15855489588_6c209780a9_b

How “the Cloud” Keeps you Safe

“The cloud” is a big thing nowadays. It’s not exactly a new concept, but tech companies are relying on it more and more. Many online services that people enjoy use the cloud to one extent or another, and this includes security software. Cloud computing offers unique security benefits, and F-Secure recently updated F-Secure SAFE to take better advantage of F-Secure’s Security Cloud. It combines cloud-based scanning with F-Secure’s award-winning device-based security technology, giving you a more comprehensive form of protection. Using the cloud to supplement device-based scanning provides immediate, up-to-date information about threats. Device-based scanning, which is the traditional way of identifying malware, examines files against a database saved on the device to determine whether or not a file is malicious. This is a backbone of online protection, so it’s a vital part of F-Secure SAFE. Cloud-based scanning enhances this functionality by checking files against malware information in both the local database found on devices, and a centralized database saved in the cloud. When a new threat is detected by anyone connected to the cloud, it is immediately identified and becomes "known" within the cloud. This ensures that new threats are identified quickly and everyone has immediate access to the information, eliminating the need to update the database on devices when a new threat is discovered. Plus, cloud-based scanning makes actual apps easier to run. This is particularly important on mobile devices, as heavy anti-virus solutions can drain the battery life and other resources of devices. F-Secure SAFE’s Android app has now been updated with an “Ultralight” anti-virus engine. It uses the cloud to take the workload from the devices, and is optimized to scan apps and files with a greater degree of efficiency. Relying on the cloud gives you more battery life, and keeps you safer. The latest F-Secure SAFE update also brings Network Checker to Windows PC users. Network Checker is a device-based version of F-Secure’s popular Router Checker tool. It checks the Internet configuration your computer uses to connect to the Internet. Checking your configuration, as opposed to just your device, helps protect you from attacks that target home network appliances like routers – a threat not detected by traditional anti-virus products. So the cloud is offering people much more than just extra storage space. You can click here to try F-Secure SAFE for a free 30-day trial if you’re interested in learning how F-Secure is using the cloud to help keep people safe. [Image by Perspecsys Photos | Flickr]

