1. Know what you’re getting into
Facebook is a business. It exists to take your online activity and turn it into revenue. Facebook will always be free. But there is a cost. You’re paying by being exposed to advertising and allowing limited disclosure of your online activity.
So here’s a short version: basically everything you post, every person you friend, every group you join will be made public to your “friends”, “friends of your friends” or “everyone”—depending on your privacy settings.
To you this may be simple. You assume that everything you’ve posted could be available to the whole world. Others are still learning. People have lost their jobs as a result of things they’ve posted on Facebook. And when this happens, the newly unemployed person will usually claim that s/he thought that the post was private.
And, more importantly, you have to trust yourself to share the right things.
On Facebook, you are exposing your private life in ways you may not even realize. 79% of companies review an applicant’s online information (which is completely illegal in Finland but acceptable in most of the world). Your financial future could depend on how well your profile and your photos and friends list represent you. So think before you post—always.
2. Secure your PC
What does 500,000,000 people on one website look like? To cybercriminals, it looks like a gigantic, unsecured goldmine.
Online gangs and scammers are working twenty-four hours a day to exploit the trust we have for our online friends. Updated Internet security is a must before you use Facebook or any social site. In addition, you have to make certain that your PC is updated with the most recent application system software, which can be time-consuming. F-Secure’s free Health Check makes that easy.
3. Use a unique, strong password
‘Password’ is not a good password. Neither is ‘123456’ or your pet’s name or your name any information that is available publicly on your Facebook profile.
Creating a strong, complex password that you can remember is the key to keeping strangers out of your account. Here’s a simple password system we recommend. You should also use different passwords for your all of your various accounts, especially your email accounts, to keep one hack from becoming a total nightmare.
For extra protection, never let browser remember your password, and lock your PC when you step away from it—especially if you’re living with young children and/or parents and/or anyone, really.
4. Filter your friends
Facebook works overtime to connect you with as many people possible. When you first join, the site combs through your email account to suggest as many people as possible. Then as you use the site it will suggest more email contacts. Email someone new and Facebook will suggest that you become friends.
Run out of contacts, you’ll see friends of friends, brands you might like, your ex.
It’s a strange social dynamic. When see the person’s picture, it feels like this person wants to be your friend. But who knows? All you can be sure of is that Facebook wants you to be friends.
So ask yourself this: Does everyone you email need to be your Facebook friend?
Some people have found that their best friends in the real world make lousy Facebook friends. There are a lot of people who can find you who may not like reconnecting with. According to a recent survey, 70% of Facebook users avoided becoming friends with their bosses.
Maybe you want to limit Facebook to your friends and family and leave professional connections to Twitter and LinkedIn. There’s no perfect formula, but it’s important to have some filter, some limit on what you share with whom. How do you say no when someone you don’t want to offend makes a friend request? Facebook makes this easy. You can just ‘ignore’ the request. That’s a nice way to frame it!
Want to stop Facebook from combing through your email contacts? You can remove your contacts by clicking here. But if you’re using a Facebook app on your phone, first you’ll have to disable the Facebook synchronization feature on your phone.
Want to stop Facebook from suggesting you as a friend to others? Go to “Privacy Settings” click on “Settings” for “Basic Directory Information”. When you get there, set “Search for me on Facebook” to “Friends Only”.
Always remember this: If anyone solicits you directly about money, assume it’s a scam. Ignore and defriend that profile immediately. An easy way to defriend someone is to go to their profile and scroll down the left column until you find “Remove from Friends”.
5. Click carefully
The biggest dangers on Facebook are the links that appear on your wall. With one bad click, you could end up on a site that attempts to serve you malware or scam you using phishing tactics. One, bad ‘like’ and you could end up spamming all of your friends. That’s why you have to remember that links are not your friends.
The most popular Facebook scams involve gift cards and hilarious videos and diet advice. So far most attacks on the site have been more annoying than harmful. But without vigilance, you can be sure that vicious scams and malware are heading your way.
