school in the sense that the motive wasn’t monetary. Mydoom executed a Distributed Denial-of-Service attack on one particular website and opened a backdoor on infected computers, which left the machine open to remote access.

15. Sasser, 2004
Sasser came in through vulnerable network ports and slowed or crashed networks from Australia to Hong Kong to the UK.

Money. Money. Money.

In the last decade, the motive for virus writing has become obvious: Money. The technology still tends to be variations on a theme, but modern virus writers utilize advanced user psychology and social engineering to draw users into traps that they’d probably been warned about several times.

16. Fizzer, 2003
Fizzer was the first virus designed to make money. It arrived as an infected attachment. Once opened, it took over infected computers and forced them to send spam.

Ever-evolving threats

As the real-world impact of viruses was felt in the early 90s, business, government, software makers and the Internet security industry put fires out and collaborated to minimize threats. Virus writers, too, evolved to avoid detection, creating advanced malware that could even be programmed to be patient.

17. Cabir, 2003
The first mobile phone virus in history, Cabir targeted Nokia smartphones running the Symbian operating system. It was spread via Bluetooth and proved that whatever shape PCs evolve into, they will be targeted.

18. SDBot, 2003
SDBot was a Trojan horse that bypassed normal security to secretly control a computer. It created a backdoor that allowed the user to do several things including sniff for passwords and the reg codes of games like Half-Life and Need for Speed 2.

19. Haxdoor, 2005
Haxdoor was another Trojan horse that sniffed for passwords and other private data. Later variants had rootkit capabilities. Even Brain used techniques to cloak itself, but Haxdoor employed far more sophisticated methods. A modern rootkit can turn a computer into a zombie computer that can be controlled without the user’s knowledge, sometimes for years.

20. Sony BMG, 2005
In 2005, one of the biggest record companies in the world had the same idea that the Alvi brothers had in 1986: Use a virus to prevent piracy. On its audio CDs, it included a music player program and a rootkit that controlled how the owner could access the audio tracks. The result was a media firestorm and a class-action lawsuit that ended with Sony offering users money and free downloads.

Cyber Sabotage

Computer viruses have had real world effects for decades, but in 2010 a computer virus may have changed the course of history.

In November of 2010, Iranian President Mahmoud Ahmadinejad confirmed that a cyber attack had indeed caused problems with their nuclear centrifuges. And in January of 2011, Russia’s ambassador to NATO said that Stuxnet could cause a “new Chernobyl.”

21. Stuxnet, 2010
An unusually large Windows worm, about 1000% larger than the typical computer worm, Stuxnet most likely spread through a USB device. It infects a system, hides itself with a rootkit and checks whether the infected computer is connected to a Siemens Simatic factory system. If the worm finds a connection, it then changes the commands sent from the Windows computer to the PLCs (Programmable Logic Controllers), i.e., the boxes that actually control the machinery. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

F-Secure Labs estimates that it would take more than 10 man-years of work to complete Stuxnet. This complexity and the fact that it could be used to impair the ability of a centrifuge to enrich uranium while providing no monetary gain suggest that Stuxnet was probably developed by a government—though which government is unclear.

22. Storm Worm, 2007
Machiavelli said it’s better to be feared than loved. Seven years after Loveletter, Storm Worm capitalized on our collective fear of bad weather and first spread generally via an email message with the subject line “230 dead as storm batters Europe.” Once the attachment was opened, a Trojan backdoor and a rootkit forced the PC to join a botnet. Botnets are armies of zombie computers that can be used to, among other things, send out tons of spam. And this one sucked in ten million computers.

23. Mebroot, 2008
Mebroot was a rootkit built to hide from the rootkit detectors that quickly became part of many Internet security suites. It is so advanced that if it crashes a PC, Mebroot will send a diagnostic report to the virus writer.

24. Conficker, 2008
Conficker quickly took over millions of computers all over the globe. It exploits both flaws in Windows and weak passwords, along with several advanced techniques. Once a system is infected, further malware can be installed and the user is even prevented from visiting the websites of most Internet security vendors. More than two years after it was first spotted, more computers are infected by the worm every day. F-Secure’s Chief Research Officer Mikko Hypponen has said that in many ways Conficker is still “a great mystery.”

25. 3D Anti Terrorist
This trojanized “game” targets Windows Mobile phones and was spread via freeware sites. Once installed, it starts making calls to expensive numbers, leaving you with large charges. This strategy of hijacking a mobile app or cloaking a malicious app is still new, but it’s likely to be one of the main ways the virus writers will attack mobile devices.

Where are we 25 years after Brain?

In 2011, a PC running an updated version of Windows 7 is quite secure, especially when running updated security software. Now that we know more about viruses, we know how to fight them, and ideally prevent them. So, hopefully, in 25 years viruses will have gone the way of macro viruses and we won’t have to make a new list.

Cheers,

Sandra

Why and how to secure your Facebook and Twitter browsing

By Jason

In October 2010, Firesheep made it easy for anyone on the same unsecured wireless network as you to take over your Twitter or Facebook session. This was possible because neither Twitter nor Facebook had a default secure browsing (SSL) setting.

Twitter users complained that you actually had to type “s” in your browser bar (like this: https://twitter.com) to secure your session, while Facebook offered no secured browsing setting at all. So Facebook rushed out an https solution in early 2011.

Then Ashton Kutcher—who has replaced Tom from MySpace as everyone’s friend on the Internet—had his Twitter hacked at a TED conference, allegedly. I say allegedly because the tweets—one of which said “Dude, where’s my SSL?”—are still online and Kutcher clearly has control of the account. A little over a month later, Twitter added the default https option.

Sidejacking—while likely illegal and definitely unethical—offers hackers more potential for mischief than financial gain.

If you use unsecured wireless without a VPN, which isn’t a great idea, using URLs that begin with https is the only way to protect your account from a trouble maker. You’ll notice your bank and most login pages automatically send you to a secured page.

If you are a Facebook or Twitter user who ever uses unsecured networks, you should activate secured browsing now. Once you use secured browsing in Facebook and Twitter, not only will your session activity be secured but you’ll also automatically get a secured page when you log in via any browser you’ve used since you secured your account.

(Default secure browsing is only reliable when using Facebook and Twitter through a web browser. From what I see, Facebook mobile apps do not use SSL. Official Twitter apps will use SSL by default if you select the option, but you have to check if your third-party apps offer this feature.)
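
What makes the sidejacking described above possible is that the browser identifies your logged-in session with cookies, and any cookie not marked Secure is also sent over plain http. The following JavaScript is an added example, not code from Facebook, Twitter or Firesheep: it audits a captured response for that weakness. The host social.example, the cookie names and the sample headers are constructed for illustration.

```javascript
// Added example: would this response leave a session open to sidejacking
// on an unsecured wireless network? All sample data below is constructed.

// Parse one Set-Cookie header value into its name and attribute flags.
function parseSetCookie(value) {
  const parts = value.split(';').map((p) => p.trim()).filter((p) => p !== '');
  const pair = parts.shift() || '';
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Attribute names are case-insensitive; their values (Path=/ ...) are ignored here.
  const attrs = new Set(parts.map((p) => p.split('=')[0].trim().toLowerCase()));
  return { name, secure: attrs.has('secure'), httpOnly: attrs.has('httponly') };
}

// Audit one response: { url, headers: [[name, value], ...] }.
function auditSession(response) {
  const overHttps = new URL(response.url).protocol === 'https:';
  let hsts = false;
  const cookies = [];
  for (const [name, value] of response.headers) {
    const header = name.toLowerCase();
    if (header === 'set-cookie') cookies.push(parseSetCookie(value));
    // Browsers only honour this header when it arrives over https.
    if (header === 'strict-transport-security' && overHttps) hsts = true;
  }
  // A cookie set over http was already readable on the air. A cookie set over
  // https but without Secure is attached to later plain-http requests too, so
  // one unsecured page load (for example the app page that drops you out of
  // secured browsing) exposes it.
  const exposed = cookies
    .filter((c) => !overHttps || !c.secure)
    .map((c) => c.name);
  return { overHttps, hsts, exposed, sidejackable: exposed.length > 0 };
}

// Constructed sample: the whole session runs over http.
const SAMPLE_HTTP = {
  url: 'http://social.example/home',
  headers: [
    ['Content-Type', 'text/html'],
    ['Set-Cookie', 'session=CONSTRUCTED123; Path=/; HttpOnly'],
  ],
};

// Constructed sample: https page, but the session cookie lacks Secure.
const SAMPLE_MIXED = {
  url: 'https://social.example/home',
  headers: [
    ['Set-Cookie', 'session=CONSTRUCTED123; Path=/; HttpOnly'],
    ['Set-Cookie', 'prefs=lang-en; Path=/; Secure'],
  ],
};

// Constructed sample: https, Secure session cookie, and HSTS.
const SAMPLE_HARDENED = {
  url: 'https://social.example/home',
  headers: [
    ['Strict-Transport-Security', 'max-age=31536000'],
    ['Set-Cookie', 'session=CONSTRUCTED123; Path=/; Secure; HttpOnly'],
  ],
};

for (const sample of [SAMPLE_HTTP, SAMPLE_MIXED, SAMPLE_HARDENED]) {
  const result = auditSession(sample);
  console.log(sample.url, result.sidejackable ? 'EXPOSED:' : 'ok', result.exposed.join(', '));
}
```

The middle sample is the case to watch for: the page itself is https, yet the session can still leak the first time the browser makes an http request to the same site.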

How to turn on secure browsing in Facebook

(Warning: This feature may slow your Facebook browsing experience. So you may not want to use it if you are in a secured network or use a VPN.)

Go to Account, then Account Settings.

By Account Security click “Change”.

Under “Secure Browsing (https)”, click the box that says “Browse Facebook on a secure connection (https) whenever possible”.

Now, if you ever use an app, you’ll see this message.

WARNING: If you click continue, you are no longer in secured browsing. Whoops.

As soon as you finish with the app, go back and repeat this process. You need to reactivate the setting before you log out in order to get a secured login page the next time you want to use your Facebook account.

How to turn on secure browsing in Twitter

While logged in to Twitter via a web browser, go to settings.

Next to “HTTPS Only” click the box that says “Always use HTTPS.”

Click “Save”.

Dude, there’s your SSL.

Cheers,

Jason

5 things that may surprise you about the first PC virus

By Sandra

In early 2011, 25 years after the creation of the first PC virus, F-Secure’s Chief Research Officer and legendary code warrior Mikko Hypponen went on a journey to find the creators of the first virus.

Here are a few intriguing facts about the first PC virus:

  1. The gentlemen who wrote the virus—Amjad Farooq Alvi and Basit Farooq Alvi—included their name, address and phone number in the code. Before long, of course, they had to change that phone number.
  2. The name of the virus—Brain—is also the name of a successful telecommunication business that the brothers still run in Lahore, Pakistan.
  3. The virus could only be spread via 5 ¼-inch floppy disks and still managed to reach around the globe in a matter of weeks.
  4. The first PC virus was also the first rootkit, a program designed to conceal itself.
  5. The brothers designed Brain to test the multi-tasking functionality in the new DOS operating system.

What was the most interesting thing you learned from Mikko’s trip to Pakistan? Let us know in the comments.

The 5 dumbest things you can do online

By Jason

When you spend as much as one third of your life online, it’s easy to make a dumb mistake. The wrong click can trigger an unnecessary chain of events that will cost you time, money and focus.

Here are the 5 dumbest things you can do online. They’re so dumb that you’re probably not doing any of them. But you might want to check just to make sure.

  1. Believing it can’t happen to you
    I’ll admit it. I’ve fallen for quite a few of the scams that are out there. I’ve clicked on a bad attachment, once. I clicked a bad link in an email, in an IM, on a MySpace page, once. I got phished on Twitter, once. If I didn’t have Internet security software and some good luck, I would have suffered some lasting consequences or embarrassment for those mistakes. Fortunately, the only harm was being reminded how scammers and spammers will find a way to use any new communication technology. That’s a lesson I learn whenever I get cocky online and forget to think before I click.
  2. Use the same key for every door
    61% of targeted attacks in 2010 relied on malicious PDF documents. Almost every PC user with a credit card has a PDF reader on their PC, so cyber criminals are looking for ways to make PDFs profitable. So why use the most popular PDF reader in the world if it will suffer the brunt of the attacks? Why use the most popular anything? Seek out alternatives, especially when it comes to creating passwords and security questions. Make sure your password isn’t the world’s most popular password, which is “password”. Make the passwords for all of your most important accounts unique and strong. And make sure the answers to your security questions cannot be guessed by Googling you or looking at your Facebook profile.
  3. Ignore your browser bar
    Do you check your browser bar to see what URL you are really on before you log in to your Facebook, Twitter or bank accounts? Criminals can fake the look of almost any website in the world. But they can’t fake the URL. Whenever you’re entering login information or buying anything, give that browser bar a check to make sure you haven’t landed on a site you don’t know or trust.
  4. Confuse links with your friends
    Social spam exploits the trust we have for our online friends. I’m not likely to open a spam email from a stranger. But whatever my mom or wife sends me catches my eye. Thus, I’m more likely to click a bad link in an email from my wife and continue the outbreak. Spam is contagious. Click the wrong link on Facebook and you could end up spamming all of your friends and you may continue spamming them until you remove the spam app from your account. Most of your friends are probably on Facebook and they all are making the same mistakes at least once. New studies show that bad links on social sites are as common as they are on porn sites. So never forget, links are not your friend. Pause before you click on a link in your Facebook News Feed. If you see a link that includes OMG! or LOL or something inappropriately sexual or shocking, copy it and check it with our free Browsing Protection.
  5. Expect free to be “free”
    In Silicon Valley, there’s a saying: If you aren’t paying for a product, you are the product. That means Facebook’s product isn’t a set of tools that makes it easier for friends to connect. Facebook’s product is the 650 million people it can market to using the trust we all have for our friends. Gmail scans your email to deliver ads based on your intimate communication. That’s the cost of using the site. Sites that share free movies and music may also be sharing free malware. On the Internet, “free” is just another word for “Watch out!” Facebook definitely has some privacy problems. It will continually push you to share more and more without ever telling you what not to share. Sharing is their business; encouraging shyness isn’t. So always remember the mantra: never expect anyone else to protect your privacy.

Being savvy doesn’t mean being paranoid. Just know that criminals will use anything—including the trust you have for your friends and your favorite Internet companies—to trick you. So think before you click. If you don’t have time to think, wait to click.

And just in case, make sure that your system is secure and your software is patched and protected. Our free Health Check makes that easy.

Cheers,

Jason



10 Internet security tips that John would never follow

By Sandra

First of all, if you haven’t done it yet, please take this quick quiz to find out if you’re smarter than the guy in the video below. (After you complete the quiz, you can enter to win an Xbox 360 and a Kinect.)

Now that you took the quiz and know how much smarter you are than John, here’s a quick review of why you shouldn’t do anything John does online.

1. Use unique, strong passwords for all of your important accounts.
John uses the same password for every account. That means if a hacker gets a hold of John’s Twitter password, that hacker would have access to every account John uses at work or at home. Creating and remembering unique, strong passwords is a must for your most important accounts. This system for creating and remembering strong passwords makes it easy.

2. Keep your computer’s software patched and protected.
You probably know which operating system you’re running. John doesn’t. He thinks it’s the one with the “windows.” A PC or a Mac running the latest versions of Windows 7 or OS X is probably as safe as any PC since the birth of the virus. However, if your OS and your applications aren’t patched you may be vulnerable to the kind of attacks John has to deal with on a daily if not hourly basis. Checking all of your applications for updates on a regular basis can be time-consuming. Our free Health Check makes it easy.

3. Realize that you’re vulnerable when you’re on an open Wi-Fi network.
When you use an open Wi-Fi network, the data you enter is only encrypted on secure pages, which start with https. Banks and credit card companies encrypt their sites; however, not all web email is encrypted. If you’ve ever emailed passwords or personal information, it could be accessible to a hacker. On an unsecured Wi-Fi network, you could get sidejacked by someone using a tool like Firesheep. Using the tracking data in your browser, a hacker can easily pretend she or he is you.

If you have to check your email or get on a social network and you only have open Wi-Fi, make sure you are using a secured session.

How to Secure Sessions

VPN
A virtual personal network is the best way to defend yourself from any snoopers. Most large companies insist on their employees using a VPN while doing any business over a wireless network. That’s a strategy John would never follow, but you should, especially if you make purchases or work with confidential information while on public Wi-Fi. Here are some strong VPN options for you to consider.

HTTPS Everywhere

If you use Firefox, you can use HTTPS Everywhere by The Tor Project and the Electronic Frontier Foundation, which will encrypt your communications on several major websites.

Twitter
You can secure any Twitter session by typing in an “s” after the http in the browser bar. If you click here, you’ll go to https://twitter.com and your session will remain secure until you log out.

Facebook
This feature is still being rolled out to some users. And it is not entirely secure.

You can activate secured browsing by logging in. Then go to Account> Account Settings> Under “Account Security”, check the box for “Browse Facebook on a secure connection (https) whenever possible”.

PLEASE NOTE: If you use an app, any Facebook app, you’ll get a warning that you are now entering unsecured browsing.

If you continue on to unsecured browsing, your session is now unsecured and you are vulnerable to a sidejacking attack. You will have to return to the same setting when you are done with the app to enable secured browsing again.

John was recently sidejacked by a friend who posted a hilarious Photoshop of John in the bathtub. Too bad it happened on a day when the HR department of a company that was about to hire John checked out his profile.

Gmail
Log in and go to the “Options” wheel in the uppermost right corner.

Select “Mail settings”.

Under “Browser connection”, select “Always use https”.

Hotmail

Go to https://account.live.com/ManageSSL and log in if you have to.

Select “Use HTTPS automatically (please see the note above)”. And check out the note for the exceptions, of course.

4. Check to make sure a site is legitimate and secure before you make a purchase.
John will buy anything from any site. He bought his Snuggie from a website that had more pop-ups than the old AOL. Don’t be like John. Stick to online stores with good reputations. When you try out a new retailer, do a quick search for customer feedback. If you are still unsure, save yourself the trouble and money. Even if you trust a site, always check the URL of the page for two things before submitting your credit card number: 1) Is it a secured https page that will encrypt your information? 2) Am I really on the site I meant to be on? Try to use one credit card for all your online shopping and check the activity on that account often. Check out these safe shopping tips.

5. Don’t be afraid to reject or ignore a Facebook friend request.
On Facebook, one wrong click and you could end up spamming your friends with something that will definitely waste their time and possibly your money. The best way to avoid becoming a victim or perpetrator of spam is to eliminate spam from your news feed. This requires you to friend only people who are careful where they click. John, of course, lets spammers go on spamming as he adds more and more friends. You, however, should be careful who you add. If a friend shares some spam, inform them in a friendly way that they may have made a mistake. If it keeps happening, unfriend her or him.

Something else to remember: If you wouldn’t tell someone in person that you’re going to be out of town, don’t use Facebook to do so. If your Privacy Settings are set to “Friends of Friends”, you could be sharing your travel plans with thousands of people when you post them on Facebook. Before you post anything, ask yourself, “Would I be okay if all the friends of my friends’ friends knew this?” If your friends are anything like the average Facebook user, you could be thinking about more than a million people. (The average Facebook user has 120 friends. 120 X 120 X 120 = 1,728,000 friends you could be sharing with.)

6. Never use a password that is in the dictionary or could be guessed by a friend.
We’re back to passwords again because they can tend to be a weak link in many users’ security. And this weak link can be easily strengthened. The number of people who use “password” or their first name to secure their accounts is mind-blowing. Even John wouldn’t be that silly. It’s just as silly to use any word in the dictionary. Why? Because when a hacker uses a program to figure out your password, what do you think it tries first? Your passwords have to be unique and complex. They should also not be anything that could be guessed by a friend. If someone you know can guess your password, a stranger might be able to do the same thing by studying your Facebook profile.

7. Keep an eye out for Phishing Scams, even when you’re on your phone.
A Phishing Scam is a sneaky attempt to get you to turn over your financial data to criminals. That’s right: crooks have found that Internet users, like John, will occasionally just hand over the account information needed to commit credit card fraud. All they have to do is pretend to be a trustworthy site with official looking graphics and people fill in the forms and click submit. The best way to avoid Phishing scams is to check the URL of the webpage you are on to make certain it is on the domain of the bank or institution you think it is. Also, be skeptical of any email that contacts you asking you to change your password. If you’re ever in doubt, contact the institution directly. All of your accounts have value to a scammer, so keep in mind that you can even be phished for your Facebook account—and even when you’re on your phone. That’s why our Mobile Security blocks such scams.

8. Password protect your Wi-Fi network.
There are plenty of good reasons to secure your home Wi-Fi network. You don’t want your neighbors to have access to private info. You don’t want strangers to slow down the connection you’re paying for. You don’t want people to use your connection to take part in illegal activities. The only reason to leave it open is if you want to give someone like John access to your digital life. Here’s how to set up a security key for your wireless network.

9. Don’t open strange email attachments (without scanning them).
The first computer security rule you probably learned was “Don’t open email attachments from strangers.” This is still true—even though John forgot it long ago. In fact, targeted attacks that use social engineering and profile their victims are becoming more advanced all the time. You should still refuse to open any attachment that you were not expecting. If you feel you must open an attachment, download it to your PC and scan it with your Internet security software first. Here’s more on how to deal with email attachments.

10. Don’t expect anyone else to protect your privacy.
Do you blame your telephone when you use it to tell someone something you shouldn’t? Then you can’t only blame Facebook when you post information that may cause you trouble. Even when you use the privacy settings correctly and keep your account under control, your information is only as secure as the people you share it with. If you need to share any information that could cause you trouble at work or could be used to answer your security questions, use private messages, email or even that old-fashioned marvel, the telephone. And never, under any circumstances, shout your password in public through a megaphone. John still hasn’t learned that one yet.
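
Tips 4 and 7 both come down to reading the URL before you type anything into the page. As an added example (not part of the original post), this JavaScript function asks the same two questions in code and also catches a few URL shapes that only look right at a glance. The function names, the bank.example domain and every sample URL are constructed for illustration.

```javascript
// Added example: the two URL questions from tips 4 and 7, as code.
//   1) Is it a secured https page?
//   2) Am I really on the site I meant to be on?
// checkLoginUrl, reviewAll and all sample URLs are constructed.

function checkLoginUrl(rawUrl, expectedDomain) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { ok: false, host: null, problems: ['not a valid absolute URL'] };
  }
  const problems = [];

  if (url.protocol !== 'https:') {
    problems.push('not https: anything typed here travels unencrypted');
  }

  // Everything before an "@" is login info, not the site name.
  // The real host is what follows it.
  if (url.username !== '' || url.password !== '') {
    problems.push('text before "@" is not the site name');
  }

  // Drop a trailing dot so "bank.example." compares like "bank.example".
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const expected = expectedDomain.toLowerCase();

  // The URL parser turns non-ASCII letters into "xn--" labels, which
  // makes lookalike characters visible.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    problems.push('host contains non-ASCII letters (possible lookalike)');
  }

  // The expected domain must be the END of the host, at a dot boundary.
  // Appearing at the start or in the middle proves nothing.
  const onDomain = host === expected || host.endsWith('.' + expected);
  if (!onDomain) {
    problems.push('host "' + host + '" is not on ' + expected);
  }

  return { ok: problems.length === 0, host, problems };
}

// Constructed samples: one genuine URL and five that should be rejected.
const SAMPLE_URLS = [
  'https://www.bank.example/login',
  'http://www.bank.example/login',
  'https://www.bank.example.account-check.example/login',
  'https://www.bank.example@account-check.example/login',
  'https://notbank.example/login',
  'https://www.b\u0430nk.example/login', // Cyrillic letter in place of Latin "a"
];

function reviewAll(urls, expectedDomain) {
  return urls.map((u) => ({ url: u, ...checkLoginUrl(u, expectedDomain) }));
}

for (const r of reviewAll(SAMPLE_URLS, 'bank.example')) {
  console.log(r.ok ? 'OK     ' : 'REJECT ', r.url, r.problems.join('; '));
}
```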

Which of these tips is most important? Which is John least likely to follow? Let us know in the comments.

Cheers,

Sandra



F-Secure Mobile Security in action

By aliafs

Installing an infected program

Zimry, a Malware Analyst in F-Secure’s Kuala Lumpur Labs, was recently doing some analysis on malware designed to infect Android phones. During the analysis, he ran some malicious samples on a smartphone installed with F-Secure Mobile Security to make sure the phone would be protected.

Since Safe and Savvy has been writing about mobile security, we thought we’d use this sample to show you our Mobile Security in action.

The test samples used were related to the new Android trojan, which seems to be targeted towards users in mainland China and is being distributed on free file-sharing networks there. The samples were trojanized programs – that is, an attacker took legitimate programs, inserted their own malicious code and recompiled the program to create malware. The samples we’ve seen so far came from a third-party application provider in China. Most of the programs are advertised as offering wallpaper for phones.

At right (above) is an example of an infected program being installed on the test phone. During the installation process, the file is scanned by Mobile Security – and it is detected as infected.

Scanning results

Some users don’t have Mobile Security set to automatically scan files at installation, in which case the infection is only discovered when the phone is manually scanned. After a manual scan, the user would see a notification like the one at left, informing them that the programs are infected.

As you can see, Mobile Security detects the infected files as two trojans, from two separate families:

  • Trojan:Android/Adrd.A
  • Trojan:Android/Geinimi.A

Adrd trojans behave as straightforward (but still nasty) Trojan-Clickers, whereas trojans from the Geinimi family are more sophisticated, almost powerful enough to be classed as Backdoor programs.

Another feature Zimry tested was Browsing Protection. He tried browsing a website known to be a phishing site. On an unprotected mobile browser (i.e., no antivirus installed), he managed to get to the actual phishing screen with no warning:

Phishing site

On the test phone however, since he had Browsing Protection enabled, what he saw was this:

Warning

Since harmful sites like this may also be hosting trojans, Browsing Protection would also be a good precautionary measure against unintentionally coming across and downloading such malware.

So it’s nice to know Mobile Security works at three key points – potential download, during installation and on scanning.

Are you using our Mobile Security? You can still try it out for free. We’d appreciate your feedback. All pertinent comments/suggestions/constructive criticisms will be passed to the development team to improve our protection.

Thanks,

Alia

Take control of your Facebook News Feed

By Jason

You may be missing updates from friends and pages you care about due to a change Facebook has made in its news feed. As a default, Facebook is only feeding news from the people and places you interact with most. So an old friend, for instance, may have announced a marriage engagement you may have missed. (Of course, you may have also been spared hundreds of Farmville requests.)

To ensure you’re seeing everything in your feed, just log in to Facebook. At the top of your news feed, click “Most Recent”. Then click the arrow next to “Most Recent”.

Then under “Show Posts From:” select “All friends and pages.”

Done.

Notice the difference? As our friend on Facebook Amber who alerted us to this issue last week said, “I just can’t believe how much feed I’ve been missing for the last couple of months!”

Why did Facebook do this?

We know the average Facebook user follows more than two hundred friends, pages, groups and events. That makes a Facebook feed flow fast and furiously.

Facebook knows that the more likely you are to engage with your feed, the longer you’ll stay on the site. And who are you most likely to interact with? Someone you’ve interacted with before.

About five years ago, before Facebook became Facebook, I was working at a big digital media company trying to build a social network to compete with MySpace. Industry research was saying that most people didn’t know what to do once they logged into a social network and the solution to this problem was the news feed. For industry research, this was a pretty good prediction. In some way it predicted the appeal of Twitter.

But it wasn’t until Facebook opened its API to third-party developers that the news feed became the lifeblood of the hugest social network phenomenon of the digital age. Facebook will do anything it can to keep your feed vital and addictive—even if it means dropping some of your friends out of your news feed.

Why should I change it back?

We admit it. We’re prejudiced. We want you to follow us on Facebook and see the Internet security tips and news we share. But we also want you to keep in contact with the people and things you care about most, even if it isn’t F-Secure.

By taking people out of your feed, Facebook is enabling over-friending and following. This can become a security or spam problem if you’re following the wrong people. But you shouldn’t be following the wrong people. By keeping a realistic view of who you’re actually following, you’ll know when you need to audit your account.

Isn’t this good? It’ll prevent spam.

Maybe it will suppress spam. But the best thing we all can do to stop spam is to warn our friends that they’re sharing questionable or spammy apps. And if the spam continues, unfriend them.

Cheers,

Jason

Are you sharing your location without knowing it?

By Jason

We have different definitions of privacy. You may not want anyone but your Facebook friends to know what you did last night. I may blog about my hourly wage and tweet my first kiss and share every credit card purchase I make.

The key element of privacy is choice. You don’t want to share your location, for instance, with strangers so you don’t do it.

Or do you?

A picture used to be worth a thousand words. But that was before metadata. Now, in some ways, a picture can read your mind—or at least find you on a Google Map. When the digital camera on most smartphones takes a picture, an EXIF (Exchangeable Image File) is automatically created. EXIF files include a lot of data that can be very useful to analyze and track photos. They may also include the exact location where a photo was taken.

That means that if you share your photo on Twitter or Facebook, you could be sharing your location—possibly with the whole world. Go to ICanStalkYou.com and you’ll see thousands of examples of people sharing their location, often without even realizing it.

If you aren’t a celebrity or living in a region where kidnapping is prevalent or being stalked by an ex, you might be fine with people knowing where you are. But the key to privacy is choice. Do you want strangers to know where you are? If the answer is no, you need to turn off geotagging on your phone.

ICanStalkYou.com explains how to shut geotagging off now. And Lifehacker offers instruction on how to remove the information from the photos you’ve already taken.
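
To check what a photo gives away before you post it, the EXIF block can be inspected directly. The following Python sketch is an added example, not code from the original post: it reads the GPS tags from a JPEG's EXIF segment and returns a copy with that segment removed. The sample photo bytes, the coordinates in them and all function names are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"

def build_sample_jpeg():
    """Constructed sample: SOI + one APP1/EXIF segment holding a GPS IFD + EOI."""
    def rationals(d, m, s):
        return struct.pack("<6I", d, 1, m, 1, s, 1)
    def entry(tag, typ, count, value):
        return struct.pack("<HHI4s", tag, typ, count, value)
    # IFD0 has one entry: tag 0x8825 (GPSInfo) pointing at the GPS IFD.
    ifd0 = (struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", 26))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + entry(1, 2, 2, b"N\x00\x00\x00")           # GPSLatitudeRef
           + entry(2, 5, 3, struct.pack("<I", 80))      # GPSLatitude
           + entry(3, 2, 2, b"E\x00\x00\x00")           # GPSLongitudeRef
           + entry(4, 5, 3, struct.pack("<I", 104))     # GPSLongitude
           + struct.pack("<I", 0))
    tiff = (b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
            + rationals(60, 10, 15) + rationals(24, 56, 15))
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def segments(data):
    """Yield (marker, start, stop) for each header segment before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start of scan: metadata is over
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or corrupt segment")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, offset, end):
    """Return {tag: (type, count, raw 4-byte value field)} for one TIFF directory."""
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(end + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries

def to_degrees(tiff, entry, ref, end):
    """Convert a degrees/minutes/seconds rational triple to signed decimal degrees."""
    typ, n, raw = entry
    if typ != 5 or n != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (offset,) = struct.unpack(end + "I", raw)
    d, dd, m, md, s, sd = struct.unpack_from(end + "6I", tiff, offset)
    if 0 in (dd, md, sd):
        raise ValueError("zero denominator in GPS coordinate")
    value = d / dd + m / md / 60 + s / sd / 3600
    return -value if ref in (b"S", b"W") else value

def read_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS tags, else None."""
    for marker, start, stop in segments(data):
        body = data[start + 4:stop]
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if end is None:
            raise ValueError("bad TIFF byte-order mark")
        try:
            (ifd0_off,) = struct.unpack_from(end + "I", tiff, 4)
            ifd0 = read_ifd(tiff, ifd0_off, end)
            if 0x8825 not in ifd0:          # EXIF present, but no GPS directory
                continue
            (gps_off,) = struct.unpack(end + "I", ifd0[0x8825][2])
            gps = read_ifd(tiff, gps_off, end)
            if not all(tag in gps for tag in (1, 2, 3, 4)):
                continue
            lat = to_degrees(tiff, gps[2], gps[1][2][:1], end)
            lon = to_degrees(tiff, gps[4], gps[3][2][:1], end)
        except struct.error as exc:
            raise ValueError("malformed EXIF block") from exc
        return lat, lon
    return None

def strip_exif(data):
    """Return a copy of the JPEG with every APP1/EXIF segment removed."""
    out, last = bytearray(), 0
    for marker, start, stop in segments(data):
        if marker == 0xE1 and data[start + 4:stop].startswith(EXIF_HEADER):
            out += data[last:start]
            last = stop
    return bytes(out + data[last:])

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", read_gps(photo))
    print("after: ", read_gps(strip_exif(photo)))
```

Removing the whole EXIF segment also drops harmless fields such as camera model and orientation, which is the simplest safe choice for a photo you are about to share publicly.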

If you take control of your location privacy, you won’t have to think twice next time someone says, “See you around.”

For more on this subject, check out: “Can I Stalk You? An Intro to Location-Based Service Security”

Cheers,
Jason

CC image created by daniellehelm

http://safeandsavvy.f-secure.com/2010/08/31/location-based-services/
The 1 Facebook privacy feature you need to master

By Jason

Last week, a poll said that as many as 70% of Facebook users expressed concern about privacy. In response, several sites published worthwhile lists about Facebook’s privacy settings.

Mashable offered “Facebook Privacy: 10 Settings Every User Needs to Know”. All Facebook answered with “The 10 Facebook Privacy Settings You Need To Know”. Then NetworkWorld focused on “Facebook Privacy: 4 Valuable Yet Hard to Find Settings”.

All of these posts are quite useful. They all focus on Facebook Places, Instant Personalization and the secure browsing setting Facebook recently enabled. Some of these features are only available to people in the US and the UK. Yet all of these features are far less important if you become a master of Facebook’s most crucial privacy feature.

What is this one feature that you can use properly and make all the other privacy settings irrelevant?

You guessed it: the “Share” button.

That’s right, if you don’t share things that might embarrass or harm you if the wrong people see them, you won’t have to worry about your privacy on Facebook.

No matter what your settings are, you cannot stop someone from sharing something you’ve posted. A judge in the US recently ruled that once a photo gets posted, it’s free to be shared no matter what your privacy settings are.

Of course, you can master the privacy settings. You can limit your friends list to those you truly trust. You can even decide on a case by case basis who you want to see your posts.

But you still have to recognize the public nature of sharing on Facebook. That’s why I stick to emailing the information and media I don’t want to share with the world.

Facebook’s privacy features are complex and—when it comes to apps, Instant Personalization and photo tagging in particular—questionable. But Mark Zuckerberg and his 650 million friends can’t force you to publish anything you don’t want to publish.

So if you truly want to protect your privacy, use that “Share” button very carefully.

Cheers,

Jason

25 Years Into the Future Sweepstakes: Win a HP Pavilion Laptop

By Sandra

This sweepstakes is now closed. ‘Like’ us on Facebook for more giveaways and Internet security tips.

February 8th is Safer Internet Day. This annual event promotes safer and more responsible use of online technology and mobile phones, especially amongst children and young people across the world. Internet safety is not a game. Do you know how to talk to your kids about online safety?

What’s special to us about this Safer Internet Day is that it comes almost exactly 25 years since the first computer virus emerged into the wild. From 1986 to 2011, the digital world–and the threats we face–have evolved with the speed of Moore’s law.

Think about the way the technology has evolved since 1986, when a virus could only be spread by physically putting a 5.25-inch floppy disk into a PC that weighed as much as a very healthy turkey. Today, the tiny computer/smartphone you carry in your pocket is exponentially more powerful than those first PCs. Remember crossing your fingers as you tried to connect to the Internet through a modem? Today we go online wirelessly from almost anywhere, even at 30,000 feet in the air.

So, what do you think the next 25 years will bring? How will we use the Internet in 2036?

We’re inviting you to share your predictions for a chance to win an HP Pavilion dm1z series laptop protected by F-Secure Internet Security, AV-Comparatives Product of the Year for 2010. And you can enter to win up to three times.

Entry #1: In the comments of this post, answer the question: What do you think the Internet will be like in 25 years? You can focus on the hardware or security or gaming or video or any aspect of digital life in the future that interests you.

Entry #2: Make a video of your answer to the question “What do you think the Internet will be like in 25 years?” Post the video on YouTube or any video sharing site, then link to your video in an ADDITIONAL comment on this post. (We’ll be featuring some of these videos. If we use yours, we’ll give you a 1-year license to F-Secure Internet Security.)

Entry #3: Change your Facebook or Twitter profile image to a picture from 1986 (or as close as you can get) to commemorate Internet Safety and the anniversary of Brain. If you’re younger than 25, you can use a picture of your parents from 1986. Then let us know you did by posting an ADDITIONAL comment on this post. You can link your profile or just post the words “Changed my profile picture.”

Read the rules and enter up to three times now. We can’t wait to hear what you have to say.

Cheers,

Sandra

What does it mean to be AV-Comparatives Product of the Year?

By Sandra

Hopefully you’ve heard by now that F-Secure Internet Security was named Product of the Year for 2010 by AV-Comparatives—the prestigious Austrian non-profit that provides independent Anti-Virus software tests free to the public.

Here’s Andreas Clementi, CEO of AV-Comparatives, presenting the award to Mika Stahlberg, VP F-Secure Labs.

You might wonder: what does AV-Comparatives look for when naming its product of the year?

“To be rated ‘Product of the Year’ by AV-Comparatives, an anti-virus program must have very high detection rates of malware, high proactive detection, produce very few false positives, scan fast and reliably with low system impact, protect the system against malware/websites with malicious software without relying significantly on user decisions/interactions, cause no crashes or hangs, and have no annoying bugs.”

Basically, the Product of the Year needs to protect you and your PC nearly flawlessly without bothering you. That has always been our goal, and it’s simply awesome to see that AV-Comparatives recognizes that we’re achieving it.

This incredible honor tops off a great 2010 for F-Secure that included seven Advanced+ scores – the highest possible scores in AV-Comparatives’ tests that measure the protection and performance of the major antivirus products on the market. F-Secure Internet Security 2011 also won the Gold Awards for the Whole-Product Dynamic Protection and the lowest rate of false positives overall.

And just last week we found out that F-Secure Internet Security received the highest score in AV-Test.org’s latest test of the major AV products running on Windows Vista.

We’ve been humbled by these honors but we will not rest on them. In 2011, we look forward to improving our products even more. Because when it comes to protecting your irreplaceable content, information and relationships, excellence is the only option.

Thank you for your continuing support.

Cheers,

Sandra

4 security predictions for 2011

By Sandra

History is happening fast. 25 years after the first PC virus, computer security and social media are playing a starring role in breaking news all over the globe. Recently F-Secure Labs took a look back at the year 2010 in security. They also came up with a few predictions for the rest of this year.

Don’t worry. Skynet and its slave army of computers will be taking over in the next eleven months. Computer security is constantly improving and evolving to face new threats. We share these predictions in hopes of avoiding the worst. By keeping up with the evolving threats, you’ll know what you need to do to secure your digital life.

1. More attacks on older versions of Windows
With a PC that’s running an updated version of Windows 7 or Mac OS X, your computer security is pretty strong. “However that’s not what the world is running,” says Mikko Hypponen, Chief Research Officer at F-Secure.

“The most common OS used by computers anywhere in the world right now is Windows XP. And the security level of Windows XP isn’t very good at all.” Updated software with patched vulnerabilities is crucial for security. In fact, the oil spill in the Gulf of Mexico could have been caused in part by the failure of computers that were still using Windows NT 4 from 1996.

You can make sure your PC is patched and protected with our free Health Check.

2. Copycat attacks based on Stuxnet
Stuxnet may be the most significant malware development of the last decade. Just last week a Russian official said that he thought that Stuxnet is so dangerous that it could cause a new Chernobyl. “Stuxnet can attack factory systems and alter automation processes, therefore making cyber sabotage a reality by causing actual real-world damage,” says Mikko Hypponen.

Now that the proverbial cat is out of the bag, similar attacks can be engineered with less effort. “Unfortunately, it’s likely that we will see Stuxnet copycats in the future,” says Hypponen. For more information on Stuxnet, visit the F-Secure Labs Blog.

3. More mobile malware targeting the Android platform and jailbroken iPhones.
Android apps do not go through an approval process like those required by the iPhone App Store or the Signed by Symbian programs.

In 2010, we saw Android apps that posed as games while spying on users, apps that posed as banking apps with no official connection to the banks and apps that attempted to steal users’ banking credentials. In 2011, the assault on Android phones by individuals with an excellent understanding of mobile applications and social engineering will only get worse.

Jailbroken iPhones also present a unique opportunity for malware writers.

F-Secure does not recommend jailbreaking any device for any reason. The only iPhone worms we’ve seen so far only infected jailbroken devices and we expect that trend to continue or get worse in 2011.

“If a worm infects your iPhone, it could do anything you can do on your phone, and more. So it could destroy or steal all of your data. Track your location. Spam your friends. Listen to your phone calls. Dial the presidents of every country in the world. Anything. And you would pay for all the charges it would create, too,” says Hypponen.

4. Facebook spam goes global
Amidst news that global email spam levels have fallen suddenly, there has been an explosion of spam on social networks. Spam has become so prevalent that many Facebook users in the United States and the United Kingdom have begun to ignore it.

“What do you do when English speakers are increasingly desensitized towards Facebook spam? Language localization,” says Hypponen.

F-Secure Labs has already seen Facebook spam runs localized into Finnish along with runs that were popular in Sweden and Malaysia. As Facebook increases its anti-spam efforts, expect to see the spammers change their tactics and targets.

Cheers,

Sandra

CC image by Kenny Louie

6 ways to secure your mobile phone

By Jason

It’s 2011 and there are now more phones in the world than computers. Every day, more of these phones become smartphones AKA portable computers. Unfortunately, if your phone can browse the web and check email, you will be targeted by some of the same malicious attacks and scams that go after your PC.

Here are a few basic tips from the F-Secure Labs on how to secure your mobile phone.

  1. Keep your system updated
    An updated mobile operating system allows you to enjoy the latest and greatest features while protecting your information. Get rid of security holes or vulnerabilities by maintaining updated software on both your PC and your smartphone.
  2. Install a security application
    As your mobile device functions more like a mini computer, it becomes a more attractive target for hackers or thieves. A reliable security app safeguards your data, protects against threats and locates your lost or stolen phone. Here’s a quick video about our F-Secure Mobile Security, in case you’re interested.
  3. Watch where you click and land
    The mobile threats you’re most likely to face are scams and phishing attacks that will attempt to steal credit card information. Social engineering methods would be used to lure you into clicking on malicious links. Always check to see if a website starts with “https” before you enter sensitive information.
  4. Avoid shopping or banking on a public network
    Keep in mind that the public Wi-Fi that your phone is connected to might not be secure. Limit your activity to browsing and avoid committing any transaction that involves your account information.
  5. Get applications from trusted sources
    Part of the fun in having a smartphone is having an app for everything. There are plenty of applications out there, and some are offered through independent, unmonitored channels. Stick to app stores when you can. If you’re downloading an app from a third party, do a little research to make sure the app is reputable.
  6. Make it a habit to check each app’s data access on your phone
    Some applications may have access to your data or personal information. Be wary of access that is outside the scope or purpose of the application. A game application doesn’t need access to SMS (read, write and send), calling, phonebook entries and system files. If a game wants all that access, get a little suspicious. If you have any doubt about an application, do not install it.

Mobile security is a new concept for many people. So let us know what you want to know about the topic in the comments of this post.

Cheers,

Jason

CC image by Jacob Bøtter

How to protect your data privacy on social networks

By Jason

Studies have said public speaking makes as many as 3 out of 4 people anxious. But that was before Facebook.

The 650 million people on Facebook suggest that most of us are getting over—or want to get over—that fear of communicating (or at least sharing pictures) in public. In just a few years, Twitter, YouTube and Facebook have given billions of people the chance to connect to an audience they would never have had access to before.

But now that you’re becoming comfortable in public, you may begin to wonder: Am I revealing too much? In a world with the NSA, TMZ and Wikileaks, do I have any privacy? Is it possible to be a public person and still protect my information from being misused?

Friday January 28 is Data Privacy Day 2011, an international celebration of the dignity of the individual represented through personal information. Protecting your irreplaceable data is our mission and we take this mission very seriously. (Here is F-Secure’s Privacy Policy.)

The risks

The more visible, attractive or rich you are, the more you’re a target for the haters, the stalkers and online criminals of the 21st century. Heck, if you have a credit card, you’re a target for both the online criminals and unscrupulous marketers of the world.

Sharing personal information in an age where data can travel faster than lightning requires a 21st century view of data privacy. Some think it’s vain to worry about privacy. But don’t think about your ego, think about social engineering.

Wiktionary describes social engineering as “The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection.” Criminals have discovered that human error is the easiest vulnerability to exploit. If you’re not careful, your private data (or even public data) can be used to fool you into making mistakes that even your award-winning Internet Security can’t prevent.

Ignorance may be bliss, but it’s not an excuse. Once your private data is stolen, you’ll have to deal with the consequences. The good news is that you can do a lot to make your data more secure.

My nephew once told me, “Facebook is so easy that even old people can use it.” And by old people, he meant me.

I agree with my nephew. Most people who use social media don’t suffer significant negative consequences for doing so—or there wouldn’t be millions of new people trying it every day. Stories of people being fired or arrested for what they’ve done on Facebook are rare. But they get lots of attention because Facebook is the superstar everyone knows.

Only a small percentage of those on social media fall victim to the worst of identity theft, malware or scams. And that’s still too many people suffering needlessly—especially because most of these scourges are avoidable.

The lessons

If you learned to manage the benefits and risks of email, you can do the same for social media. Here are a few things you can do to help keep your private data private.

1. Decide why you’re social networking.
For some, social networking is an extension of your private life. You mostly interact with people you know or would like to know in the real world. The main topics of conversation are personal. Even when you delve into entertainment or politics or sports, it’s about sharing opinions to have fun and connect. Intimacy is the goal so private things are often shared nonchalantly. For instance, you might reveal what you did on a day when you played hooky from school or work.

For others, social networking is like interacting at a conference. You’re seeking out people in your industry or whom you admire. Conversation is like a cocktail party—being interesting and on-topic matters. When you talk about entertainment or politics or sports, it’s a way to network and establish trust. You want people to feel like they know you, but getting too personal too fast raises red flags. For instance, you may reveal what you did on your vacation but only in a way that you wouldn’t mind your boss reading.

For a growing number of people, social networking is a chance to build a little fame or fortune. You’re looking for an audience who trusts and enjoys you to the point you might even sell them things. You converse with fellow influencers and friends but you also broadcast for a targeted or general audience. When you talk about entertainment or politics or sports, you’re entertaining or engaging an audience while establishing expertise. You may share extremely private details or never talk about your personal life. Either way, you’re establishing a persona that’s relatable to the audience you’re trying to attract. For instance, you may reveal a joke a well-known person shared with you.

By the time you’re out of college for a few years, most people have tried out some variation of each of these approaches to social media. And your approach definitely affects your data security.

The rule is: the bigger the audience you seek, the more you have to think about the information you share.

All of us have to protect our ID, account and phone numbers, our address and our Mother’s maiden name. But if you’re an aspiring Disney star or class president, you have to think about which pictures you take—since you know they’ll all be posted eventually. And George Clooney probably shouldn’t use Foursquare to share his location unless he wants to spend his day shaking hands or filing restraining orders.

We all need to be cautious about sharing details that can be used to scam us. If you achieve, or accidentally achieve, fame, your privacy will become even more precious. So if you want to be internet famous, you need to be savvy about which information you share online—or you’ll have to hire people who are.

2. Secure your systems
Don’t use the default password for your voicemail or anything. Use strong, unique passwords for all your accounts. Don’t use work email addresses or passwords for social accounts. Put security software on your PC and your mobile device, if possible. Password protect your Wi-Fi networks. Turn on secure browsing on Facebook. Put a remote lock on your mobile phone. Always lock your PC and mobile devices when you aren’t using them. Keep your system and application software updated. (Our free Health Check makes that easy.) Turn off GPS on your phone and pictures if you don’t want strangers to know your location.

3. Choose services you trust
Any store, service or site that has your data should have a privacy policy. A key feature of a good privacy policy is that your data will not be shared or sold. By 2011, most reputable online businesses have privacy policies that make that basic promise. But in addition to privacy, you also have to trust that any organization you trust with your data has security that won’t be compromised. Quality can have a price. If privacy is more important to you than cost, you can buy dedicated email services that won’t serve you ads. Regardless of whether they charge or not, you should only use reputable online services you trust. Before you enter any data into any website, think, “Do I trust this organization?” If there’s any doubt, ask others what they think.

4. On a social network, your information could be shared with everyone–no matter what your privacy settings are.
Twitter is simple. There are two privacy settings: everyone or “Protect my tweets”. But even if you go with the protected option, your approved followers can still retweet your information to everyone. Facebook’s privacy settings are much more complex. They’re so complex that it almost feels like you should get college credits for really using them. Going with “Friends Only” is a good start, then you have to decide if you want your page on Google (if you don’t want your Facebook page to show up on Google, go to Account > Privacy Settings > Apps and Websites: Edit your settings > Public Search: Edit Settings > Uncheck Enable public search) and if you want to automatically share your information with other websites.

The safest rule is: get your settings right and still assume that what you post could go public, so only share information you wouldn’t mind a future boss (or fan) seeing. NEVER share information that could be used to crack your passwords. Also keep in mind that the information you’re sharing could be used by identity thieves and social engineers.

5. Be available or don’t
There is a difference between following and friending people. You can follow a lot of people but our brains can only handle around 130 friends. Rejecting or ignoring friend requests can be emotionally difficult, but your privacy is more important than others’ feelings. I say follow anyone on Twitter but on Facebook I’d recommend only befriending people you know or trust. And realize that the person is your friend, not their links. If anyone begins to spam you, let them know the problem. If they keep spamming, unfriend them. If anyone harasses you at all, block their communication. If you’re threatened, contact law enforcement.

You have the right to keep your private data secure while living your digital life to the fullest. All you have to do is respect your own data privacy and do your best to make sure that the people and businesses you interact with do the same.

Cheers,
Jason

CC image by Sudhamshu Hebbar

Join Mikko on a Brain Adventure

By Sandra

Do you remember these things?

They’re 5.25-inch floppy disks. And if you’re under twenty-five years old, you’ve probably never used one as anything other than a coaster for a drink.

But back in the 1980s, these beauties were the state of the art. The forerunner of 3.5-inch disks and CD-ROMs, floppy disks usually held less than one megabyte of data, which meant you could get carpal tunnel taking disks in and out. In fact, if you were going to install Windows 7 using 5.25-inch disks, you’d need 2,084 of them.

In January of 1986—exactly 25 years ago—the first ever PC virus ended up on one of these disks. The virus was called Brain and it was created by “Basit and Amjad” in Lahore, Pakistan. Of course in 1986, there was no public Internet, writing viruses was legal and only science fiction writers and IT experts were worried about the threat of self-replicating computer programs.

Did Basit and Amjad have any idea what kind of phenomenon they were sparking?

F-Secure’s Chief Research Officer Mikko Hypponen has decided to travel to Pakistan to interview the creators of Brain. He’ll find out what they’re doing now and how they feel about the development of computer viruses over the last 25 years. And he’ll be documenting his trip on film and through his Twitter account.

We’d love for you to participate in this adventure. Do you have a question you’d like to ask the creators of Brain? Post it here. Mikko will be taking the best ones with him.

You can also expect lots more information about Brain and 25 years of PC viruses over the next month. We’ll be looking back on the digital world that Brain helped create and forward to a more secure future. And we hope you’ll join us.

Cheers,

Sandra

How to protect yourself from malware

By Jason

Hackers or crackers or online criminals—whatever you call them—are working every minute of every day creating new malware that scams users more effectively. But most of these threats are new arrangements of old tunes. So with the right protection and a little savvy, you can avoid just about every digital threat you face.

(Note: This article is for busy Internet users who are looking for information on how to protect their PCs and their families from malware. For more about the technical side of malware, read Alia’s excellent series “A quick & dirty guide to malware”.)

What is the threat?

The first malware typically vandalized PCs and destroyed files. But since the early 2000s, the primary motive for malware creation has been profit. Online criminals are after your banking information or your credit card numbers or your computer’s processing power. In the worst case scenario, they may even be after private information that could be used to extort you or harm your business. And these sorts of attacks generally have both financial and psychological costs.

The true costs of malware can include your data, your content, your time, your effort and your heartache.

Want a few examples of malware mayhem? Spyware tracks you for advertising purposes and slows down your computer doing so. Keyloggers monitor your every keystroke in an effort to steal your credit card information. Scareware imitates anti-virus software in an attempt to extort a quick payment from you. Ransomware takes your files and demands a ransom in return. Rootkits can turn your PC into a zombie computer and use it to send out email spam or to host illegal materials or to join in attacks on websites. There’s even malware that exists just to create a fake login page for your bank’s website to steal your account information.

How does malware end up on your PC?

Generally you end up with malware because you installed it. And whether you installed it or not, malware can only work if the program runs without being shut down or deleted.

Malware works like most scams — it requires some conscious or unconscious help from its victims. Thus online criminals have to know more than computer coding. They have to know what mistakes users are likely to make so they can trick people who have probably NEVER fallen for a scam in their real lives. And the best criminals can convince even cautious users to make one wrong click.

How do you end up downloading and installing malware? Sometimes malware gets packaged in with more legitimate software. Sometimes simply clicking on a fake error message can trigger a drive-by malware download. And you’re certainly aware of the classic method of disguising malware in an email attachment.

You put yourself at risk when you’re downloading from a disreputable source or a peer-to-peer network of strangers. Seeking out “free” stuff on the Internet can cost you time and money. And this is especially true if you’re browsing and downloading without proper protection.

How to protect yourself from malware

1. Make sure your PC is updated and secure
I hope you’re reading this sitting down because I have quite shocking news for you: the software on your PC isn’t perfect. It may contain exploits or security holes that make it possible for your machine to be infected easily. Software companies know their programs are not perfect. That’s why they release updates. Microsoft, Apple and Adobe all release dozens of updates every year. You need to make sure these updates are installed on the applications you run, or you’re increasing your risk of infection. Our free Health Check software is a quick and easy way to make sure your PC is protected.

Of course, we also recommend always running updated Internet security that includes anti-virus, spyware and firewall. Browsing Protection is another layer of security that can keep you from clicking on the wrong links. If you don’t have Browsing Protection, you can use ours. Check any link for free.

2. Be very skeptical of random pop-up windows, error messages and attachments
Modern browsers have reduced the burden of pop-up windows. But they do still exist. Most pop-ups are far more annoying than harmful. But you might think of pop-ups like broken windows in a neighborhood you were walking through at night. They're a sign that you should be on guard.

Avoid clicking on any pop-ups that imitate your Windows error messages or error messages that come up when you try to close out of a page. (Force quit out of the program, if necessary.) If any software begins to install itself, close out immediately and run a scan with your Internet security software. You can also use our Online Scanner for free.

Avoid opening attachments at all unless you were expecting them and they come from a source you trust. If you can’t verify the source or feel anxious about a particular attachment yet have to open it, you can download it to your hard drive and have your updated Internet security scan the file before you open it.

3. Remove spam from your life
If you get a piece of spam, let your mail software know. Identify it as spam. You could also unsubscribe, but unsubscribe links have been used on rare occasions to trigger a malware attack. Better to let your software handle it. If you have a friend on Facebook who spreads spam or bad apps, let them know. And if they continue spreading spam, unfriend them. You are responsible for your social network. Refuse to associate with those people who are not responsible for theirs.

4. Think thrice before installing any new software
Installing software should never be an impulse decision. Some people say think twice before downloading any software from a source you do not trust 100%. I say think three times.

At the very least, Google the name of a product you want to install. If you’re at all uncertain about whether to click download, consult with a tech savvier friend or your company’s IT guy.

When you install software, you could invite in a nasty predator that won’t leave until it’s done some serious damage. So think about installing software with a bit of the same sort of caution you use when deciding to let someone into your home.

5. Behave online as you would in real life
There’s an old saying in my family: “Don’t go licking the floors of a hospital.” What it means is: “Use your common sense.” You have a natural sensor in your brain that tells you when something feels dicey or unsafe. Trust your gut.

With the right software running and a willingness to step back when you feel uncertainty, you can keep your PC and your life malware free.

Cheers,
Jason

CC image by Anonymous9000


“How Long?” Sweepstakes: Win a Canon PowerShot SX130 IS


By Sandra

This sweepstakes is closed. Please follow us on Facebook for more giveaways in the future.

I recently laid out my Digital Resolutions for 2011. But I didn’t mention our resolution for this blog and our Twitter and Facebook pages.

F-Secure is all about the freedom to feel safe so that you can do what you need to do online. Most importantly, we want to help protect the irreplaceable time, effort and money you’ve invested in your digital content.  That’s why our New Year’s Resolution is to be more useful to you.

And to help you protect what matters to you most, we need your input. That’s why we’re inviting you to enter our “How Long?” Sweepstakes.

For your chance to win a Canon PowerShot SX130 IS, all you need to do is to read the rules and post your answer to the following question in the comments of this post: How long have you been following F-Secure?

You could have found out about F-Secure through the work of Mikko and the Labs. Or maybe you found us on Facebook or Twitter or through this blog. Or this could be your first interaction with us — if so, welcome! We’d just like to know how long you’ve been following F-Secure.

Thank you for following us and thank you for your time.

Cheers,

Sandra

CC image by sporst

F-Secure Internet Security 2011
HOW LONG? SWEEPSTAKES – COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 8:15 AM PDT on January 18, 2011 and end at 12:00 PM PDT February 1, 2011.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes — 1 Canon PowerShot SX130 IS with a retail value of $249.99 and 1 F-Secure Internet Security license with a retail value of $59.99 — will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries per person per Sweepstakes will be accepted. Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “How Long? Sweepstakes”. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 45 days of making successful contact with the winner.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2011/01/18/how-long-sweepstakes/ and comment on the post once or twice. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified at the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with i) the distribution of any prize, ii) entrants’ participation in and/or entry into the campaign, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14. Employees of Sponsor and family members of such employees are not eligible to enter.

© 2011 F-SECURE CORPORATION. ALL RIGHTS RESERVED.



Why in the world would anyone believe that Facebook is shutting down?


By Jason

No. Facebook isn’t going to shut down on March 15, 2011.

No! Facebook isn’t going to charge. Ever.

NO! There’s no way to see who has visited your profile!

Some Facebook rumors catch fire and spread. Often the rumors make no sense. Take the insane idea that Facebook would turn off the billion dollar cash hose it has connected to your lives. How about the delusion that Facebook would ever commit suicide by suddenly charging you for the right to turn your life into an ultra-compelling way to sell ad space?

At least the idea that Facebook would let you see who clicked on your profile makes some sense. And it appeals to our most profound voyeuristic/narcissistic instincts. Yet it has been debunked so many times that it has become a zombie lie that will not die.

It’s shocking when you see some of the lame crap that goes viral on the world’s largest social network.

You probably have the same thought I do every time I see a new Facebook spam run: Who is clicking on this crap? And the answer is: enough people to make it worthwhile for the spammers. With Facebook’s 550 million plus active users, spammers just need to catch a fraction of a percent to score big.

Facebook is all about connecting, all about other people’s business, all about finding the most sensational things fast. In some ways, Facebook is a machine built to spread rumors. The question then is: why isn’t it also built to crush silly rumors?

Part of it may be brain science. Some scientists say that if we’re told not to think of an elephant, we immediately think of an elephant. So negating rumors sometimes has the opposite effect it seeks. However, we can all be antibodies used to fight the infections of nonsense that we come across daily.

Here are four reasons why I believe rumors spread so quickly on Facebook.

1. The MySpace mentality
MySpace taught most of Facebook’s first users how to use a social network. And at times, MySpace seemed like a game to gather as many “friends” as possible. Heck, people got famous on MySpace for having a lot of friends. (Many people believe this despite the fact that almost all the MySpace breakout stars—Dane Cook, My Chemical Romance, Tila Tequila—made fantastic use of TV and radio to supplement their Internet fame.) Not everyone was trying to get famous, yet MySpace taught users to make friends with anyone. And these loose binds still exist for many Facebook users. And when you’re trying to think of something to talk about with a stranger, rumors are perfect. However, MySpace may have taught us that communities with these kinds of loose binds do not last.

2. Facebook is a superstar
Facebook is the superstar everyone knows. It’s beyond a phenomenon. Its growth requires epidemiologists to understand and the way it’s ingratiated its way into our lives so quickly and drastically is unprecedented. It’s like Justin Bieber multiplied by Google squared by the iPhone. They even made a movie about it…him…whatever. And the way rumors spread about celebrities, they spread about Facebook on Facebook.

3. Facebook requires users to be spam filters
People are the best spam filters. By harnessing people power, we’re able to prevent lots of spam email from ever getting to you. And Facebook is actively fighting spam with new functionalities and by pursuing the worst offenders. But when the numbers are as huge as they are on Facebook, you have to trust a lot of people to filter out the nonsense. And if your friends pass on spam runs and you don’t alert them or unfollow them, the problem keeps getting worse.

4. The spammers are smart
They follow the news. One day you hear millions of people Facebook from bed, the next day there’s a run about insomnia cures. Who doesn’t want free gift cards or shocking videos of what that kid found her doing? Some spammers are tapped into our deepest desires and on Facebook they’ve found a new way to make that ability pay.

If you still use Facebook knowing all these things, you can definitely enjoy the incredible tools the site offers while filtering out the bad stuff. But if you’re going to close your account, please do it properly.

Cheers,

Jason


11 Digital New Year’s Resolutions for 2011


By Sandra

It’s already January 5, so many of us have already broken our New Year’s resolutions. But in a digital world, you can always hit the delete button and start again.

Of course, we all want to do more healthy stuff, quit smoking, go to bed earlier, avoid stress, bike more and drive less. But what about your digital life? We spend so much time in front of our computers that we have to be smart about it.

So here are my digital resolutions to make 2011 safer, savvier and a little more fun. Feel free to borrow any or all of them.

  1. Use and remember strong passwords.
  2. Wondering why the Manolo Blahniks are so cheap on that website? It could be a scam. Look twice before buying something online. Is the shop trustworthy? Has the shop gotten good ratings? Is the site secure?
  3. Clean up your online friends. Only be friends with people you know and unfriend anyone who constantly sends you Farmville requests.
  4. Log out from any online accounts when not using them–and always lock your screen (and your phone). Don’t make it easy to accidentally send an email about your hangover to the whole company.
  5. Don’t do any online banking on public Internet terminals—even if the landlord is waiting for your rent.
  6. Let your credit card company know if you’re traveling abroad.
  7. Don’t fall immediately in love with every new device Apple launches in 2011. It’s not necessary to have a complete collection of every iPod or iPhone generation…
  8. Don’t write text messages or read emails while driving – not even at red lights.
  9. Ski jumping on the Wii is for wimps. Do some real-world sports.
  10. Watch some local news on TV – in real-time and not on the Internet or a DVR.
  11. Start a social media diet: Limit the time you spend on social networks and meet up with friends in the real world more often – because it’s healthier ;-)

Cheers,

Sandra

CC image by Tsutomu Takasu


How to protect your Facebook account from hackers, spammers and clowns


By Jason

If you’re like the average Facebook user, you have 130 Facebook friends. Those friends may include your mom, your best friend from 5th grade, your boss. (If your friends list includes people you don’t know, you should audit your account right now.)

Now, what happens if your Facebook account is taken over by a spammer or a scammer? Or maybe a disgruntled ex gets control of your profile and starts posting shameful things on your friends’ walls. Could you brush it off and tell yourself, “It’s just the Internet. Who cares?” Probably not.

Hackers are out there—helping each other to take advantage of lax security. So here’s what you need to know to keep strangers out of your account. If you’re in a hurry, the most important information is on top.

The Basics

Use a strong password and don’t let your browser remember it
Your password is the key to your Facebook castle. If it isn’t strong, if it includes things that your friends and exes can guess, you’re leaving your drawbridge wide open. Creating and remembering strong passwords isn’t easy. That’s why we recommend this simple system.

And tell Firefox, or whatever browser you use, that you don’t want it remembering your passwords. Don’t make life easier for hackers. (To clear your passwords in Firefox, go to “Tools” then “Clear Private Data”, then close and reopen Firefox.)

Use unique passwords for all of your important accounts (and update them whenever you go to the dentist)
For any account that really matters—your email, your bank and credit card accounts, Facebook—you need to use a unique, strong password that you do not use for any other account. Whenever a site is hacked, you see that this creates a security crisis across the Web. Why? People reuse passwords. Don’t be one of those people.

And yes, you should update the passwords of your most important accounts. How often? Some say every month. Some say every few months.  How about whenever you’ve just gotten home from the dentist? You’ll be in the mood for a little pain. And if you’re the kind of a person who sees a dentist more than twice a year, you should be as careful with your passwords as you are with your teeth.

Of course, if you notice any suspicious activity in your account, change your password immediately.

Make sure your system software and Internet security are updated
All the security in the world won’t help you if your PC is infected with a keylogger that can track every letter you type. Updated system software and Internet security can’t stop you from making security mistakes. But they can prevent most of the common attacks out there. Our free Health Check will tell you if your PC is protected.

Watch where you click and watch where you land
Cybercriminals have mastered a devious method of stealing passwords: they ask you for them. This method is called Phishing and it works because it’s easy to make any webpage in the world look official and reputable. A page that looks just like a Facebook profile can be replicated in minutes. That’s why you always need to check the URL in your browser to make sure you’re on Facebook whenever you enter your private information. And if you ever have any doubt about something that has been posted in your newsfeed, follow the Golden Rule of Social Media Security and don’t click.
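
The URL check described above, written out as an added example that is not part of the original article: it parses each link the way a browser does and accepts only the expected domain or a real subdomain of it. The expected domain, the function names and every sample link are constructed for illustration.

```javascript
// Added example (not from the original article). The expected domain and
// every sample link below are constructed for illustration.
const EXPECTED_DOMAIN = "facebook.com";

// Decide whether `link` really points at `expectedDomain`.
// Returns { ok, host, reason } so a caller can show why a link was rejected.
function checkLoginUrl(link, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(link); // WHATWG URL parser, the same rules browsers apply
  } catch {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }

  // The parser already lowercases the host; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");

  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not served over HTTPS" };
  }
  // In "https://facebook.com@login.example/" the real host is login.example.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, host, reason: "text before '@' is a user name, not the site" };
  }
  // Non-ASCII host names are converted to "xn--" labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "internationalized host name, may use lookalike letters" };
  }
  // Exact match, or a subdomain. The leading dot matters: without it,
  // any host that merely ends in the same letters would be accepted.
  if (host === expectedDomain || host.endsWith("." + expectedDomain)) {
    return { ok: true, host, reason: "expected domain or one of its subdomains" };
  }
  const brand = expectedDomain.split(".")[0];
  if (host.includes(brand)) {
    return { ok: false, host, reason: "brand name appears in the host, but the domain is different" };
  }
  return { ok: false, host, reason: "different domain" };
}

// Constructed sample links: one genuine, the rest common lookalike patterns.
const SAMPLE_LINKS = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "https://facebook.com.account-check.example/login.php",
  "https://facebook.com@login.example/",
  "https://login.example/facebook.com/login.php",
  "https://f\u0430cebook.com/login.php", // second letter is Cyrillic U+0430
];

// Check a whole list and keep the link next to its verdict.
function auditLinks(links) {
  return links.map((link) => ({ link, ...checkLoginUrl(link) }));
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(`${r.ok ? "OK    " : "REJECT"} host=${r.host} (${r.reason})`);
}
```

The part of the address that matters is the host name read from the right-hand end; the path, and anything before an `@`, can say whatever the page's author likes.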

Always log out
You’re not keeping hackers out by staying logged in. They still can get in and you’re leaving your account open for a snarky co-worker or invasive family member to pry. And once someone is inside your account, they can change your password to keep you out.

How To Make Sure You Can Get Your Account Back If It Is Hacked

If you start using a new email account, update Facebook settings
If your account is hacked, you need access to the email account you have in your settings. If you can’t get into that email because it’s closed, you’ve just greatly limited your chance of recovering your account.

Do what Facebook recommends
Facebook now rates how secure your account is. It’s a powerful feature, as long as you take it seriously. If your account “Overall Protection” is rated “low”, Facebook will prompt you to add some information. Do this!

Add a secondary email
Facebook asks for a secondary email. This helps Facebook because now it will be able to connect you with more friends. And it helps you if you ever lose access to your primary email, or if your primary email gets hacked. So only add a secure email account with a unique password.

You can add your secondary email by going to “Account” > “Account Settings” > Find “Email” and click on “change”.

Add your mobile number
Adding your cell phone number gives you a secondary way to claim your hacked account. It also gives you the ability to get one-time passwords, which I’ll explain later. To change or add your mobile number, go here. On that same page, be sure to edit your notifications or Facebook will be texting you nonstop.

Keep in mind that your Facebook account security now depends on your mobile security, so I recommend that you have some way to lock or wipe your phone if you lose it. Our Free Anti-Theft for Mobile does just that.

Add a strong security question
Make sure you choose a question that only you can answer. The last five digits of your driver’s license are probably a better answer than the name of your first pet—since your friends and family may know that. The worst answer, of course, would be one that a stranger could figure out by looking at your profile.

For Extra Protection

Activate Account Protection
Want to be notified whenever a new computer logs into your account? Activate Account Protection.

Why would you want to do this? Because if someone gets into your account on a device you don’t recognize, you can login to Facebook and “end activity” on that login. Then you can, hopefully, change your password before the intruder does.

Once you activate this feature, you’ll have to identify every device you login from. It’s slightly annoying, but it gives you the kind of control of your account that will keep your account safe.

To activate Account Protection and “end activity” on any Facebook sessions you didn’t initiate, go to “Account” > “Account Settings” > Find “Account Protection” and click on “change”.

Use One-Time Passwords on public computers
If you use Facebook on public computers, such as at school or the library, you should use Facebook’s One-Time password feature. On a public computer, you have no idea what kinds of programs are running that could be used to log your account information. By using a unique password each time, you remove the risk that your credentials will be stolen.

To do this you need to set up and verify your SMS number. Go here and add in your mobile number. You’ll then need to verify the number by entering a code that will be sent to you. Once this is done, you can send a text message to 32665 with the message “otp” whenever you’re about to login on a public computer. Your One-Time Password will work for 20 minutes after you receive it.

Follow us on Facebook for more tips on securing your account.

Are there any special methods you use to keep your account safe? Post them in the comments.

Best,

Jason


Why free Anti-Theft for Mobile should be the first app you put on your new phone


By Sandra

Winter Solstice has passed. Now the days are getting longer again and Christmas is almost here. Hopefully your holiday will be filled with love, joy and a nice gift or two.

If you find an Android, Symbian or Windows Mobile phone under your tree, we have a gift for you: free Anti-Theft for Mobile.

This app protects your information and locates your lost phone. Some have called it a “must have” application and over a million people have already downloaded it from Nokia’s Ovi store.

Right now, for a very limited time, you can get our Mobile Security suite for free. It includes Anti-Theft and is our special Christmas gift to 5,000 of our fans and followers.

There’s no reason not to install Anti-Theft right away. In fact, here are several reasons why you should install it right away:

  • It will help you find your phone under that wrapping paper
  • You can locate your kid, who secretly took your brand-new phone to play around with it
  • Anti-Theft will help you easily locate your mobile if you lose it during a New Year’s Eve party – and you might be surprised where you have been
  • If your grandma gets a hold of your phone and starts going through your messages, you can lock it with one text
  • You can tell the mountain rescue service exactly where to find it if you get lost while skiing

We think everyone should have Anti-Theft—especially Santa. How else will he know which chimney he lost his phone in?

Of course, Anti-Theft is the kind of gift we hope you never have to use. But we hope it brings you some peace of mind as you celebrate with the ones you love.

And if you have any other reasons why Anti-Theft should be the first app you put on your phone, please post them in the comments.

Cheers,

Sandra


F-Secure Wins AV-Comparatives Whole Product Test


By Sandra

It’s always nice to end the year with a little good news. And we just got some great news.

F-Secure has won the Whole Product Test from AV-Comparatives while achieving another Advanced+ award — our seventh this year! That makes us the security vendor with the most awards from AV-Comparatives in 2010.

The Whole Product Dynamic Test is conducted by AV-Comparatives and the University of Innsbruck. It looks at all the features in a security product that contribute to protection.

We’re proud that in this test F-Secure blocked more malware than any other vendor. It shows that we’re living up to our commitment to protecting the irreplaceable on your PC. If you are not yet protected by F-Secure, we invite you to try out our award-winning protection for free.

Cheers,

Sandra


New Facebook Profiles: What You Need to Know


By Jason

Facebook’s new profile is now being rolled out to all users. The new design has already given some an artistic new way to express themselves. But to the millions of us who rely on Facebook even more than email for digital communication, any change on Facebook leaves us wondering: What’s the catch?

The new profile doesn’t create any NEW privacy problems. However, it does take one existing privacy problem and make it more annoying.

Here’s what you need to know now:

1. Your privacy settings haven’t changed. But you should check out how your new profile looks.
The same people can see the same things. However, certain information—your birthday, education and professional experience—and the pictures you’re tagged in will be much more prominent in your new profile.

You can quickly hide these photos and information, or, with a little effort, adjust your settings so only you can see them. But once you have the new profile, you should go to Account > Privacy Settings > Under “Connecting on Facebook” click “View settings” > Click on “Preview My Profile” to see how most people see you.

2. Facebook’s photo and video tagging is annoying. And now that is more obvious.
The only way to stop a Facebook friend from tagging you in a photo is to unfriend that friend. With the old profile, you probably didn’t notice or care about this feature. You’d get an alert that you’ve been tagged in a photo and that a photo you were tagged-in had received a comment. Some users tag their friends in an image they are not in just to get them to look at and comment on said image. Some users tag friends in silly or gross images as a joke. Basically it’s an unsecured feature that is easily hacked for fun/mockery.

And the potential annoyance of this tagging tool wasn’t a big deal until Facebook put tagged photos at the top of your profile. Now, one funny or chemically imbalanced friend can decorate your profile with ridiculous images.

So now you have three choices:
a. BEST CHOICE: Only friend those whom you really trust.

b. Customize your privacy settings for “Photos and videos I’m tagged in” to “Only Me”.
To do this go to Account > Privacy Settings > Click on “Customize Settings” > Under “Things others share” and “Photos and videos I’m tagged in”, click “Edit Settings” > Under “Who can see photos and videos I’m tagged in” select “Customize” then “Only Me”. You can also exclude certain friends. But if you do that, you may end up having to find this stupid setting again.

c. Use Facebook Groups. But this is complex and not foolproof.

Allowing users to tag their friends is a unique feature that has helped Facebook become the world’s largest photo sharing site. This feature will probably never be eliminated. However, Facebook could make opting out of it much simpler. A good model would be what Facebook did with Facebook Places. The first time a friend tagged you in a Place, Facebook asked if you wanted to allow friends to tag you. (Another method would be to allow users to block certain friends from tagging them in photos or videos. But this is again complex and not foolproof.)

3. Your birthday is now more obvious, so please do not use it as a password ever for anything.
Facebook has taken one of our prime identifying pieces of personal information and made it a minor holiday. Even if you don’t allow anyone but friends to see your birthday on Facebook, your birthday messages may show up on your profile and in friends of friends’ Top News—especially if you and your friends broadcast your activity.

So, fine. People know when you’re born. That would be fine, if there weren’t potentially millions of people using their birthdays as PIN numbers for their ATM cards. Here’s a simple system for creating and remembering strong passwords.

4. You may want to hide your work and education experience.

Your “experience” is now at the top of your profile. If for any reason you would like to keep this professional information from being so prominent in your online life, you need to change your sharing settings to “Friends Only” in general, or go to Account > Privacy Settings > Under “Connecting on Facebook” click “View settings” > Under “See your education and work” select “Customize” then “Only Me”.

5. Facebook is taking on LinkedIn (and possibly another new Google social network.)
You don’t have to be THE social media guru to figure out Facebook’s master plan. Not only do they want to integrate Facebook into every aspect of the web, they want your Facebook profile to be your ONE profile on the web.

To make your profile central to your web identity, Facebook has to stay ahead of potential competitors like Google (the search engine giant is rumored to be launching some sort of direct Facebook competitor in 2011) and to replace (or absorb) any existing sites that might offer an alternative to Facebook.

Now that MySpace lost, it seems Facebook’s next target is LinkedIn. LinkedIn is a virtual resume/business networking tool for about 50 million people around the globe. Facebook’s new profile seeks to make your profile into more of a business card—not quite a résumé, yet. But it’s clear that Mark Zuckerberg and his crew recognize the value of making Facebook valuable to your professional needs, and Facebook’s audience is getting a little older (and more professional) every day.

Facebook’s new profile emphasizes Facebook’s dominating strength—photos—while revealing its strategy for the future. If you’re going to keep using Facebook, as a half a billion “friends” do, it’s always worth spending a little time thinking about how Facebook sees you.

Look out for those tagged photos,

Jason


Get Real Sweepstakes: Grand Finale – Win a Nokia N8, Mobile Security and Internet Security 2011


By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. LIKE our Facebook page for more giveaways and online safety tips.

This time of year, people all over the world are getting together to celebrate the people they love. And we’d like to use the grand finale of the Get Real Sweepstakes to thank you for letting us help protect your irreplaceable content, relationships and time.

Throughout this year, we’ve shared a lot of the best tips we have for protecting yourself online:

And this leads us to the last Get Real question: What is the best online security tip you’ve heard this year?

Choose from one of our tips or from another source you trust (which we can’t vouch for, of course). Read the rules and post your answer in the comments below for your chance to win a Nokia N8, and F-Secure Mobile Security and F-Secure Internet Security 2011.

Here’s a little peek at how our Mobile Security will protect the winner’s phone:

You have until January 1, 2011 to enter. So best of luck and here’s to a wonderful holiday season for you and yours and a very happy 2011.

Cheers,

Sandra

CC image created by bfick.


How to Audit Your Facebook Account: 3 Ways to Make Your Friends Safer


By Jason

Did you see any spam in your Facebook feed today?

Has it gotten so that every day you see some strange application posting random updates in between updates from The Onion and your brother’s best friend?

Maybe you just haven’t turned off Farmville, yet?

Or perhaps you’re one of the three out of four Facebook users who are bothered by social networking spam. If that’s true, there’s a good chance you agree with the nearly 50% of Facebook users we surveyed who deal with spam frequently.

With the help of you and the readers of this blog, we’ve just completed a study about Facebook safety.

What we found is that spam is getting pretty pervasive on Facebook. However, users still generally feel safe on the site, which is crucial to Facebook’s growth. Despite the spam, people continue to spend more and more time social networking. Even the major security concerns—account being hacked and identity theft—suggest that users closely identify with their Facebook profiles. And we feel safe because we trust our friends. Yet crooks and spammers and frauds are looking to take advantage of our trust.

Here are three quick ways to keep your and your friends’ worst Facebook security fears from coming true.

1. Audit your friends list
We found that around half of Facebook users say that they know most of their friends. 15% know only a few or none of their so-called friends.

‘Know’ could be an old-fashioned way to look at it. Many people have Internet relationships that have lasted more than a decade without meeting in person. Trust is more important. Do you trust this person enough to share your life with him or her? Is there any reason not to? You can always choose what you share. But you can’t choose what ends up in your news feed for you to accidentally click.

To audit your friends, go to your Profile, scroll to Friends and click See All. Ask yourself if you know and trust this person. If you aren’t sure, go to his or her profile. If they post lots of updates that you’re not interested in or that worry you, scroll down the left-hand side till you get to “Remove from friends”. Click.

As you audit your list,  if you see a single woman with a revealing profile photo who has no friends in common  with you, chances are you’re friends with a spam profile.

2. Audit your applications
Got a minute? Do yourself a favor and log into Facebook. Go to Account > Privacy Settings. Under Applications and Websites, click Edit your settings.  Take a deep breath. Now you can either Turn off all platform applications or Remove unwanted or spammy applications. Do one or the other.

If you turn the platform off, you’ll be free of most Facebook spam, but you won’t be able to use any applications at all. So if you choose to use applications, you need to go through and remove any app you do not use or trust. You can also block spamming apps as they come up. And once a spammy application is removed, you make your network a little safer. If you come across a spamming app, please report it.

(Bonus tip: The single best way I improved my Facebook experience was to hide the notifications from Facebook games. Here’s how to do it. I’m not a gamer, so it was an easy choice for me. And you can always block games as they appear in your feed.)

3. Remember: Links are not your friends.
Your friends are your friends. They post links. Those links are probably safe. But your friend may have activated a spam application or accidentally posted something he or she hasn’t checked. Use your intuition. If your aunt suddenly uses OMG or LOL for the first time, she may have been clickjacked. If something in your feed alerts you to something particularly scandalous—like a girl caught on a webcam or the ability to see who has viewed your profile or any profile—it may end up leading to a scam or malware. And if you click on it, you’ll spread that nasty little deal to your network. You can check any link with our free Browsing Protection. It’s another layer of protection, but the best protection will always be your intuition. So always check your gut before you click.

Conclusion

One of the most interesting things to me about Facebook is how clearly it demonstrates the social nature of online threats. When anyone in our network gets infected, you’re more likely to get infected. By helping to keep your network safe, you keep yourself safe. So there are selfish reasons to be safe on Facebook.

But I don’t believe people on Facebook are especially selfish or narcissistic. Research says we actually tend to be more social than those who abstain from Facebook.

Sean Sullivan of the F-Secure Labs has compared the members of social networks to antibodies that can be used to prevent infections quickly. On Facebook, you create your network. There is no one and nothing in your news feed that doesn’t come from someone or something you ‘liked’. If the entire Facebook experience is based on ‘like’, we should like each other enough to protect each other.

Cheers,

Jason



Why removing rootkits is such a pain


By aliafs

Someone once made the comment, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”

That was in 2005, when rootkits were an unknown menace for most users. Nowadays, that isn’t quite the case any more, as the number of rootkit infections has exploded in the last few years and led to more media coverage. In any case, you know a piece of malware has reached evil superstar status when it warrants its own ‘For Dummies’ book.

In the beginning (as in the late 1980s), rootkits were standalone toolkits that allowed hackers to gain root, or administrative access to a computer system (hence the name). Today, the term is usually used to mean programs, codes or techniques that are used to hide malware on a computer.

I’m not going to dwell much on their history or workings (though if you’re interested, Alisa Shevchenko over on Securelist has an excellent article on rootkit history). Instead, I’m going to focus on one particular aspect of rootkits that’s been irritating the daylights out of our Support and Analyst folks recently – why are they so difficult to remove?

Why worry?

Media reports tend to hype ‘rootkits’ as the next big evil in computing, but it’s a bit more complicated than that. For one thing, rootkit tools, coding or techniques aren’t strictly illegal, or even undesirable – perfectly legitimate commercial applications use them to the benefit of users. It also doesn’t help that security vendors don’t have a uniform approach to rootkits; some consider all rootkits as a type of malware, while others shade their evaluations depending on whether the rootkit-like behavior is in a commercial software (in which case, the program may just be potentially unwanted).

Personally, I find it more useful to think of rootkits as operating system controllers. Their entire purpose is to burrow deep into the operating system’s files and subroutines, latching onto and modifying specific processes to gain control over the system. The processes targeted will vary depending on the system and the rootkit in question, but the end result is the same – the rootkit is now in a position to direct the system’s actions for its own ends; it’s become the puppeteer to the computer’s marionette.

Rootkits have been around a long time, but they only really became a major concern for most users when malware authors found ways to incorporate rootkits into their malicious programs. And for most security professionals, rootkits are considered one of the most troublesome threats to deal with.

How does the rootkit gain so much control?

A rootkit’s defining characteristic is that it has administrative access – its commands are accepted by the operating system as though they were its own. How this access is gained is another story – a separate trojan may exploit a vulnerability to gain access to an administrator account, or a worm might steal the necessary passwords, any number of things. However the access is gained, the end result is that the rootkit is installed with admin rights, and from there proceeds to do its dirty work.

Rootkits use their privileged access to control the operating system itself, mainly by intercepting and modifying the commands it sends to other programs and basic system activities. Slightly more technically, rootkits usually manipulate various application programming interfaces (APIs), or the subroutines used by the operating system to direct operations (at least, in Windows).

An important point to remember is that these APIs are built-in features of the operating system. They may be undocumented, or rarely used – but commands made through them are perfectly legitimate, and recognized and treated as such. These APIs can involve and affect every activity performed on the computer, from the mundane (e.g., displaying a folder) to the most fundamental (e.g., booting up).

There are various types of rootkits based on how deeply they can penetrate the operating system to control its most basic processes (if you want to get more technical,  Joanna Rutkowska has a good article), but in every case, the key idea is the same – commands sent by the operating system can be viewed and countermanded by the rootkit, if necessary; likewise, requests coming from other programs or system processes are checked and filtered by the rootkit before they reach the operating system.

Not like other malware

To illustrate why a rootkit’s manipulation of APIs is significant, let’s compare it to other malware. When a trojan or virus infects a computer, its interactions with the operating system will usually fall into one of two strategies:

  • Strategy 1: Uses the operating system’s standard procedures to run it
  • Strategy 2: Exploits a vulnerability (a flaw or loophole) to execute malicious code

Note that strategy 1 involves the malware functioning just like any other program – its processes and files are visible, the instructions between operating system and program are ‘standard’, and so on. Strategy 2 usually involves some novel technique that forces the system to behave in an unintended manner – ‘breaking the system’, if you like.

Rootkits, on the other hand, do neither. Unlike trojans or viruses, the rootkit doesn’t behave like a separate program being run on top of the operating system; instead, the rootkit acts more like a driver, or one of the operating system’s own components, giving directions on how other programs should be handled. The rootkit also doesn’t exploit any vulnerabilities – it simply uses the operating system’s own features for its own ends.

The thing is, malware that uses Strategies 1 & 2 can be defeated with fairly standard countermeasures: for example, software vendors can release patches to close vulnerabilities, and users can uninstall malicious programs. Rootkits however don’t suffer either problem: there’s no vulnerability that can be patched, and because a rootkit’s first action is usually to hide itself, the rootkit can effectively prevent the user or the operating system from detecting its presence at all, let alone uninstalling it.

Why are rootkits so difficult to remove?

The highly technical reason for this is: you can’t remove a file you can’t find. Remember, the rootkit is in control. If the user starts looking through system folders for suspicious files, or starts an antivirus scan, a sophisticated rootkit can display a clean ‘image’ of the infected folder rather than the actual infected one, or move the infected file to another location for the duration of the scan; it can stop the antivirus from running, or force it to report false scan results; anything, really, to prevent detection.

Malware authors really want their creations to stay installed and active on your computer, and they can use the rootkit to perform any number of actions to prevent their malware – or the rootkit itself – from being detected. Some of the tricks they can use to get their way include:

  • Renaming their files to match a legitimate system file
  • Burying their processes and files deep within the driver and kernel
  • Installing in such a way that they reinstall again if the computer is rebooted
  • Actively altering their behavior while antiviruses are running to prevent detection
  • Actively changing their own code to make it appear to be a new, unknown program
  • Preventing AV/spyware removal programs from opening at all

Heck, about the only thing they don’t do is say they love you and will still respect you in the morning.

How does an AV detect and remove rootkits, then?

Antivirus programs have historically had a difficult time dealing with rootkits, precisely because of how they operate: by using the operating system itself to evade detection and prevent removal. In the case of simpler rootkits, it was possible to look for telltale signs – odd changes, missing or altered folders, etc. – to determine a rootkit was present. With more sophisticated threats though, detection meant deactivating the rootkit entirely before it could start active evasion; because once it was active, detection and removal became well nigh impossible.

That status quo has changed somewhat in the last few years, as more antivirus vendors have developed the necessary tools to combat the threat. As rootkits themselves vary in complexity, detecting and removing them requires a multi-layered approach:

  • First Line of Defense: Heuristic Scanning
    This preliminary defense can deal with the more obvious rootkits, those that make easy-to-spot changes or ham-fistedly modify normally untouched components. Most antivirus products nowadays include heuristic or behavior-based scanning, which examines each program to evaluate how potentially damaging its actions may be. If the rootkit (or the malware it’s hiding) is found, the AV may be able to find and remove them as usual.
  • Second Line of Defense: Specific Malware Removal
    Even with heuristic scanning, standard scanning engines may not detect more sophisticated or devious rootkits.  At this point human ingenuity enters the picture, in the form of Malware Analysts, who analyse the threat and create specific removal scripts designed to find and remove a particular rootkit. These scripts are also called on to scan the computer, looking for specific threats to complement the more general, automated checks.
  • Third Line of Defense: Offline Scanning
    Sometimes, a rootkit can compromise a computer so thoroughly that any detection program running on the infected system is hopelessly outfoxed by the wily rootkit. In that event, the safest bet is to perform offline scanning – shutting down the computer so that the rootkit can’t actively hide itself, then scanning the system using an antivirus program or rootkit detection tool that runs off a CD or USB drive.
  • Fourth Line of Defense: Manual Removal
    As a last resort, some antivirus vendors will recommend specific manual removal procedures, which only apply for particular rootkits. Generally, this type of removal is considered quite advanced for an average user, and is best left to an IT technician or at least to someone more experienced. Some vendors also develop and publish removal utility programs, either for general or specific rootkit removal.

These detection and removal methods will probably catch most of the rootkits out there, but none of them are 100% certain. In some cases, the fastest, easiest and cheapest possible solution is to simply format and reinstall the entire operating system (assuming of course you have backups of your important files). Determining whether that applies in your case really depends on your personal evaluation of the costs and benefits though, so it’s hard to state any hard and fast rule about this.

Unfortunately, malware authors are ingenious at finding ways to get where they’re not wanted, and the highly complex, multi-layered nature of computing tilts the odds in their favour more than it does to ensuring computer security. Then again, to be fair, humans have lived in houses for thousands of years, and we still haven’t figured out how to totally prevent burglars from invading our homes, so you could probably also credit a natural human genius for finding ways to inconvenience their fellows.

More

If you’re still interested, here are a few other articles with more details (some technical, others less so) about rootkits:

Also partially available in Google Books:

  • Rootkits for Dummies By Larry Stevenson, Nancy Altholz
  • The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System By Bill Blunden
  • Rootkits: Subverting the Windows Kernel By Greg Hoglund, James Butler


Get Real Sweepstakes: Week 11 — Win an iPod Touch and Internet Security


By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. LIKE our Facebook page for more giveaways and online safety tips.

Cyber Monday sparks the beginning of the holiday online shopping season. Since 2005, the Monday after Black Friday in the United States has become recognized as the day when the most people shop online. And this is no secret to cybercriminals who continue to target overeager shoppers.

Every year the most desired gifts become lures criminals use to trick us into scams and malware. That’s why a couple of weeks ago we asked you which gifts you believe will be most popular this year.

Here are the gifts you said will be most popular/dangerous this year:

  1. Kinect for Xbox 360
  2. Apple iPad and iPod
  3. PlayStation 3

Be extra careful when searching for these extra hot gifts. Here are 7 other online safety tips that you should read before you start any online shopping spree.

One reason we are more vulnerable to online scams during the holidays is because we’re in such a hurry. In fact, that’s why Cyber Monday is so huge—millions of people sneak their shopping in while at work. And many of us are stressed because we’re shopping for so many people.

This week’s question is: How many people are you shopping for this year?

Read the rules and post your answer in the comments below for your chance to win an iPod touch and F-Secure Internet Security 2011.

BONUS ENTRY: You’re eligible for an extra entry. Complete this quick survey about online shopping and then post “Survey completed” in an ADDITIONAL comment for another chance to win. If you completed the shopping survey already, you’re still eligible for an extra entry this week if you post the additional comment.

Cheers,
Sandra

CC image created by Don Hankins.

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #11- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 12:00 PM PDT on November 29, 2010 and end at 12:00 PM PDT December 6, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes, iPod touch 8 GB with a retail value of $229.99 and 1 F-Secure Internet Security license with a retail value of $59.99 will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #11“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 45 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/11/29/get-real-sweepstakes-week-11/ and comment on the post once or twice. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with i) the distribution of any prize, ii) entrants’ participation in and/or entry into the campaign, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.


Quiz : Are you smarter than John?


By Sandra

We’ll be testing you every Friday for a chance to win F-Secure’s latest Internet Security 2011 package, so stay tuned!

We’ve seen evidence of John’s careless ways. Doesn’t seem very smart, does it?

However, the truth of the matter is that you don’t have to be an imbecile to find you have been the victim of cyber theft. John is not alone – people put themselves at risk every day.

Over the next couple of weeks we’ll be sharing top tips on how to increase your internet security through our Twitter account using the hashtag ‘#NotSmartJohn’.

These will include methods to avoid getting your Facebook account hacked, your credit card details stolen or your email account accessed.  We’ll be testing your knowledge every Friday, and selecting winners at random.  All you need to do is answer the question on Facebook or Twitter with the hashtag ‘#NotSmartJohn’.

All you need to do to enter is submit your answers in the comments section of our Be Smarter than John Facebook tab or Tweet the answers when we announce the weekly quiz on Twitter every Friday.

In the meantime, to get an idea of how the F-Secure Internet Security 2011 package might benefit you, we’ve made a free 30-day trial available for download today.

Tell us about your experience! If you do test it out we would love to hear your thoughts on the product and/or on cyber-security. Share your opinions with us in the comments section below, or should you choose to review on your own site, let us know and we’ll share with the F-Secure community.

Hoping that you’re still smarter than John,

Sandra


Get Real Sweepstakes: Week 10 — Win an iPod Touch and Internet Security


By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. LIKE our Facebook page for more giveaways and online safety tips.

Have you ever searched for your own name using Google Images?

You may be surprised what you find.

If you are on Facebook (and haven’t opted out of public search; see #6 here), Last.fm or other web communities, your profile pictures may appear in the Images search results.

And there will probably be other pictures you’ve forgotten, or would like to forget.  Maybe your name appeared in a newspaper once, or on the website of your sports club, or you used to play in a band that you’d very much like to forget… The photos might still be there just waiting to be seen by everyone who knows your name.

Some call searching your own name “egosurfing”. But in a world where employers often check your online presence before making hiring decisions (except in Finland where Googling job applicants or employees is illegal), knowing what Google thinks about you is important. You can’t do much to influence these search results, but there are a few things you can do to get Google out of your life—including un-Googling yourself.

That leads to this week’s question:
What’s the most horrible picture of yourself you ever found online? You don’t have to link it here, of course ;-) . But describe in which situation it was taken.

Read the rules and post your answer in the comments below for your chance to win an iPod touch and F-Secure Internet Security 2011.

BONUS ENTRY: You’re eligible for an extra entry. Complete this quick survey about online shopping safety and then post “Survey completed” in an ADDITIONAL comment for another chance to win. If you completed the shopping survey last week, you’re still eligible for an extra entry this week.

Cheers,
Sandra

CC image created by Jing.

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #10- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 12:00 PM PDT on November 22, 2010 and end at 12:00 PM PDT November 29, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes, iPod touch 8 GB with a retail value of $229.99 and 1 F-Secure Internet Security license with a retail value of $59.99 will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #10“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 45 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/11/22/get-real-sweepstakes-week-10/ and comment on the post once. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with i) the distribution of any prize, ii) entrants’ participation in and/or entry into the campaign, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.


A quick & dirty guide to malware (part 3: worms)


By aliafs

Worm:SymbOS/Commwarrior asking permission for installation

This is the last posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

In my previous posts, I covered Trojans and Viruses, two ‘big-name’ threats most users are familiar with. Last but not least, we’ll take a look at Worms - a malware type that’s becoming especially prominent as more businesses and users become connected, both to the Internet and to other businesses around the world.

All things worm-y

Worms are, thankfully, one of the more straightforward malware types.  According to this description, this time kindly provided by Wikipedia, a computer worm is:

“…a self-replicating computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention.”

The description highlights a peculiar characteristic of worms – they are surprisingly independent creations, usually designed to handle their own functions without much, or even any, human interaction. Slightly more technically, worms have two abilities that set them apart from trojans and viruses: they can self-replicate and self-distribute.

No humans necessary…almost

Unlike trojans that use social engineering to convince a user to run them, or viruses that piggyback on other programs, worms need neither a host nor the user to make copies of themselves. Once it’s arrived on a computer, a worm can happily churn out multiple copies of itself without any help.

To be fair, many worms still need a human user to allow them access to the machine (e.g., click on an infectious e-mail attachment or accept a Bluetooth transmission) before they can start replicating. Nowadays though, we’re seeing sophisticated worms avoiding human contact entirely by exploiting vulnerabilities in the computer or an installed program, allowing them to arrive, replicate and leave without the user ever realizing they were there.

Copies for everyone, don’t be shy!

Worms also actively find new victims themselves, by sending their copies to any vulnerable machine accessible over a network.  Theoretically, worms can spread over any kind of network; as long as one computer has a data connection to another, a sufficiently clever hacker could probably find a way to sneak a program from one machine to the next.

Most antivirus vendors logically and straightforwardly categorize worms based on the type of network they primarily use to spread (email-worm, SMS-worm, bluetooth-worm, etc). Of course, some worms are also designed to spread over multiple networks, just to make life more interesting and network administrators more annoyed.

Networks are a worm’s best friends

Most of the recent media-reported worm outbreaks have taken place over the Internet, which users often forget is really just a gigantic network of computers. Worms can also spread on specialized ‘sub-networks’ layered on the Internet backbone – e-mail networks, Internet Messaging, Peer-to-Peer and Internet Relay Chat networks, and so on.

The Mikeey Twitter worm

Then there are social networking sites, which you could think of as hubs hosting multiple, overlapping networks of contacts. Particularly popular sites like Twitter and Facebook have suffered site-specific outbreaks in the last few years, though the vigorous vigilance of the site admins and alert, community-minded users have helped mitigate the threats.

Off the Internet, there are telecommunications networks, which suffer SMS, MMS and Bluetooth based worms. Even isolated intranets or standalone terminals are vulnerable if a user accidentally transfers a worm into the restricted space, though it does require a worm that can infect the ‘bridging medium’, which is almost always removable media. (*cough* thumb drives *cough*).

The Point Is…

If you’ve been following this series, you’ll already know that knowing what type of malware is present gives a good indicator of what kind of damage you need to watch out for. Whereas trojans lead to loss of user data and computer control and viruses deal damage to software integrity, with worms users have to worry about disruption of network stability.

Unlike viruses, a worm replicating on your computer isn’t particularly troublesome, as the copies themselves don’t do damage; it’s when it tries to send out its copies to new victims that the trouble starts. A worm distributing copies of itself over a network can potentially generate overwhelming amounts of traffic, effectively preventing other users from using the connection until the worm stops broadcasting. Given how dependent most businesses today are on stable internal office networks and a working Internet connection, any disruption to either is a serious matter.
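The traffic pattern described above is also what gives a spreading worm away on the network. The following is an added example, not code from the original post: it flags any host that contacts many different machines on one port within a short time while most of those connections fail. The log format, the addresses and the thresholds are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since the start of the capture
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port
    ok: bool     # True if the connection was established


def parse_line(line):
    """Parse 'ts src dst dport state' (constructed format); None for junk."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("EST", "FAIL"):
        return None
    try:
        return Conn(float(parts[0]), parts[1], parts[2],
                    int(parts[3]), parts[4] == "EST")
    except ValueError:
        return None


def find_fanout(conns, window=60.0, min_dsts=20, min_fail_ratio=0.5):
    """Return {(src, dport): most distinct destinations seen in one window}.

    A source is reported only if, inside a sliding window, it reached at
    least min_dsts different hosts on the same port AND at least
    min_fail_ratio of those connection attempts failed.
    """
    recent = defaultdict(deque)   # (src, dport) -> connections in the window
    alerts = {}
    for conn in sorted(conns, key=lambda c: c.ts):
        key = (conn.src, conn.dport)
        queue = recent[key]
        queue.append(conn)
        while conn.ts - queue[0].ts > window:
            queue.popleft()
        distinct = {c.dst for c in queue}
        if len(distinct) < min_dsts:
            continue
        failed = sum(1 for c in queue if not c.ok)
        if failed / len(queue) >= min_fail_ratio:
            alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def sample_log():
    """Constructed sample traffic; every address here is made up."""
    lines = ["# capture start", "not a log line"]
    # Workstation: many HTTPS connections, but only to three servers.
    for i in range(50):
        lines.append(f"{i * 3} 10.0.0.5 10.0.9.{1 + i % 3} 443 EST")
    # Monitoring server: contacts 30 hosts, and every connection succeeds.
    for i in range(30):
        lines.append(f"{10 + 2 * i} 10.0.0.9 10.0.2.{i + 1} 22 EST")
    # Worm-like host: 40 different targets on one port in 40 s, mostly refused.
    for i in range(40):
        state = "EST" if i % 8 == 0 else "FAIL"
        lines.append(f"{100 + i} 10.0.0.23 10.0.1.{i + 1} 445 {state}")
    return lines


def analyse(lines):
    """Parse log lines, drop the unparseable ones, and run the detector."""
    conns = [c for c in map(parse_line, lines) if c is not None]
    return find_fanout(conns)


if __name__ == "__main__":
    for (src, dport), count in analyse(sample_log()).items():
        print(f"{src} contacted {count} hosts on port {dport} within 60 s")
```

The failure-ratio condition is what keeps the monitoring server out of the results; a worm that spreads slowly enough to stay under the per-window threshold would not be caught by this check.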

Worm infections can have significant financial costs for businesses, in terms of lost productivity and disrupted business transactions. Financial costs aren’t limited to computer users either; infections on mobile devices can also generate unexpected bills, since the worms generally spread by sending out (usually chargeable) SMS or MMS messages.

Worm infections: a good way to annoy other users

The range of fallout from a worm infection is also different. Trojans and viruses tend to limit their destructive attentions to the infected machine; they may affect your programs and data, but other computers on the network aren’t likely to be affected. Worms on the other hand are egalitarian by nature; they love to share the misery, indiscriminately infecting any machines they can reach.

That also makes removal a miserable business, since administrators generally have to shut down the entire network and clean each computer before restarting services, to ensure one overlooked computer doesn’t enthusiastically share its infection with the entire network again.

Uninfected users can also be seriously inconvenienced, as local networks, e-mail services or social networking sites are temporarily shut down to clear out an infection. In major outbreaks, even the Internet infrastructure of entire countries can be slowed by too many infected computers connecting and trying to find new victims. That’s from personal experience, as I’ve had to listen to a voice recording from my ISP telling me they’re very sorry, but Internet connectivity for the whole of Malaysia is currently being affected by the Conficker worm outbreak.

Other effects

Worm:iPhoneOS/iKee's dastardly payload

In addition to the effects of its replicating behavior, a worm brings extra headaches to the party if it includes a malicious payload. Like trojans and viruses, a worm’s payload can involve compromising the user’s information, taking over control of the computer or damaging files. A small sample of the payloads we’ve seen delivered by worms: disabling programs (Email-Worm:W32/Nyxem), infecting files with a virus (Worm:W32/Klez) and installing a backdoor program (Email-Worm:W32/Bagle). Or just setting Rick Astley as your wallpaper (Worm:iPhoneOS/iKee).

And finally, an often overlooked but still significant side effect of a worm infection is the ensuing social awkwardness if it gets out that your computer or phone was the one sending out all those infectious e-mails or SMS messages. No one likes being pointed to as the computing equivalent of Typhoid Mary.

Worms in the future

Unlike viruses, worms – as a malware type – are still going strong, rivaling trojans as the most common type of malware users encounter today, though the specific type of worm involved seems to have undergone a sea change.

Previous major outbreaks (Bagle, Mydoom and Sobig, among others) involved email-worms, which affected businesses globally as their e-mail systems were overwhelmed and effectively ‘DOS’ed by the worms.  Nowadays, probably because of the extra security around e-mail applications, email-worm outbreaks seem to have died down. More recent worm activities have been Internet-based, as net-worms targeting specific vulnerabilities (such as Conficker) infect Internet-connected computers by the millions.

On mobile networks, Bluetooth-transmitted worms have been vying neck and neck with trojans for the title of most common mobile malware nuisance. So far, most worms on mobile networks have been designed to infect devices running Symbian operating systems, for the practical reason that Symbian has, at least until very recently, held the lion’s share of the smartphone OS market (reported here as 44.6% as of 10 Nov 2010). That may change though as other mobile operating systems rapidly gain greater market share. 2011 looks to be an interesting year for mobile malware; we’ll just have to wait and see…

If you’re still interested

So while we wait to see if worms make more news, here are some links to other, more in-depth resources on them:

Also partially available on Google Books:

  • Elements of Computer Security By David Salomon
  • Network Intrusion Detection and Prevention: Concepts and Techniques by Ali A. Ghorbani

Be smarter than John: How to protect yourself against Credit Card fraud

By Sandra

Over the last few weeks we’ve been sharing our concerns regarding our friend John’s carelessness.  He may as well have just given his credit card away – which in fact in Stockholm and Helsinki, is exactly what he did. (Maybe you were one of the lucky ones to spot John and receive a voucher? If so these can be redeemed over on our Facebook page.)

In addition to updated internet security, there are a number of simple methods you can use to protect yourself from credit card fraud, and avoid others using your details for their own benefit. Keep your card in a secure place, don’t forget it at every bar you go to, don’t shout out your number while waiting for a subway. Basically, think of everything John does, and do the opposite.

Here are three credit card safety tips that John would definitely ignore.

  1. Only make online purchases when you’re on a protected PC in a secure network. And only enter your credit card info at reputable, secured websites. (Look for the “s” in the https://.)
  2. Ask your card provider or bank if they offer one-time use credit card numbers for online purchases.
  3. Review your credit card monthly statements and check your account online sporadically. Contact your provider immediately if you notice any purchases you did not make.

To help protect your credit history and your peace of mind, you can try F-Secure Internet Security 2011 for free today.

Tell us about your experience! How do you prevent your precious card information getting into the wrong hands?

Get Real Sweepstakes: Week 9 — Win an iPod Touch and Internet Security

By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. LIKE our Facebook page for more giveaways and online safety tips.

Online shopping sets a new record every year, and 2010 will be no exception. For millions of people, holiday shopping begins by going to their favorite search engine and typing in the name of the first gift on their list.

Unfortunately, the more popular a gift is, the more likely it is to lead to a search engine optimization (SEO) attack. At a quick glance, these poisoned results look like every other search result. They promise to deliver you the gift you need at the price you want. But instead they lead you to malicious web pages that can easily infect an unprotected PC.

You can help prevent a cyber criminal from spoiling your holidays before the fun even begins by following these quick tips:

  • go to a retailer’s site directly if possible;
  • use Internet security software that features Browsing Protection (or check links with F-Secure’s free Browsing Protection);
  • and always check a site’s URL before making any purchase (looking to make sure you’re at the correct online store and that the page URL begins with https://, which means it’s secure).
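The last tip can be turned into a precise check. The following is an added example, not part of the original post: it parses a URL and reports why it should not be trusted as a page of a given store, including two lookalike tricks that a quick glance at the address bar tends to miss. The store name shop.example.com and the other addresses are placeholders.

```python
from urllib.parse import urlsplit


def checkout_url_problems(url, store_domain):
    """Return a list of reasons not to trust `url` as a page of `store_domain`.

    An empty list means the URL uses HTTPS and its host is the store's
    domain or a subdomain of it.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname        # lower-cased by urlsplit, no port
        userinfo = parts.username    # anything written before an '@'
    except ValueError:
        return ["URL cannot be parsed"]

    problems = []
    if parts.scheme != "https":
        problems.append("not HTTPS")
    if host is None:
        problems.append("no host name")
        return problems
    if userinfo is not None:
        # In https://store@other-site/ the real host is other-site.
        problems.append("text before '@' is not the site name")

    host = host.rstrip(".")
    store = store_domain.lower().rstrip(".")
    # The store name must END the host name, on a label boundary.
    # A host that merely contains or starts with the store name is
    # a different site.
    if host != store and not host.endswith("." + store):
        problems.append(f"host {host} does not belong to {store}")
    return problems


# Constructed test URLs; none of these are real shops.
SAMPLES = [
    "https://shop.example.com/checkout",
    "HTTPS://WWW.Shop.Example.com/cart",
    "http://shop.example.com/checkout",
    "https://shop.example.com.evil.test/checkout",
    "https://shop.example.com@evil.test/cart",
    "https://notshop.example.com/checkout",
    "shop.example.com/checkout",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found = checkout_url_problems(sample, "shop.example.com")
        print(sample, "->", found or "looks right")
```

HTTPS on its own only shows that the connection is encrypted; it is the host name check that ties the page to the store you meant to visit.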

You should also be especially careful when searching  for the most popular gifts of the season, which leads to this week’s question: Which gift do you think will be the most popular (thus the most dangerous) this holiday season?

Read the rules and post your answer in the comments below for your chance to win an iPod touch and F-Secure Internet Security 2011.

Good luck and safe shopping to all,

Sandra

CC image #1 created by istolethetv.
CC image #2 created by digitpedia.

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #9- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 12:00 PM PDT on November 15, 2010 and end at 12:00 PM PDT November 22, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes, iPod touch 8 GB with a retail value of $229.99 and 1 F-Secure Internet Security license with a retail value of $59.99 will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #9“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/11/12/get-real-sweepstakes-week-9/ and comment on the post once. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with i) the distribution of any prize, ii) entrants’ participation in and/or entry into the campaign, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

A quick & dirty guide to malware (part 2: viruses)

By aliafs

A dialogue screen shown by Virus:W32/Duts.A

This is the second posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

The One That Left

Last week I spoke of Trojans, Viruses and Worms as The Big Three. I lied a bit, though. Viruses – as a distinct malware type – probably shouldn’t be on that list any more.

Viruses have always loomed large in users’ minds as the poster child of malicious programs – heck, we even call it the anti-virus industry. In the last 10 years or so however, the number of virus infections has nosedived; our Labs, which once dealt with viruses routinely, now sees a proper virus infection about once or twice a month. Today when people talk of ‘viruses’, more often than not what they’re describing is technically a trojan or a worm, and they’re using the term in a general, ‘any malware will do’ kind of way.

That’s not to say viruses are extinct; we still receive a small, if persistent, number of queries about viruses. This may be because many businesses, households and users (both in developed countries and in recently connected developing ones) still use old, out-dated, unpatched machines or programs, or haven’t yet developed security-conscious habits.

Whatever the case, virus infections will probably still cling on to life for a weary day after, so let’s take a look at them.

Highlights of a virus

Definition of a virus given by Merriam-Webster online dictionary

The Merriam-Webster online dictionary’s bare-bones definition of a computer virus touches on important elements most users should know, so I’ll just elaborate a bit more on some key concepts:

“usually hidden within another seemingly innocuous program”

Last week I compared a virus to a parasite, because not only does it ‘hide’ in another program, but also depends on its host to function. For the virus to run, the unsuspecting user must actively launch the infected program, which in turn launches the virus.

For this reason, virus writers usually create viruses that infect executable files (especially popular programs such as word processors or media files), which have a higher chance of being run; programs with files that get passed around a lot are extra attractive, since they can affect even more potential victims.

A good example is the Microsoft Office suite which, with its huge community of business and personal users, used to be a popular target for macro viruses. We still see queries related to this virus type, though thankfully far fewer than previously.

“Produces copies of itself and inserts them into other programs”

If you think of the common cold virus spreading from one person to another, you’ll have a pretty good idea of why this behavior can be so damaging. When an infected file is executed, it searches for and infects new files; if the newly infected files are launched, they find and infect new files in turn, like some evil Multi-Level Marketing operation. At worst, this pattern can lead to every targeted file on the system being infected.

“Usually performs a malicious action”

The damage a virus can do by replicating and infecting new files is bad enough; its payload, a completely separate set of nasty actions, can be worse. The range of actions a virus can take is huge – connecting to a remote site, changing the desktop wallpaper, displaying silly notification messages, deleting data files…it really just depends on the virus author’s imagination and programming skills.

If you’re lucky, they’re not that good and you get failed viruses like Virus:W32/Stardust; if they’re good, then you get really nasty beasts like Virus:W32/Virut or Virus:W32/Sality.AA (one of the few viruses we still find regularly active).

Appending, prepending, cavity…who cares?

A dialogue screen shown by Virus:W32/ZMK

With thousands of unique viruses out in the wild, antivirus companies find it necessary to divide them into sub-types. Unlike trojans though, viruses don’t fall into neat categories reflecting their actions; instead, they naturally fall into groupings based on technical differences in the way they infect a file – which is basically gobbledygook to a user not interested in detailed analysis.

Generally, viruses can be divided into two groups – system infectors and file infectors. The majority of viruses are the latter and infect programs or data files. System infectors on the other hand write their malicious code to specific, critical sections of the hard disk containing the operating system, so that while the OS is running its normal routines, it’s also unintentionally executing the virus code.

Fortunately, for most users a virus’s classification is largely academic. For better or for worse, the sheer variety of possible effects each unique virus can have on a file or system makes it more practical to take each virus on a case by case basis.

Back to what’s important – why should the user care?

So let’s go back to the original question that sparked off this series: do you really need to know if it’s a virus – as opposed to, say, a trojan or worm – infecting your computer?

Well, it helps to know because the two malware types tend to affect your data and computer in different ways. As a (very) general rule, trojan infections are more about data theft and loss of control over the computer; virus infections tend to result in software disruptions or damage.

Trojans may copy and steal your data, but they don’t usually destroy the data file itself; they may stop programs from running but they don’t destroy the program. A virus, on the other hand, inserts its own code into a program or data file and, depending on how it does so, may leave the host completely unharmed and functional, slightly disrupted, or completely non-functional.

Another difference between trojans and viruses that really affects the user involves disinfection. For one thing, a trojan is usually a single, discrete program – getting rid of it tends to be fairly simple, a matter of removing the malicious file and its residuals (registry keys, processes, icons, etc). Removing the trojan also generally doesn’t affect the integrity of other files on the computer.

Viruses are far more nebulous by design – they can be present in multiple files, in different locations. Identifying a virus-infected file may require scanning the entire computer to be sure every affected file is caught. Removing malicious code from an infected file – or, if it can’t be saved, deleting the infected file entirely – can also be problematic if the damaged data is important or the program is a critical system component.

And this doesn’t even take into account the virus’s payload, which can produce a whole other set of worries.
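One way to find every file that has changed is to compare the disk against a known-good record. The following is an added example, not from the original post: it records the size and SHA-256 hash of each file, then classifies later differences. It also shows why size alone is not enough: an appending or prepending infector usually makes its host file bigger, while a cavity infector writes into unused space inside the file, so only the hash changes. The file names and the MARKER bytes are harmless constructed stand-ins.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to (size, SHA-256 hex digest)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            size = 0
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
                    size += len(chunk)
            result[os.path.relpath(path, root)] = (size, digest.hexdigest())
    return result


def compare(baseline, current):
    """Classify the differences between a known-good snapshot and a new one."""
    report = {"size_changed": [], "same_size_modified": [],
              "new": [], "missing": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel][1] != digest:
            # Content differs; the size tells us which kind of change it is.
            same_size = baseline[rel][0] == size
            report["same_size_modified" if same_size else "size_changed"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    for names in report.values():
        names.sort()
    return report


def demo():
    """Constructed demonstration in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        originals = {
            "editor.bin": b"HEADER" + b"\x00" * 64 + b"CODE",
            "player.bin": b"HEADER" + b"\x00" * 64 + b"CODE",
            "notes.txt": b"shopping list\n",
        }
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Stand-in for an appending infector: bytes are added, the file grows.
        with open(os.path.join(root, "editor.bin"), "ab") as fh:
            fh.write(b"MARKER")
        # Stand-in for a cavity infector: padding is overwritten in place,
        # so the size is unchanged and only the hash gives it away.
        with open(os.path.join(root, "player.bin"), "r+b") as fh:
            fh.seek(6)
            fh.write(b"MARKER")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A comparison like this only says which files changed, not why; software updates change files too, so the baseline has to be refreshed after every legitimate update.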

If you’re still interested

Still, there is a ray of hope. If current malware trends persist, we may soon see adware or backdoors promoted to being the newest member of The Big Three, and viruses – as a distinct malware type – can finally be relegated to joining 3½” floppy disks in Computer Hell.

In the meantime, here are some links to other, more in-depth resources on viruses:

Or partially available on Google Books:

  • “Elements of Computer Security” by David Salomon
  • “Cybercrimes: A Multidisciplinary Analysis” by Sumit Ghosh

Next

Coming soon – Worms!

[Fake] Warning! Your system is infected.

By Sarah

Ashley was browsing online for a new pair of shoes when suddenly an alert appeared on her screen.

Warning from Windows Protection Suite! A sample scan of your PC has found 20 potential threats.

“What’s this?” Ashley wondered. “Is this my security software? Do I even have security software?”

She was in a hurry, so she clicked, “Protect Now”. Now, the trouble begins.

This scene is repeated over and over on PCs all over the world, thousands of times a day. An official-looking alert pops up. It warns that malware has been detected in the system and in order to remove it, you need to activate an anti-virus program. The alert seems rather convincingly to be coming from the system itself, and Microsoft Windows purportedly recommends this anti-virus program. So, what could go wrong?

Once activated, the anti-virus program seems to remove the malware and proceeds to run a full scan on the system as an extra precaution. Upon further scanning, more malware is detected and the trial version, which is limited in capability, won’t be enough. An upgrade to the full version is recommended at a small price.

Ashley’s PC has been disabled by scareware.

What is scareware?

The above situation describes a typical encounter with a rogue anti-virus or security program, which uses scare tactics to push users into purchasing the product. Often, users end up with an incompetent product that does nothing. It turns out that aside from the rogue itself (and the program that downloaded it), the system is otherwise clean. The rogue is just pretending to perform a scan and remove nonexistent malware.

However, there are instances where the product being “sold” is legit and is quite capable; only the selling method is shady. Usually carried out by affiliate vendors that collect commission for each copy sold, some extreme tactics include corrupting users’ files and, to some level, installing actual malware on the system, just to push users into making the purchase. If a security product is oversold to you in this manner, contact the maker of the product directly. Honest security vendors work hard every day to help eliminate the menace of their malicious imitators.

How does Rogue AV get on my system?

It is possible that you inadvertently installed the rogue on your system yourself, thinking that you were downloading the free version of a legitimate program. But it is more likely that the rogue is installed by another program such as a trojan-downloader. The trojan-downloader might have infiltrated the system through a drive-by-download method such as hitchhiking with another downloaded program or pretending to be another program that users trusted. For more information about Trojans, check out Alia’s quick and dirty introduction to the malware version of con men.

Removing rogues

Removing a rogue can be challenging; some conventional anti-virus programs might not be up to the task, perhaps due to the rogue’s non-malware characteristics or stealth techniques. One option is to use a special tool such as the F-Secure Easy Clean. Tools like Easy Clean can handle complex threats that may have escaped your anti-virus program.

If you’re an advanced user, you may want to perform manual removal. You’ll be required to delve into the system to locate and delete everything (files, directories, registry entries) associated with the rogue. Be careful. It’s a challenge.

Tips for protecting yourself

If an unfamiliar alert suddenly flashes on your screen, do not panic, and tuck your credit card away.

Rogues aim to scare you until you submit to purchasing the product. Stay calm and conduct a Google search on this anti-virus product. If it is a rogue, you’ll find threads from credible sources mentioning this fact, along with instructions for removing it from the system.

If you are indeed in the market for an anti-virus or security product, rely on credible names in the industry. Visit their website to learn more about the vendors and their products. Many vendors including F-Secure provide a free trial of their product or access to free security tools. Take advantage and play around with these resources to figure out which product suits you best.

Get Real Sweepstakes: Week #8 — Win a Flip Ultra HD

By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. Like our Facebook page for more giveaways and online safety tips.

I’m still worried about my friend John. Everywhere he goes, he leaves a little bit of himself for strangers to find and exploit.  Take John’s recent trip to Stockholm, for instance.

Why am I so afraid for John? Identity Theft.  I’m afraid someone is going to pretend to be John and get him in a lot of trouble. And frankly, John does enough of that himself.

But John won’t listen. Maybe it’s because the term “Identity Theft” is vague. The whole reason you worry about someone damaging your identity is because unless you have surgery or access to incredible forgeries, you will always be you.

When most people talk about Identity Theft, they usually mean simple credit card fraud—someone using your financial details to illegally buy property. But there are many kinds of Identity Theft. Someone can pose as you to commit a crime or to get a prescription. Your online identity could be hijacked to harm your personal brand. Loans can be applied for in your name. The possibilities are only limited by a criminal’s imagination.

So, we want to know: What does Identity Theft mean to you? What is the most irreplaceable aspect of your identity?

Read the rules and post your answer in the comments below for your chance to win a Flip Ultra HD 8 GB camera and F-Secure Internet Security 2011, which will help protect your identity.

Cheers,

Sandra

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #8- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 6:00 PM PDT on November 7, 2010 and end at 12:00 PM PDT November 15, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes, a Flip Ultra HD 8 GB with a retail value of $199.99 and 1 F-Secure Internet Security licenses with a retail value of $59.99 will be given as prizes in this promotion at the close of the competition.
5. Only one (1) entry, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #8“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/11/07/get-real-sweepstakes-week-8/ and comment on the post once. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with accidents, terrorism, theft, natural disaster, the promotion of the Get Real Sweepstakes, the distribution of any prize, entrants’ participation in and/or entry into the Get Real Sweepstakes, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

You don’t have to be a parent to use parental control

By Melody-Jane

The internet is full of information, but how many of us want access to all of it? There are some things online that we can live without seeing. There are also certain categories of website that are used more often by spammers and scammers, and sometimes you might find yourself too easily distracted by browsing the web when you should be working.

This is when using parental control on yourself can be useful.

When you have our internet security product with parental control installed you can get a little help with your self-discipline, if you want it, or provide an extra layer between yourself and internet content that you do not want to see.

Parental control has two blocking methods, one of them time-based and the other category based. If there are types of website that you do not wish to see you can set up a category based block for yourself:

Picture of F-Secure parental control categories

If you tend to lose track of the time and browse past your ideal bed time then you can use the time limits in parental control to make a warning page appear if you try to access a new page after, say, 1am:

F-Secure parental control time block settings

If you set it up for yourself you still know the password and retain control over your browsing. You can extend the time limit in half hour chunks if you want a little longer. You won’t find yourself blocked from the internet if you don’t really want to be as you can either whitelist specific sites or override the block by entering the password.

It’s a nice way to give yourself a little reminder and to ask yourself the question “Do I really want to surf here?”

A quick & dirty guide to malware (part 1: trojans)

By aliafs

Trojan-Downloader:OSX/Jahlev.A: Trojan disguised as a MacAccess Installer

Judging by the comments on my previous post, there are readers out there who want more in-depth postings about malware – worms, trojans, viruses and the like. Pleased to hear it! So, just to bolster the more malware-focused side of Safe and Savvy, this will be the first in a 3-part series in which I’ll take a look at the most common computer threats you may encounter.

As this is meant as a rough and ready guide rather than an in-depth technical scrutiny, I’ll be highlighting general features and patterns to help ‘the average user’ distinguish between different malware types, as well as how each can affect your data or computer.  Links to more technical discussions are available below.

The Big Three

In this series, I’ll be covering Trojans, Viruses and Worms. After all, when most users think of malware, they’ll almost always think of these three first. These are the most commonly found computer threats, the ones with the most media attention, the evil shining stars of the malware world – The Big Three. If you only ever learn the difference between three types of malware, it should be these three.

Now, perhaps you’d ask at this point, “I have an antivirus program on my computer that will tell me what malware it is, and stop it! Why should I bother?” There are numerous reasons why you still may want to know about how malware works. But for now, I’ll just highlight this one: an antivirus program only handles identifying and disinfecting threats from the computer; the user still has to deal with the real-world repercussions of malware affecting their personal information.

As an example, an AV could identify and clean a trojan-thief infection from your computer – but if you know that trojan-thieves typically steal account credentials and passwords, you’d also know to check your online banking and gaming accounts to make sure they aren’t compromised. Knowing more about the malware gives you a starting point for evaluating the impact the infection had on your data and system, and how to make sure both are secure.

So without further ado, we’re going to take a closer look at today’s Threat Numero Uno, the trojan.

Trojans

Trojans and their more well-known cousins, viruses, aren’t always easy to tell apart.

Merriam-Webster’s definition of a trojan is:

“A seemingly useful computer program that contains concealed instructions which when activated perform an illicit or malicious action (as destroying data files)”.

Meanwhile, their definition for a virus is:

“A computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)”.

Both perfectly correct and succinct – but still a bit obscure. How would the average user know the malicious action was done because of ‘concealed instructions’ rather than a ‘hidden program’? Perhaps an easier way to grasp the essence of a trojan, and how it differs from a virus, is to think of the difference between a parasite and a fraud.

Think of a macro virus that infects a Microsoft Word document; the Word document itself is perfectly legitimate, but it’s carrying a parasite. In contrast, a trojan that pretends to be a game but installs a keylogger on the system is a fraud; the program itself is bogus – it appears to work but is really just a front to deliver a nasty payload.

Most trojans are fairly simple and fit this definition neatly enough. Of course, there are particularly sophisticated trojans that blur the boundaries by including virus-like capabilities (or vice versa), just to make life difficult for everyone. Fortunately, at the moment these blended threats are relatively rare birds, and we’ll leave them aside for now.

Getting Infected

Trojan:AndroidOS/Tapsnake: A trojan that appears to be a game

Trojans are particularly easy to run afoul of because they are deliberately designed and distributed in a way that fools you, the unsuspecting user, into downloading, installing and running them. You could think of trojans as the con men of malware.

Trojans can appear to be almost any type of program – utilities, games, operating system updates, and so on. Malware authors will often steal the names/facade/details of a legitimate program to make the trojan seem authentic or desirable.

On smartphones, particularly Internet-enabled ones, trojans (and worms) have always been the most common type of threat. Trojans targeting smartphones are almost always disguised as system-related updates or applications (e.g., Trojan:SymbOS/Skulls) or games (e.g., Trojan:WinCE/Terdial) – both program types a user is likely to trust and/or desire.

For computer users, viruses have traditionally been the more high-profile threat, but in recent years trojans have superseded them and become more prevalent. Trojans used to be most commonly encountered as e-mail file attachments (either spammed out, often by botnets, or sent directly to the recipient in a targeted attack). This strategy required that the e-mail be convincing (or tantalizing) enough to draw the user into executing the authentic-looking attachment.

Fortunately, most users wise up to this tactic pretty fast, which is bad news for attackers. Nowadays, instead of depending on spam e-mails or direct attacks, malware authors or distributors (they might not be the same) seem to be moving their game online; users are now more likely to stumble across trojans when they’re surfing the web.

Trojans Online

Trojans have been found:

  • Hosted on malicious sites (search engine results may be poisoned to direct users to these sites)
  • Hosted on legitimate sites that have been compromised
  • Seeded on torrent sites, forums, newsgroups, and other download sites
  • Offered through hijacked social networking, instant messaging (IM) and Internet Relay Chat (IRC) accounts

In the online environment, malware authors/distributors seem to turn their creativity to making the malicious websites that host trojans look really authentic and respectable. Again, there’s that element of deception, though now the trickery is focused more on the website than on the actual file.

A ‘tried and true’ tactic involves the malicious site offering the trojan as a supposed ‘update for a video player’, or ‘patch for a game’ or similar. Another oft-used trick is for the malicious site to mimic or completely copy a legitimate site to lend authenticity to the offered download (for a particularly complex example, see our Labs Weblog entry ZeuS Variants Targeting Mobile Banking).

A particularly effective tactic has the malicious website itself designed to exploit vulnerabilities in the visitor’s web browser, forcing it to automatically download the trojan to the user’s computer. This sophisticated variation on the classic ‘driveby-download’ attack doesn’t require the user to actively do anything at all on the website.

Trojans – after your data, your computer, or both

Once downloaded and executed, the trojan will perform some unauthorized action. Most trojans will fall into one of two general ‘spheres of action’: dealing with data or stealing control of the computer.

Data-dealers

Trojans that target information will either steal data directly from the user/computer, or monitor the user’s behavior in order to gather data. These trojans are password-stealers and keyloggers, the ones that monitor a user’s web browsing behavior and actions on the computer.

Control-stealers

Trojans designed for control allow, or install programs that allow, a remote attacker to control the infected computer. These are the trojans that download programs to the machine, or turn the user’s computer into a proxy so that an attacker can connect to the Net anonymously. These trojans may also include information-stealing trojans as part of their payload, handily compromising both machine and user data.

Types of Trojans

What Trojans Do

Conveniently, these distinctive behavior groupings make trojans easy to categorize. You can see the types (right) F-Secure uses to indicate a specific trojan’s actions; most antivirus vendors will use roughly similar categorization schemes.

Some trojans are rather more sophisticated and can perform more than a single type of action. These uber-trojans are generally just categorized as trojans, for simplicity’s sake.
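To show how a detection name can guide what you check after the antivirus has cleaned up, here is an added example (not F-Secure's code) that parses names in the Type:Platform/Family.Variant layout quoted in this post and sorts them into the two spheres of action. The suffix-to-sphere table, the follow-up wording and the two constructed sample names are assumptions made for illustration.

```python
import re

# Layout of the detection names quoted in this article:
#   Type:Platform/Family[.Variant]   e.g. Trojan-Downloader:OSX/Jahlev.A
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z-]+):(?P<platform>[A-Za-z0-9]+)"
    r"/(?P<family>[A-Za-z0-9_-]+)(?:\.(?P<variant>[A-Za-z0-9]+))?$"
)

# ASSUMPTION: which type suffix belongs to which "sphere of action".
# The article's own type chart is an image, so this table is illustrative.
SPHERE_BY_SUFFIX = {
    "spy": "data", "psw": "data",
    "downloader": "control", "dropper": "control", "proxy": "control",
}

FOLLOW_UP = {
    "data": "change passwords from a clean device; check bank and game accounts",
    "control": "look for extra installed programs and unexpected connections",
    "both": "name does not say what it does: do the data and control checks",
}

def parse_detection(name):
    """Split a detection name into its parts and attach a sphere of action."""
    match = NAME_RE.match(name.strip())
    if match is None:
        raise ValueError(f"unrecognised detection name: {name!r}")
    parts = match.groupdict()
    base, _, suffix = parts["type"].partition("-")
    if base.lower() != "trojan":
        raise ValueError(f"not a trojan detection: {name!r}")
    # A bare "Trojan" (or an unknown suffix) may do several things at once.
    parts["sphere"] = SPHERE_BY_SUFFIX.get(suffix.lower(), "both")
    return parts

def triage(names):
    """Return (name, sphere, follow-up) rows; bad names are flagged, not fatal."""
    rows = []
    for name in names:
        try:
            sphere = parse_detection(name)["sphere"]
            rows.append((name, sphere, FOLLOW_UP[sphere]))
        except ValueError as err:
            rows.append((name, "unparsed", str(err)))
    return rows

if __name__ == "__main__":
    # First four names appear in the article; the last two are constructed.
    sample = ["Trojan-Downloader:OSX/Jahlev.A", "Trojan:AndroidOS/Tapsnake",
              "Trojan:SymbOS/Skulls", "Trojan:WinCE/Terdial",
              "Trojan-Spy:W32/Example.B", "garbled alert text"]
    for row in triage(sample):
        print(" | ".join(row))
```

A name typed only as “Trojan” lands in “both”, which matches the point above that multi-purpose trojans are simply categorized as trojans.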

If you’re still interested….

The above is just a very quick highlight of a trojan’s most notable features. You can find more information about trojans here:

Or partially available on Google Books:

  • “Software forensics: collecting evidence from the scene of a digital crime” by Robert Slade
  • “IT security survival guide” By TechRepublic

Next

Up next – Viruses!

Get Real Sweepstakes: Week 7 — Win an iPod Touch and Internet Security for You and Your Family

By Sandra

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. Like our Facebook page for more giveaways and online safety tips.

We’re happy to say that Safe and Savvy has been named a winner of a 2010 Top Blog Award.

We’ve been blogging for less than a year. In that time, we’ve talked about quitting Facebook and what to do if you stay. We’ve covered the best methods for backing up your content and how to make sure your web cam isn’t spying on you. And we’ve told you about what happens when you get robbed in the World of Warcraft and how to find out if you have a cyberstalker.

And we always want to hear from you, which leads to…

This week’s question is: What online safety or security question would you like to see us blog about? If you can’t think of one, you can just tell us about a Safe and Savvy post that you’ve appreciated.

Just read the rules and post your answer in the comments. This week’s winner will receive an iPod touch 8 GB plus F-Secure Internet Security for your whole family (up to 5 members).

Cheers,

Sandra

CC image by takomabibelot

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #7- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 6:00 PM PDT on October 31, 2010 and end at 6:00 PM PDT November 7, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 6 prizes, an iPod touch with a retail value of $229.99 and 5 F-Secure Internet Security licenses with a retail value of $299.95, will be given in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #7“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/10/23/get-real-sweepstakes-week-7/ and comment on the post once or twice. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments may be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with accidents, terrorism, theft, natural disaster, the promotion of the Get Real Sweepstakes, the distribution of any prize, entrants’ participation in and/or entry into the Get Real Sweepstakes, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

Quick tip: How to hide your Facebook friends list

By Jason

Recently Chloe, a commenter on “How to Save Face: 6 Tips for Safer Facebooking“, asked, “How do I hide my friends to everyone?”

To hide your friends list on Facebook, you’ll need to do the following:

1. Go to the “Account” tab and select “Privacy Settings”

2. Under “Basic Directory Information” click “View Settings”

3. In the “See my friends” setting select “Customize”

4. Below “Make this visible to” select “Only Me”

You can also go to your “Profile” and click on the little pencil above your friends.  You can select how many friends to show. But you can’t select 0.

To hide your list entirely you have to click “Change Visibility Settings” and end up at step 3 above.

Facebook makes it far too difficult to hide your friends. In the site’s defense, it’s not as hard to find as some of the site’s other opt-in features. And you’re probably not going on a social network to be anti-social. And if you need to hide your friends from even your friends, you’re adding the wrong people as friends.

But still, Facebook, c’mon! Put 0 as an option right on my profile. I may want to be social in different ways than the 550,000,000 other people on your site. Or maybe I want to protect my friends with intriguing politics. Or maybe I’m neurotic about the karma in connecting the wrong people. But give me the choice.

I admit it: I just can’t quit you, Facebook. But if you keep pushing me away, you’re eventually going to succeed. So every once in a while, surprise me! Err on the side of making it easy to control my privacy.

Still your friend,

Jason