June 30, 2015
BY 
money, burnt, online, internet, scams

The 5 Internet scams your kid or mom is most likely to fall for

There wouldn't be billions people online every moment of every day if everyone was getting scammed all the time. Online security is, in many ways, better than ever, as are the sites designed to attract our attention. But exploits and the crooks that want to exploit us still exist, enjoying advanced malware-as-service models proven to steal our data, time and money. And with the awesome number of people online, scams only need to work a tiny percentage of the time to make the bad guys rich. We're sure you're savvy enough to avoid most trouble. But for everyone else you know, here are 5 common scams to look out for. 1. Ransomware. This scam, which F-Secure Labs has been tracking for over 5 years, prospers because it offers incredible returns -- to the scammer. "It estimated it would cost $5,900 (£3,860) to buy a ransomware kit that could return up to $90,000 in one month of operation," the BBC reports. It works like this. You suddenly get a message saying that your files are being held and you need to pay a ransom to release them. Sometimes the scam pretends to be from a police organization to make them extra scary: Anonymous cyber-currencies like bitcoin have made the scam even more appealing. "That's what really enabled the ransomware problem to explode," our Mikko Hypponen said. "Once the criminals were able to collect their ransom without getting caught, nothing was stopping them." They really do take your files and they generally will give them back. Ironically, their reputation matters since people will stop paying if they hear it won't work. Mikko recommends four ways to defend yourself from this -- and almost every scam: Always backup your important files. Ensure software is up-to-date. Be suspicious of message attachments and links in email. Always run updated comprehensive security software. He adds, "Don't pay money to these clowns unless you absolutely have to." 2. Technical support scams. "In a recent twist, scam artists are using the phone to try to break into your computer," reports the U.S. Federal Trade Commission. "They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need." Never give anyone who calls you unsolicited your private information or access to your computer. As a matter a fact, don't do that even if the call is solicited. If you feel the call may actually important, ask who they are calling from and then contact the organization directly. For more tips visit the FTC site. 3. Facebook freebies. Free iPad! Free vacation! Free gift card! If it's free, it's on Facebook and it comes from someone you do not know or trust directly, assume it's a scam. At best it's a waste of your time, at worst it could end up costing you money. Unfortunately, there are only two things you can do to avoid these scams. Don't follow people who share crap like this on Facebook and don't click on things that seem too good to be true. "There is no way a company can afford to give every Facebook user a $25.00, $50.00 or $100.00 gift card," Facecrooks, a site that monitors these scams, reminds you. "A little common sense here tells you that something is way off base." So be suspicious of everything on Facebook. Even friends asking for money. 4. Loan scams. Scammers are smart. They know that the more a person is in financial need, the more desperate she or he becomes. For this reason, loans of various kinds -- especially mortgages that are in foreclosure -- are often lures for a scam. Once they have your attention, they may use a variety of tactics to dupe you, the FTC explains. They may demand a fee to renegotiate your loans for lower payments or to do an "audit" of what you're paying. It may even go far enough that they'll ask you directly or trick you into signing over your house to ease the pressure from your creditors. There are many warning signs to look out for. Keep in mind that if you're ever in doubt, the best step is to back off and seek advice. You can also tell the person you're going to get a second opinion on this from a lawyer. If the person you're dealing with insists that you not or freaks out in any other way, it's a good sign you're being taken. 5. Money mule scams. These scams are a variation on the 419 scams where a foreign prince asks you to hold money for him. All you have to do is wire him some first. But in this case you may actually get the money and be used as a tool of organized crime. A money mule illegally transfers money for someone in exchange for some of the take. Many law-abiding people get drawn into this crime while searching for jobs or romance, which is why your should stick to legitimate sites if you're seeking either of those things. Greed and the lure lottery winnings and inheritances is also used as a lure for potential victims. Trust is the most important thing on the internet. Anyone who trusts you too quickly with offers of money or love is probably scamming you. Cheers, Sandra [Image by epSos .de | Flickr]

June 24, 2015

Latest Posts

15855489588_6c209780a9_b

“The cloud” is a big thing nowadays. It’s not exactly a new concept, but tech companies are relying on it more and more. Many online services that people enjoy use the cloud to one extent or another, and this includes security software. Cloud computing offers unique security benefits, and F-Secure recently updated F-Secure SAFE to take better advantage of F-Secure’s Security Cloud. It combines cloud-based scanning with F-Secure’s award-winning device-based security technology, giving you a more comprehensive form of protection. Using the cloud to supplement device-based scanning provides immediate, up-to-date information about threats. Device-based scanning, which is the traditional way of identifying malware, examines files against a database saved on the device to determine whether or not a file is malicious. This is a backbone of online protection, so it’s a vital part of F-Secure SAFE. Cloud-based scanning enhances this functionality by checking files against malware information in both the local database found on devices, and a centralized database saved in the cloud. When a new threat is detected by anyone connected to the cloud, it is immediately identified and becomes "known" within the cloud. This ensures that new threats are identified quickly and everyone has immediate access to the information, eliminating the need to update the database on devices when a new threat is discovered. Plus, cloud-based scanning makes actual apps easier to run. This is particularly important on mobile devices, as heavy anti-virus solutions can drain the battery life and other resources of devices. F-Secure SAFE’s Android app has now been updated with an “Ultralight” anti-virus engine. It uses the cloud to take the workload from the devices, and is optimized to scan apps and files with a greater degree of efficiency. Relying on the cloud gives you more battery life, and keeps you safer. The latest F-Secure SAFE update also brings Network Checker to Windows PC users. Network Checker is a device-based version of F-Secure’s popular Router Checker tool. It checks the Internet configuration your computer uses to connect to the Internet. Checking your configuration, as opposed to just your device, helps protect you from attacks that target home network appliances like routers – a threat not detected by traditional anti-virus products. So the cloud is offering people much more than just extra storage space. You can click here to try F-Secure SAFE for a free 30-day trial if you’re interested in learning how F-Secure is using the cloud to help keep people safe. [Image by Perspecsys Photos | Flickr]