The best antidote to bad links is Internet security with browsing protection. You can double-check any link before you click it by copying it (right-click on it in Windows) and pasting it into F-Secure’s free Browsing Protection.
Prevention is your best cure. Realize the more sensational or strange or generic a link is, the more likely it is to be malicious. Again, links are not your friends. Apply the same caution you’ve learned to use when you’re checking email to checking Facebook. And just because your friend or family linked something, doesn’t mean you have to click on it.
6. Don’t rely on Facebook to protect your privacy
The whole point of Facebook is to “connect and share with the people in your life.” But there’s a point, for nearly everyone, where all the connecting and sharing can be too much—especially as your information becomes increasingly available to people who aren’t necessarily “in your life.”
So whenever you use Facebook, you have to ask yourself two things: Who do I want to see what I’m doing? And how would I feel if the whole world saw this?
There’s no technical tool to stop your friends from sharing your information. But Facebook does offer you the tools to control who sees your activity. That’s why you need to get to know your privacy settings.
Start at “Account”> “Privacy Settings”. Then click on “Settings” for “Basic Directory Information” . This is where you decide who can find you and what they’ll see when they do.
You get to decide. How easy do you want to make it to find you on Facebook? Which is more important to you: privacy or connection.
If you’re more interested in connection, select “Everyone” for the top three settings “Search for me on Facebook”, “Send me a friend request” and “Send me a message”. Then consider making all the other settings “Friends Only”. This will encourage people to become your friend, and it gives you more power over your information.
Next you can click back to “Privacy Settings” and set how you share on Facebook.
You can go with the preset options or customize each category individually.
Your safest bet is “Friends Only.” You may want to want to open your activity to “Friends of Friends”; however, there is certain information that you should not make available to “Everyone”. This includes your birthday, your email address and IM, your phone number and address, political and religious beliefs and your family and relationships.
Why? All of this information may be public somewhere else, like a phone book, but you’re simply making too much identifiable information public in one easily accessible place. There may not be enough there for true identity theft, but you are giving a stranger enough information to pose as you online convincingly, which could be a problem if some potential employer or date is checking out your online presence.
You may also want to uncheck the box that says “Let friends of people tagged in my photos and posts see them.” This way you won’t unintentionally draw attention to an image one of your friends may not want others to see.
If you’re very interested in your privacy, you should continue and edit your Application and Website Settings.
Here you should do two things. 1) Remove any applications you aren’t using. 2) Click on “Turn off all platform applications”. Then you can select which applications you don’t ever want to show up on your wall ever again. That’s right. You can say goodbye to FarmVille forever, if you want to.
You can also turn off all platform applications, which will keep your friends from automatically sharing your information with the applications they’re using. Not a bad idea.
Next you can click on “Game and application activity”. Click “Customize” and select “Only Me” to keep all of your Game and application activity to yourself, which is a good idea if you’re friends with people (read: co-workers) who may judge how you spend your time.
After that, take a look at “Info accessible through your friends”. Here you’ll see all the information that is available to the applications your friends decide to use. That’s right, your friends share all this information automatically with the applications they use.
Once you see that screen, you may want to go back to “Turn off all platform applications”. Why not turn it off until you have a good reason to turn it on?
So what does Instant Personalization do? It shares your information with three Facebook partner sites: Docs, Yelp and Pandora. Could more partners be added? Yes. Could you just opt out of one or two? Yes. Just click on Docs, Yelp or Pandora and then click on “Block Application.”
Again, unless you know you want to share information with these sites, it’s a good idea to opt out for now.
If you made it this far, you will be rewarded. We are now at, perhaps, the most important Facebook privacy setting: “Public Search”.
You probably heard how recently the information of over 100 million Facebook users was made available for download. All of that information was public before a security researcher took it and turned it into one downloadable file. Those 100 million Facebook users probably had enabled public search.
This is where get to decide if the whole world can find your Facebook profile and information. With one click, your profile could become the top result of a Google search for your name. If you want to avoid disclosure of your information to the world, you may want to start by limiting who can search for you. I recommend that you do not click the box to “Enable public search”.
