How to protect your data privacy on social networks

Studies have said public speaking makes as many as 3 out of 4 people anxious. But that was before Facebook.

The 650 million people on Facebook suggest that most of us are getting over—or want to get over—that fear of communicating (or at least sharing pictures) in public. In just a few years, Twitter, YouTube and Facebook have given billions of people the chance to connect to an audience they would never had access to before.

But now that you’re becoming comfortable in public, you may begin to wonder: Am I revealing too much? In a world with the NSA, TMZ and Wikileaks, do I have any privacy? Is it possible to be a public person and still protect my information from being misused?

Friday January 28 is Data Privacy Day 2011, an international celebration of the dignity of the individual represented through personal information. Protecting your irreplaceable data is our mission and we take this mission very seriously. (Here is F-Secure’s Privacy Policy.)

The risks

The more visible, attractive or rich you are, the more you’re a target for the haters, the stalkers and online criminals of the 21st century. Heck, if you have a credit card, you’re a target for both the online criminals and unscrupulous marketers of the world.

Sharing personal information in an age where data can travel faster than lightning requires a 21st century view of data privacy. Some think it’s vain to worry about privacy. But don’t think about your ego, think about social engineering.

Wiktionary describes social engineering as “The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection.” Criminals have discovered that human error is the easiest vulnerability to exploit. If you’re not careful, your private data (or even public data) can be used to fool you into making mistakes that even your award-winning Internet Security can’t prevent.

Ignorance may be bliss, but it’s not an excuse. Once your private data is stolen, you’ll have to deal with the consequences. The good news is that you can do a lot to make your data more secure

My nephew once told me, “Facebook is so easy that even old people can use it.” And by old people, he meant me.

I agree with my nephew. Most people who use social media don’t suffer significant negative consequences for doing so—or there wouldn’t be millions of new people trying it every day. Stories of people being fired or arrested for what they’ve done on Facebook are rare. But they get lots of attention because Facebook is the superstar everyone knows.

Only a small percentage of those on social media fall victim to the worst of identity theft, malware or scams. And that’s still too many people suffering needlessly—especially because most of these scourges are avoidable.

The lessons

If you learned to manage the benefits and risks of email, you can do the same for social media. Here a few things you can do to help keep your private data private.

1. Decide why you’re social networking.
For some, social networking is an extension of your private life. You mostly interact with people you know or would like to know in the real world. The main topics of conversation are personal. Even when you delve into entertainment or politics or sports, it’s about sharing opinions to have fun and connect. Intimacy is the goal so private things are often shared nonchalantly. For instance, you might reveal what you did on a day when you played hooky from school or work.

For others, social networking is like interacting at a conference. You’re seeking out people in your industry or whom you admire. Conversation is like a cocktail party—being interesting and on-topic matters. When you talk about entertainment or politics or sports, it’s a way to network and establish trust. You want people to feel like they know you, but getting too personal too fast raises red flags. For instance, you may reveal what you did on your vacation but only in a way that you wouldn’t mind your boss reading.

For a growing number of people, social network is a chance to build a little fame or fortune. You’re looking for an audience who trusts and enjoys you to the point you might even sell them things. You converse with fellow influencers and friends but you also broadcast for a targeted or general audience. When you talk about entertainment or politics or sports, you’re entertaining or engaging an audience while establishing expertise. You may share extremely private details or never talk about your personal life. Either way, you’re establishing a persona that’s relatable to the audience you’re trying to attract. For instance, you may reveal a joke a well-known person shared with you.

By the time you’re out of college for a few years, most people have tried out some variation of each of these approaches to social media. And your approach definitely affects your data security.

The rule is: the bigger the audience you seek, the more you have to think about the information you share.

All of us have to protect our ID, account and phone numbers, our address and our Mother’s maiden name. But if you’re an aspiring Disney star or class president, you have to think about which pictures you take—since you know they’ll all be posted eventually. And George Clooney probably shouldn’t use Foursquare to share his location unless he wants to spend his day shaking hands or filing restraining orders.

We all need to be cautious about sharing details that can be used to scam us. If you achieve, or accidentally achieve, fame, your privacy will become even more precious. So if you want to be internet famous, you need to be savvy about which information you share online—or you’ll have to hire people who are.

2. Secure your systems
Don’t use the default password for your voicemail or anything. Use strong, unique passwords for all your accounts. Don’t use work email addresses or passwords for social accounts. Put security software on your PC and your mobile device, if possible. Password protect your Wi-Fi networks. Turn on secure browsing on Facebook. Put a remote lock on your mobile phone. Always lock your PC and mobile devices when you aren’t using them. Keep your system and application software updated. (Our free Health Check makes that easy.) Turn off GPS on your phone and pictures if you don’t want strangers to know your location.