June 30, 2015
money, burnt, online, internet, scams

There wouldn't be billions people online every moment of every day if everyone was getting scammed all the time. Online security is, in many ways, better than ever, as are the sites designed to attract our attention. But exploits and the crooks that want to exploit us still exist, enjoying advanced malware-as-service models proven to steal our data, time and money. And with the awesome number of people online, scams only need to work a tiny percentage of the time to make the bad guys rich. We're sure you're savvy enough to avoid most trouble. But for everyone else you know, here are 5 common scams to look out for. 1. Ransomware. This scam, which F-Secure Labs has been tracking for over 5 years, prospers because it offers incredible returns -- to the scammer. "It estimated it would cost $5,900 (£3,860) to buy a ransomware kit that could return up to $90,000 in one month of operation," the BBC reports. It works like this. You suddenly get a message saying that your files are being held and you need to pay a ransom to release them. Sometimes the scam pretends to be from a police organization to make them extra scary: Anonymous cyber-currencies like bitcoin have made the scam even more appealing. "That's what really enabled the ransomware problem to explode," our Mikko Hypponen said. "Once the criminals were able to collect their ransom without getting caught, nothing was stopping them." They really do take your files and they generally will give them back. Ironically, their reputation matters since people will stop paying if they hear it won't work. Mikko recommends four ways to defend yourself from this -- and almost every scam: Always backup your important files. Ensure software is up-to-date. Be suspicious of message attachments and links in email. Always run updated comprehensive security software. He adds, "Don't pay money to these clowns unless you absolutely have to." 2. Technical support scams. "In a recent twist, scam artists are using the phone to try to break into your computer," reports the U.S. Federal Trade Commission. "They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need." Never give anyone who calls you unsolicited your private information or access to your computer. As a matter a fact, don't do that even if the call is solicited. If you feel the call may actually important, ask who they are calling from and then contact the organization directly. For more tips visit the FTC site. 3. Facebook freebies. Free iPad! Free vacation! Free gift card! If it's free, it's on Facebook and it comes from someone you do not know or trust directly, assume it's a scam. At best it's a waste of your time, at worst it could end up costing you money. Unfortunately, there are only two things you can do to avoid these scams. Don't follow people who share crap like this on Facebook and don't click on things that seem too good to be true. "There is no way a company can afford to give every Facebook user a $25.00, $50.00 or $100.00 gift card," Facecrooks, a site that monitors these scams, reminds you. "A little common sense here tells you that something is way off base." So be suspicious of everything on Facebook. Even friends asking for money. 4. Loan scams. Scammers are smart. They know that the more a person is in financial need, the more desperate she or he becomes. For this reason, loans of various kinds -- especially mortgages that are in foreclosure -- are often lures for a scam. Once they have your attention, they may use a variety of tactics to dupe you, the FTC explains. They may demand a fee to renegotiate your loans for lower payments or to do an "audit" of what you're paying. It may even go far enough that they'll ask you directly or trick you into signing over your house to ease the pressure from your creditors. There are many warning signs to look out for. Keep in mind that if you're ever in doubt, the best step is to back off and seek advice. You can also tell the person you're going to get a second opinion on this from a lawyer. If the person you're dealing with insists that you not or freaks out in any other way, it's a good sign you're being taken. 5. Money mule scams. These scams are a variation on the 419 scams where a foreign prince asks you to hold money for him. All you have to do is wire him some first. But in this case you may actually get the money and be used as a tool of organized crime. A money mule illegally transfers money for someone in exchange for some of the take. Many law-abiding people get drawn into this crime while searching for jobs or romance, which is why your should stick to legitimate sites if you're seeking either of those things. Greed and the lure lottery winnings and inheritances is also used as a lure for potential victims. Trust is the most important thing on the internet. Anyone who trusts you too quickly with offers of money or love is probably scamming you. Cheers, Sandra [Image by epSos .de | Flickr]