So those are the tools Facebook gives you to protect your information. They’re complex, and that’s probably on purpose. Facebook is not shy about encouraging it’s users to share and share and share. That’s why you have to remember that Facebook (and your friends) can’t share anything you don’t post to the site.
So be careful not to post anything that can be used against you. This includes travel plans and itineraries, complaints about bosses, co-workers and customers, company secrets, threats… Has anyone actually had a home robbed after posting plans on Facebook? Yes, indeed.
There are a million things you shouldn’t post. And you are the only person who can decide what you SHOULD share with Facebook and the world. So choose wisely.
Bonus tip: Use Facebook’s one true security feature
Facebook’s one true security feature is simple but powerful. Facebook will inform you anytime any new device accesses your account. That means if some PC or smartphone you’ve never used before logs into your account, Facebook will email you.
To turn this feature on, go to “Account Settings”. Then select “Account Security”.
Just click “Yes ” and then “Submit”.
Now, what do you do if you find out that someone beside you accessed your account? Change your password immediately. On the “Account Settings” page find “Password” and click “change”.
OK. That’s all I know about making Facebook safer a place for you and your friends. For ongoing tips you can follow F-Secure on Facebook. Do you have any tips to add?
Many of you have seen them. And some of you have no doubt been victims too. Malware spreading through social media sites, like Facebook, is definitively something you should look out for. You know those posts. You raise your eyebrows when old Aunt Sophie suddenly shares a pornographic video with all her friends. You had no idea she was into that kind of stuff! Well, she isn’t (necessary). She’s just got infected with a special kind of malware called a social bot. So what’s going on here? You might feel tempted to check what “Aunt Sophie” really shared with you. But unfortunately your computer isn’t set up properly to watch the video. It lacks some kind of video thingy that need to be installed. Luckily it is easy to fix, you just click the provided link and approve the installation. And you are ready to dive into Aunt Sophie’s stuff. Yes, you probably already figured out where this is going. The social bots are excellent examples of how technology and social tricks can work together. The actual malware is naturally the “video thingy” that people are tricked to install. To be more precise, it’s usually an extension to your browser. And it’s often masqueraded as a video codec, that is a module that understands and can show a certain video format. Once installed, these extensions run in your browser with access to your social media accounts. And your friends start to receive juicy videos from you. There are several significant social engineering tricks involved here. First you are presented with content that people want to see. Juicy things like porn or exposed celebrities always work well. But it may actually be anything, from breaking news to cute animals. The content also feels safer and more trustworthy because it seems to come from one of your friends. The final trick is to masquerade the malware as a necessary system component. Well, when you want to see the video, then nothing stops you from viewing it. Right? It’s so easy to tell people to never accept this kind of additional software. But in reality it’s harder than that. Our technological environment is very heterogeneous and there’s content that devices can’t display out of the box. So we need to install some extensions. Not to talk about the numerous video formats out there. Hand on heart, how many of you can list the video formats your computer currently supports? And which significant formats aren’t supported? A more practical piece of advice is to only approve extensions when viewing content from a reliable source. And we have learned that Facebook isn’t one. On the other hand, you might open a video on a newspaper or magazine that you frequently visit, and this triggers a request to install a module. This is usually safe because you initiated the video viewing from a service that shouldn’t have malicious intents. But what if you already are “Aunt Sophie” and people are calling about your strange posts? Good first aid is going to our On-line Scanner. That’s a quick way to check your system for malware. A more sustainable solution is our F-Secure SAFE. Ok, finally the poll. How do you react when suddenly told that you need to download and install software to view a video? Be honest, how did you deal with this before reading this blog? [polldaddy poll=9394383] Safe surfing, Micke Image: Facebook.com screenshot
Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios. Safe surfing, Micke Photo by etnyk under CC
We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of. "Back to the Future" banner image courtesy of Garry Knight, flickr.com