Don’t do it – not even in a virtual world

Hannu Ahola has an interesting story to tell.

His story takes place in a virtual world that many of us who are too busy in the real world never visit. Hannu is an active player of an online role-playing game called World of Warcraft. What is he doing then when he is “playing”? In the World of Warcraft, players from all over the world buy accounts and create characters. By accomplishing different missions, these characters gain skills and virtual wealth that other players envy.

So, when does the game end? Never – much to the relief of its 11 million active players.

Hannu’s story started about 4 years ago. His friends were urging him to play World of Warcraft. At first, he was not interested. But after a little convincing, he bought an account from an acquaintance, which turned out to be mistake.  But Hannu didn’t know that yet.

He found himself spending more and more time playing. He estimates that during those first two years he played 8-10 hours per day. Every day. The result was an impressive character that accumulated a substantial amount of wealth and talents. The character was so good that people might have been willing to pay real world money for it.

And this fact did not escape the acquaintance who originally owned the account. Using the original account information, this 18-year old boy was able to take control of Hannu’s character and the virtual wealth Hannu had been building for years. And it seemed that there was nothing Hannu could do about it.

Most of us have trouble understanding this kind of loss. Hannu explained it to me: “What if you had collected stamps passionately for 2 years. You had put all your spare time into it and then someone took it away. How would that make you feel?”

After he figured out that it was his acquaintance who stole his character, Hannu contacted the boy – who promptly ignored him. He then contacted the boy’s mother but got no help.

Stealing is punishable in the real world, but did not seem to matter in the virtual world. Except to Hannu. He hired a lawyer and took the issue to court.

After a 1,5 year battle, the young boy was sentenced to pay Hannu 4000 euros for the character Hannu finally never got back. But Hannu had won the moral battle: there are limits to what you can do in the virtual world. Hannu’s case represents the first time that a real world court in Finland dealt with a matter related to virtual worlds, and I have the feeling there’s more to come.

(For more about Hannu and the value of virtual world commodities, check out Sean from the F-Secure Labs on “What is a World of Warcraft Account Worth?“)

The boundaries between virtual worlds and the real world are blurring. World of Warcraft accounts get phished all the time. Children are bullied in virtual worlds. In China, even murders have been committed because of  virtual world events. But they also provide a lot of opportunities for enjoyment and self-expression – as long as we obey the law. And for that to happen, we’re going to need a lot more people like Hannu.

So good job, my friend!

Cheers,
Marja

More posts from this topic

groupmeeting

Why You May Want to Disable Location Services for Facebook

When news broke that Facebook was at least temporarily using users physical location to suggest real world connections, a strategy that has been employed by the NSA, the backlash was sharp.  It wasn't difficult to imagine scenarios when identities could be inadvertently and uncomfortably revealed through group therapy, 12-step meetings or secretive political movements. The world's most popular social network quickly said it would not continue what it called a small-scale test nor roll the feature on a wider scale in the future. But Facebook is still using your location data for other purposes, Fusion's Kashmir Hill reports: We do know that Facebook is using smartphone location for other things, such as tracking which stores you go to and geotargeting you with ads, but the social network now says it’s not using smartphone location to identify people you’ve been physically proximate to. Hill notes that using location to match users up, thus acting as a tool to reveal the identity of nearby strangers, might violate Facebook's agreement with the Federal Trade Commission . So you should expect that your location -- like everything you do on Facebook -- is being used to turn you into a better product for its advertisers. That's the cost of using a "free" site but you can limit your exposure a bit by turning off location services for Facebook on your phone. Here's very simple instructions for turning off location services on your Facebook and Facebook Messenger apps on your Android of iOS device. Do you mind if Facebook uses your location to suggest new friends? Let us know in the comments. [Image by Lwp Kommunikáció | Flickr]

June 30, 2016
Porn blog post image

4 People who can see what Porn you Watch, and 4 Tips to Stop it

In the grand scheme of things, there certainly are more important facets to online privacy than keeping one’s porn habits private (government overreach, identity theft, credit card fraud to name a few). However, adult browsing histories are one of the secrets in their online lives people want to protect the most, so it might be disconcerting to know that porn browsing is not as private as one might think. A large majority of web users are lulled into a false sense of security by incognito mode or private browsing, but this is only one of the steps needed toward becoming private online. Here are a few people who have access to this info, along  with a few easy tips that can be taken to prevent this from happening. 1. Anyone on the same hotspot No one is suggesting you should watch porn at your local coffee shop (in fact, please don’t). However, what people surf in places like the privacy of their hotel room should probably stay there. With that in mind, the following statement might be more than a little disconcerting: What you do on Wi-Fi can be usually be seen by pretty much anyone connected to that hotspot. It doesn't require great hacking skills to see what other people connected to the same network are doing. Only traffic on encrypted websites starting with https is always secure, and almost no adult sites fall under this category. 2. Foreign web service providers When traveling, it's easy to forget that what might be culturally acceptable in one country can land you in hot water with the authorities in another. Whether on public Wi-Fi or roaming on the network of a foreign internet service provider, they may be bound by law to report anyone surfing adult material. The personal freedom we enjoy to surf anything we want online is so second nature to many of us by now, we easily forget the same isn't true for others. 3. Analytics and advertisers (often one and the same) It might not bee too surprising to hear that most companies aren't exactly jumping at the chance to be associated with adult websites. For this reason, networks that serve ads to adult websites don't serve ads to "normal" websites, making porn sites mostly self-contained when it comes to using your private information for advertising purposes. Unfortunately, your adult browsing can still be connected to you. Many adult websites implement analytic services, as well as "like" and "share" buttons, that feed into major advertisers such as Google and Facebook. 4. Your employer (in the U.S. and many other countries) Now, we are DEFINITELY not suggesting you watch naughty stuff at work. I mean, they call it NSFW for a reason. However, that doesn’t change the fact that in some countries, companies have an uncomfortable amount of rights to spy on their workers. It’s natural that employers don’t want their workers doing anything illegal, but you still have a right to privacy, even on a work network. What are your options? So what can you do to prevent privacy intrusions? The first and most obvious choice is to not supply any personal information to adult websites. A lot of porn sites require registration in order to comment on videos (if that's your thing) or to view content in higher quality. Keeping a separate email address for adult websites is therefore highly recommended. The other obvious choice is to always have private browsing on, as this prevents cookie-based tracking and embarrassing browsing histories from being saved on your computer. A slightly more technical but still very easy tip is to disable JavaScript from your browser settings while surfing adult websites. A lot of websites don't function without JavaScript, but all the adult websites we tried for research purposes work just fine. JavaScript makes it much easier  to do something called device fingerprinting. This frustratingly intrusive method of snooping involves the use of scripts to identify your computer based on variables such as your screen size, operating system and number of installed fonts. It might not seem like it, but there are enough variables to make most devices in the world completely unique. But the simplest and most efficient method of controlling your privacy is to use a VPN. A VPN (virtual private network) encrypts all your traffic, meaning no one is able to intercept it and see what sites you visit or what you download. It also hides your real IP address, the unique number which can easily be used to identify you online. A top-tier VPN like Freedome also contains extra features like anti-tracking to stop advertising networks from identifying you, and malware protection to automatically block webpages that contain malicious code. The app is easy to use, and available on most platforms. Online privacy is not a difficult or expensive  goal to achieve, and by following these few steps you will be able to surf what you want without worry.

June 13, 2016
BY 
Could the Sony and Hacking Team hacks have been detected sooner?

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo: Getty Images

May 31, 2016
BY