June 24, 2015
Network, networking cable,

The U.S.'s Office of Personnel Management wants you to know that it thwarts 10 million hack attempts a month. But it just takes one successful breach to undo all that successful thwarting. And last year, OPM's network was breached by an attack it identified as coming from China. The government of China has denied any involvement but 4 million federal employees have been offered 18 months of credit report monitoring. "Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government," Brian Krebs wrote, in an excellent summation of the hack. As many as 14 million people who've worked for or attempted to work for the government may be affected. What kind of information did the hackers get access to? F-Secure's Chief Research Officer Mikko Hypponen tweeted this sample: Knowing which federal employees have admitted to illegal drug use could be pretty valuable information, especially if there's anyone who is actually honest about such behavior on these kinds of forms. That the U.S. government has had networks containing secret data infiltrated is obviously a huge problem. Especially disturbing is the news that the files weren't encrypted because the OPM's systems were too antiquated. (UPDATE: Apparently, encryption wouldn't have helped.) Some are calling this hack a "cyber Pearl Harbor" and wondering why the Obama Administration isn't retaliating more directly. But there's a perfectly clear reason why "cyber Pearl Harbor" is not an accurate description, as much as critics of President Obama and those in favor of cybersecurity laws like CISPA might like it to be. "Pearl Harbor metaphors should be restricted to war," F-Secure Security Advisor Sean Sullivan told me. "This is espionage, and so the use of it is hyperbole." Also, Pearl Harbor -- the famed "sneak attack" on the U.S. military installations by the Japanese that killed more than 2,5000 and drew America into World War II -- suggests an unprovoked attack by a state. It's unclear if this attack was entirely unprovoked or backed by a government. The U.S. has been accused of its own hacking and launching its own cyber attacks. The Snowden revelations include claims of "large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and individuals of other countries, including China." And those claims are backed up by substantial evidence, leaving the U.S. in an awkward position as it reckons with its own security failings and potential response, especially when attributing the sources of attacks is increasingly difficult. If nothing else, this attack shows that the U.S. government suffers from the same failings as many large corporations that have fallen prey to hacks in recent years. The costs of such breaches are escalating for businesses and states. Still it's important to keep perspective. Pear Harbor was an aberrational act of war that triggered a global reaction. The OPM hack is perhaps an unprecedented act of espionage when it comes to a breach of U.S. government networks. But unfortunately it doesn't seem indicative of something unusual, but rather an ominous hint of a new normal. [Image by Jonathan Briggs | Flickr]

June 16, 2015
keyboard

More sad hacking news. The password manager LastPass has recently suffered from an intrusion where some sensitive data got in the wrong hands. The incident didn’t, fortunately, leak any passwords directly. But some data that makes it easier to break the system leaked out. Intrusions happen all the time. But this incident is remarkable because it targeted the most holy of it all. The password manager that stores all the important passwords and can open the door to every system. It’s hard to imagine anything worse than a broken password manager. Isn’t it? But what can and should we do? Users of LastPass should change their master password promptly. But one question remains, is it a good idea to trust a password manager and put all the eggs in one basket? Some people are already telling us to only store the password database locally on our device. But that is clumsy as we need the passwords on many devices. Do we really have to dump cloud-based password managers? First of all. Yes, you should keep using a password manager. Don’t let this incident scare you. It enables you to use stronger passwords on every service, and still be on top of it. A password manager does increase your security. But it is a component that you need to select carefully to ensure it doesn’t become the weakest link. But what about cloud storage of the password database? Yes, storing this critical database in the cloud will introduce new risks, which was demonstrated in the LastPass case. But there is a way to eliminate these risks and still have the passwords available on all devices. The team behind F-Secure Key was very well aware of these risks and created a hybrid solution. This product does store your encrypted password database in the cloud, but not the keys needed to decrypt it. They are only handled on your own devices, never in the cloud. We are naturally still hardening all the involved systems to make server intrusions as unlikely as possible. But even if someone manages to break in, the cloud-stored data is incomplete. That’s a pretty reliable defense. So to conclude. Yes, keep using a password manager and worry less about compromised accounts and forgotten passwords. And if your choice is F-Secure Key, you can stop worrying about data leaks from the servers too.   Safe surfing, Micke   Image by Hochgeladen von Colin  