3. Choose services you trust
Any store, service or site that has your data, should have a privacy policy. A key feature of a good privacy policy is that your data will not be shared or sold. By 2011, most reputable online businesses have privacy policies that make that basic promise. But in addition to privacy also have to trust that any organization you trust with your data had security that won’t be compromised. Quality can have a price. If privacy is more important to you than cost, you can buy dedicated email services that won’t serve you ads. Regardless if they charge or not, you should only use reputable online services you trust. Before you enter any data into any website, think, “Do I trust this organization?” If there’s any doubt, ask others what they think.

4. On a social network, your information could be shared with everyone– no matter what your privacy settings are.
Twitter is simple. There are two privacy settings: everyone or “Protect my tweets”. But even if you go with the protected option, your approved followers can still retweet your information to everyone. Facebook’s privacy settings are much more complex. They’re so complex that it almost feels like you should get college credits for really using them. Going with “Friends Only” is a good start, then you have to decide if you want your page on Google (if you don’t want your Facebook page to show up on Google, go to Account > Privacy Settings > Apps and Websites: Edit your settings > Public Search: Edit Settings > Uncheck Enable public search)  and if you want to automatically share your information with other websites.

The safest rule is: get your settings right and still assume that what you post could go public so only share information you wouldn’t mind a future boss (or fan) seeing. NEVER share information that could be used to crack your passwords. Also keep in mind that the information you’re sharing that could be used by identity thieves and social engineers.

5. Be available or don’t
There is a difference between following and friending people. You can follow a lot of people but our brains can only handle around 130 friends. Rejecting or ignoring friend requests can be emotionally difficult, but your privacy is more important than others’ feelings. I say follow anyone on Twitter but on Facebook I’d recommend only befriending people you know or trust. And realize that the person is your friend, not their links. If anyone begins to spam you, let them know the problem. If they keep spamming, unfriend them. If anyone harasses you at all, block their communication. If you’re threatened, contact law enforcement.

You have the right to keep your private data secure while living your digital life to the fullest. All you have to do is respect your own data privacy and do your best to make sure that the people and businesses you interact with do the same.

Cheers,
Jason

CC image by Sudhamshu Hebbar

More posts from this topic

5588953445_51dcf922aa_o_crop

Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
BY 
going back in time with macro malware

Hack to the Future: The Return of Macro Malware

We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of.   "Back to the Future" banner image courtesy of Garry Knight, flickr.com

March 15, 2016
BY 
travel pics

What bloggers need to know about cyber security

So you sit down at a coffee shop in Thailand or Belgium or São Paulo to upload your photos for you next post. You coffee is properly sugared and milked and your tablet passcode is entered.Now you've got the Wi-Fi network selected and you're heading into your Gmail. Before you get halfway into your coffee, someone has stolen your Amazon credentials, reset your password and ordered some Happy Socks using your credit card. You’ve been hacked and you’re lucky.  As a travel blogger, your blog is your business. If you’d logged in, your precious photos and the site you’ve spent years building up could have been trashed or infected with malware. All a criminal would need is your username and password—and if your password is weak enough, your username is all that’s needed to take over your site. In the worst case scenario, the banking credentials lingering in your browser could be used to access your account. Anyone who gets online – especially through public Wi-Fi – has to take basic precautions when it comes to security. But bloggers have more at risk than most of us. That’s why we invited about a dozen of the best local travel bloggers we could find to F-Secure headquarters to demonstrate how easy it is to be hacked, if you don’t take basic precautions. After our Chief Research Officer Mikko Hypponen explained how easy it is for “white hat” or good guy hackers poke around in the computers of banks and cars, Anssi from the F-Secure labs demonstrated how easy it was to hack from a Gmail account to free Happy Socks on me as I used a tablet. You could see in the bloggers eyes the realization of how many times they could have been hacked and all of the information their browser could expose about them. And when they learned about the growing threat of ransomware, which could take all of their precious media hostage, I thought some of them might faint. To put them on the right track, we emphasized the importance of strong passwords, running updated system and security software like SAFE and using a VPN like Freedome every time they connect to an open network. Do you really want to do your banking over open Wi-Fi in thousands of miles away from home without protection? It’s a message we hope they’ll spread – along with their beautiful photographs and unique travel advice.

March 13, 2016
BY