June 16, 2015
insured, business security, cartoon

This is the second in a series of posts about Cyber Defense that happened to real people in real life, costing very real money. Peter came into work thinking, “Today is gonna be boring as hell. I can’t wait till my shift ends”. He couldn’t have been more wrong. One terrible password “Policy 2014” would soon turn his insurance agency upside down. Peter had been working in a 24/7 security centre for a couple of years. He was an IT security specialist and he thought that he’d seen it all. This illusion was shattered when he picked up the phone. “We have a problem. We are losing clients!” he heard through the receiver. He kept listening, though he had no idea how this applied to him. “I think someone might have broken into our sales system! He calls our clients whose contracts are soon to expire. Just before we have a chance to do so ourselves”, the caller complained. The situation was beginning to look serious, and confusing. The system had recently been updated to boost security. At first, the staff who drafted offers for sales reps were accused of leaking the information. It had to be them. They had full access to the system. However, after close monitoring of the system, these suspicions proved to be unfounded. A lead was discovered by sheer coincidence: someone tried to log into the internal sales system using the account of an employee who was currently on holidays. The situation required immediate action. Peter had to identify the exact time and place the system was hacked into through sales reps’ accounts. For this purpose he used a Network Monitoring System of his own design. Unfortunately, it didn’t shed much light on the matter. The login location shifted each time he scanned the system. What is more, these locations were often miles away from each other! Then he started to think like a detective – he decided to lay some bait for the hacker. He created a fake profile for a client whose contract was about to expire. A sales rep was to call him in exactly five days. However, Peter entered his own phone number in the client’s profile details. It only took three days for the hacker to bite. After a two-minute phone call, everything became clear enough. It turned out that the mysterious hackers were in fact employees of a distributor with whom Peter’s company had entered into a contract for the sale of its insurance policies. These suspicions were only made more certain when it was discovered that the company had recently recorded an increase in its sales of insurance products through the distributor. The investigation revealed that an employee from the IT department had facilitated the hacking. He confessed, and revealed that temporary passwords to the sales system were always the same (“Policy 2014”) and that hardly anyone ever changed them – this was enough to obtain customer account data. Finally, the situation was brought under control. The sales system was secured and sales specialists were properly trained in data and password protection techniques. However, the company’s image suffered. Although much effort was made to keep the case confidential, many clients grew concerned about the safety of their personal data. Nevertheless, it was the sales personnel who suffered the most as their commissions dwindled. For the latest on business security, be sure to visit F-Secure's Business Insider.

June 12, 2015
travel, amalfi coast, digital safety, security

My wife had to remind me to look up from my smartphone. We were traveling on the one-lane coastal road that connects Sorrento with Italy's Amalfi coast. I looked down and saw the Li Galli islands, which according to local legend are where the sirens beckoned the hero of Homer's Odyssey into the rocks. In Naples, my iPhone had been my tour guide, allowing me to get pizza recommendations from my friend and then scout out when was the best time to eat, according to the reviews. It had brought us to the Museo Cappella Sansevero to see Veiled Christ and helped us chose a gelateria from the hundreds of options. And now I was plotting our visit to the beachfront town of Positano. If you're addicted to your mobile device or checking in online, you know it can improve or ruin your vacation. And missing a great view could be the least of your worries. You should look up from your phone occasionally, but you can stay connected and safe with a few precautions. 1. Lock your devices. You wouldn't leave post-it note with your PIN on your ATM card. So don't invite strangers into your phone to turn off your anti-theft app and start digging through your digital life. Use an unguessable passcode on all your devices and set your devices to lock. 2. Don't bank or shop on a public computer. Strange computers can have strange keyloggers or some other malware that could slurp up your information. (If you have to use a public computer to get on Facebook, for instance, use a one-time password.) 3. Clean up your phone. You hear lots of news reports about how gross and covered with bacteria our phones are. But the inside suffers from the same buildup of crap. "Phones and computers always store information about what you do. Internet browsers store a history," Security Advisor Sean Sullivan told us. "Apps create temporary files where they store stuff to help them run faster. A lot of apps and websites have passwords and contact information about you stored." Our free Booster app makes cleaning your device easy. 4. Assume you're being watched. What do using a ATM and logging into your MacBook Pro both say to crooks? I have money that you could take. While you're sightseeing, you become the sight criminals are seeing. You use a money belt to hold your passports, cash and credit cards -- or you should. So use the same caution whenever looking at a screen. 5. Practice safe Wi-Fi and use a VPN. If you're using someone else's Wi-Fi -- whether you're at a motel, coffee shop or a rental you booked through AirBnB -- it's someone else's Wi-Fi. Even five-star hotel network isn't 100 percent safe. So don't expect others to watch out for you. "You often have to choose between using free Wi-Fi hotspots or paying roaming charges to use your mobile connection," Sullivan said. "Using a VPN like Freedome gives you a secure funnel that lets you use public Wi-Fi connections without assuming the risks." 6. Before you go, store your important passwords and PIN codes in a safe location. Have you ever struggled with forgotten passwords or PIN codes after a relaxing summer break? Why not being a bit smarter this year, so store your passwords in a password manager, and they are there waiting for you when you come back. You can download F-Secure KEY for free for your iPhone, iPad or Android phone here. Cheers, Jason [Photo by Giuseppe Milo | Flickr]

June 10, 2015
drive-by downloads, stopping drive-by downloads, drive-by infections

Back before most of your smartphones were born, people used to install their own malware. This mostly happened through opening email attachments cloaked to hide the fact that it was malware. While this method is seeing a bit of a renaissance with some savvier delivery methods, people are far more aware that clicking on attachments they weren't expecting could unleash a digital nightmare. Online crooks. have adapted. They've figured out ways to avoid user precautions and install their malware for you... Meet the drive-by download. 1. F-Secure Labs has seen this sort of attack for more than half a decade. "The criminals' new preferred way of spreading malware is via drive-by downloads on the Web," Mikko Hypponen wrote in March of 2008. "These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site." By simply clicking on an email, a website or a pop-up window, you could be inviting rogue software in. If you hear a major site was serving up malware through bad ads, chances are a drive-by download was involved. It's been used to get PCs "stoned", has evolved into a mobile threat and was the method used to spread the largest Mac threat ever -- Flashback. It's even utilized by the FinFisher attack tools marketed for use by governments and law enforcement. 2. It takes a village (or at least an infrastructure) to make it work. "The threat is an ecosystem – there are lots of players," Security Advisor Sean Sullivan explained. "For example, the bank robber somehow buys a list of email addresses and would then hire a spammer who spams, and the spam links to the hired exploit kit vendor who drops a trojan-downloader (which was bought from some other vendor), and then the trojan-downloader downloads and installs the bank robber’s trojan (which is also likely based on a kit, such as ZeuS)." 3. It may be smarter than your anti-virus. This threat is engineered to get around your security software and any security training that you have. Keeping all your software updated all the time is a necessary precaution. But these attacks tend to involve exploit kits that could target any and all vulnerabilities. Make sure your security software uses multiple methods to protect against both known and unknown threats. Timo Hirvonen -- keeper of F-Secure's nearly mystical Deepguard -- told me, "It’s a prime example of a threat where all our protection layers contribute to protecting the user." Cheers, Jason  

June 5, 2015