First of all, if you haven’t done it yet, please take this quick quiz to find out if you’re smarter than the guy in the video below. (After you complete the quiz, you can enter to win an Xbox 360 and a Kinect.)
Now that you’ve taken the quiz and know how much smarter you are than John, here’s a quick review of why you shouldn’t do anything John does online.
1. Use unique, strong passwords for all of your important accounts.
John uses the same password for every account. That means if a hacker gets a hold of John’s Twitter password, that hacker would have access to every account John uses at work or at home. Creating and remembering unique, strong passwords is a must for your most important accounts. This system for creating and remembering strong passwords makes it easy.
2. Keep your computer’s software patched and protected.
You probably know which operating system you’re running. John doesn’t. He thinks it’s the one with the “windows.” A PC or a Mac running the latest versions of Windows 7 or OS X is probably as safe as any PC since the birth of the virus. However, if your OS and your applications aren’t patched you may be vulnerable to the kind of attacks John has to deal with on a daily if not hourly basis. Checking all of your applications for updates on a regular basis can be time-consuming. Our free Health Check makes it easy.
3. Realize that you’re vulnerable when you’re on an open Wi-Fi network.
When you use an open Wi-Fi network, the data you enter is only encrypted on secure pages, which start with https. Banks and credit card companies encrypt their sites; however, not all web email is encrypted. If you’ve ever emailed passwords or personal information, it could be accessible to a hacker. On an unsecured Wi-Fi network, you could get sidejacked by someone using a tool like Firesheep. Using the session cookies your browser sends, a hacker can easily pretend she or he is you.
If you have to check your email or get on a social network and you only have open Wi-Fi, make sure you are using a secured session.
How to Secure Sessions
A virtual personal network is the best way to defend yourself from any snoopers. Most large companies insist on their employees using a VPN while doing any business over a wireless network. That’s a strategy John would never follow, but you should, especially if you make purchases or work with confidential information while on public Wi-Fi. Here are some strong VPN options for you to consider.
If you use Firefox, you can use HTTPS Everywhere by The Tor Project and the Electronic Frontier Foundation, which will encrypt your communications on several major websites.
You can secure any Twitter session by typing an “s” after the http in the browser bar. If you click here, you’ll go to https://twitter.com and your session will remain secure until you log out.
This feature is still being rolled out to some users. And it is not entirely secure.
You can activate secured browsing by logging in. Then go to Account> Account Settings> Under “Account Security”, check the box for “Browse Facebook on a secure connection (https) whenever possible”.
PLEASE NOTE: If you use an app, any Facebook app, you’ll get a warning that you are now entering unsecured browsing.
If you continue on to unsecured browsing, your session is now unsecured and you are vulnerable to a sidejacking attack. You will have to return to the same setting when you are done with the app to enable secured browsing again.
John was recently sidejacked by a friend who posted a hilarious Photoshop of John in the bathtub. Too bad it happened on a day when the HR department of a company that was about to hire John checked out his profile.
Log in and go to the “Options” wheel in the uppermost right corner.
Select “Mail settings”.
Under “Browser connection”, select “Always use https”.
Go to https://account.live.com/ManageSSL and log in if you have to.
Select “Use HTTPS automatically (please see the note above)”. And check out the note for the exceptions, of course.
4. Check to make sure a site is legitimate and secure before you make a purchase.
John will buy anything from any site. He bought his Snuggie from a website that had more pop-ups than the old AOL. Don’t be like John. Stick to online stores with good reputations. When you try out a new retailer, do a quick search for customer feedback. If you are still unsure, save yourself the trouble and money. Even if you trust a site, always check the URL of the page for two things before submitting your credit card number: 1) Is it a secured https page that will encrypt your information? 2) Am I really on the site I meant to be on? Try to use one credit card for all your online shopping and check the activity on that account often. Check out these safe shopping tips.
5. Don’t be afraid to reject or ignore a Facebook friend request.
On Facebook, one wrong click and you could end up spamming your friends with something that will definitely waste their time and possibly your money. The best way to avoid becoming a victim or perpetrator of spam is to eliminate spam from your news feed. This requires you only friending people who are careful where they click. John, of course, lets spammers go on spamming as he adds more and more friends. You, however, should be careful who you add. If a friend shares some spam, inform them in a friendly way that they may have made a mistake. If it keeps happening, unfriend her or him.
Something else to remember: If you wouldn’t tell someone in person that you’re going to be out of town, don’t use Facebook to do so. If your Privacy Settings are set to “Friends of Friends”, you could be sharing your travel plans with thousands of people when you post them on Facebook. Before you post anything, ask yourself, “Would I be okay if all the friends of my friends’ friends knew this?” If your friends are anything like the average Facebook user, you could be thinking about more than a million people. (The average Facebook user has 120 friends. 120 X 120 X 120 = 1,728,000 friends you could be sharing with.)
6. Never use a password that is in the dictionary or could be guessed by a friend.
We’re back to passwords again because they can tend to be a weak link in many users’ security. And this weak link can be easily strengthened. The number of people who use “password” or their first name to secure their accounts is mind-blowing. Even John wouldn’t be that silly. It’s just as silly to use any word in the dictionary. Why? Because when a hacker uses a program to figure out your password, what do you think it tries first? Your passwords have to be unique and complex. They should also not be anything that could be guessed by a friend. If someone you know can guess your password, a stranger might be able to do the same thing by studying your Facebook profile.
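Tips 1 and 6 boil down to a checklist a password has to pass: not a dictionary word (even in “leet” spelling with digits tacked on), not something a friend could guess from your profile, and complex. The checker below is an added example written for this page, not a tool from F-Secure; the 12-character and three-character-class thresholds, the tiny word list and the sample profile are all constructed assumptions standing in for a real dictionary and leaked-password list.

```python
import re

# Constructed, deliberately small stand-in for the word lists a
# password-guessing program tries first (assumption: a real check would
# load a full dictionary plus a leaked-password list).
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey", "sunshine",
    "football", "qwerty", "iloveyou", "princess",
}

# Substitutions a guessing program undoes, so "P@ssw0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols like '2011!', then undo leet."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)

def profile_tokens(profile: dict) -> set:
    """Words anyone reading a public profile could guess from (name, year, pet...)."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s\-/.,]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    return tokens

def password_problems(password: str, profile: dict) -> list:
    """Return the reasons a password fails the checklist (empty list = passes)."""
    problems = []
    raw, core = password.lower(), normalize(password)
    if len(password) < 12:                      # assumed minimum length
        problems.append("shorter than 12 characters")
    if core in COMMON_WORDS or any(w in core for w in COMMON_WORDS if len(w) >= 6):
        problems.append(f"dictionary word: {core!r}")
    for token in sorted(profile_tokens(profile)):
        if token in raw or token in core:
            problems.append(f"guessable from profile: {token!r}")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    if sum(1 for p in classes if re.search(p, password)) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems

if __name__ == "__main__":
    # Constructed sample profile: the kind of facts a friend already knows.
    profile = {"name": "John Smith", "birthday": "1985-07-14", "pet": "Rex"}
    for candidate in ("password", "P@ssw0rd2011!", "JohnSmith1985!", "correct-horse-battery-staple9"):
        print(f"{candidate!r}: {password_problems(candidate, profile) or 'OK'}")
```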
7. Keep an eye out for Phishing Scams, even when you’re on your phone.
A Phishing Scam is a sneaky attempt to get you to turn over your financial data to criminals. That’s right: crooks have found that Internet users, like John, will occasionally just hand over the account information needed to commit credit card fraud. All they have to do is pretend to be a trustworthy site with official-looking graphics, and people fill in the forms and click submit. The best way to avoid Phishing scams is to check the URL of the webpage you are on to make certain it is on the domain of the bank or institution you think it is. Also, be skeptical of any email that contacts you asking you to change your password. If you’re ever in doubt, contact the institution directly. All of your accounts have value to a scammer, so keep in mind that you can even be phished for your Facebook account—and even when you’re on your phone. That’s why our Mobile Security blocks such scams.
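Tips 4 and 7 both come down to the same two questions about the address bar: is this an https page, and is the host really the domain I think it is? The function below is an added example written for this page (not F-Secure code) that answers both for a given URL and expected domain; the sample addresses are constructed, and the extra checks for a “user@” prefix, a bare IP address and a punycode (“xn--”) label are assumptions about what a look-alike address tends to contain.

```python
import re
from urllib.parse import urlsplit

def check_checkout_url(url: str, expected_domain: str) -> list:
    """Return the reasons this page fails the two checks (empty list = passes).

    expected_domain is the site you meant to be on, e.g. "example.com";
    any subdomain of it (shop.example.com) is accepted.
    """
    problems = []
    parts = urlsplit(url)

    # Check 1: is it a secured https page that will encrypt your information?
    if parts.scheme.lower() != "https":
        problems.append("not an https page, so your details would travel unencrypted")

    # Check 2: am I really on the site I meant to be on?
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.username is not None:
        # "https://example.com@other.test/" shows example.com first, but the
        # browser actually connects to other.test.
        problems.append("address has 'user@' before the real host name")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        problems.append("host is a bare IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("host uses punycode, so it may only look like the real name")
    if not (host == expected or host.endswith("." + expected)):
        problems.append(f"host is {host!r}, not {expected!r} or a subdomain of it")
    return problems

if __name__ == "__main__":
    # Constructed sample addresses; only the first should pass.
    for url in ("https://shop.example.com/checkout",
                "http://shop.example.com/checkout",
                "https://example.com.other-host.test/checkout",
                "https://example.com@other-host.test/checkout",
                "https://192.0.2.10/checkout"):
        print(url, "->", check_checkout_url(url, "example.com") or "OK")
```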
8. Password protect your Wi-Fi network.
There are plenty of good reasons to secure your home Wi-Fi network. You don’t want your neighbors to have access to private info. You don’t want strangers to slow down the connection you’re paying for. You don’t want people to use your connection to take part in illegal activities. The only reason to leave it open is if you want to give someone like John access to your digital life. Here’s how to set up a security key for your wireless network.
9. Don’t open strange email attachments (without scanning them).
The first computer security rule you probably learned was “Don’t open email attachments from strangers.” This is still true—even though John forgot it long ago. In fact, targeted attacks that use social engineering and profile their victims are becoming more advanced all the time. You should still refuse to open any attachment that you were not expecting. If you feel you must open an attachment, download it to your PC and scan it with your Internet security software first. Here’s more on how to deal with email attachments.
10. Don’t expect anyone else to protect your privacy.
Do you blame your telephone when you use it to tell someone something you shouldn’t? Then you can’t only blame Facebook when you post information that may cause you trouble. Even when you use the privacy settings correctly and keep your account under control, your information is only as secure as the people you share it with. If you need to share any information that could cause you trouble at work or could be used to answer your security questions, use private messages, email or even that old-fashioned marvel, the telephone. And never, under any circumstances, shout your password in public through a megaphone. John still hasn’t learned that one yet.
Which of these tips is most important? Which is John least likely to follow? Let us know in the comments.
“The cloud” is a big thing nowadays. It’s not exactly a new concept, but tech companies are relying on it more and more. Many online services that people enjoy use the cloud to one extent or another, and this includes security software. Cloud computing offers unique security benefits, and F-Secure recently updated F-Secure SAFE to take better advantage of F-Secure’s Security Cloud. It combines cloud-based scanning with F-Secure’s award-winning device-based security technology, giving you a more comprehensive form of protection.

Using the cloud to supplement device-based scanning provides immediate, up-to-date information about threats. Device-based scanning, which is the traditional way of identifying malware, examines files against a database saved on the device to determine whether or not a file is malicious. This is a backbone of online protection, so it’s a vital part of F-Secure SAFE. Cloud-based scanning enhances this functionality by checking files against malware information in both the local database found on devices and a centralized database saved in the cloud. When a new threat is detected by anyone connected to the cloud, it is immediately identified and becomes "known" within the cloud. This ensures that new threats are identified quickly and everyone has immediate access to the information, eliminating the need to update the database on devices when a new threat is discovered.

Plus, cloud-based scanning makes the security software itself lighter to run. This is particularly important on mobile devices, as heavy anti-virus solutions can drain the battery life and other resources of devices. F-Secure SAFE’s Android app has now been updated with an “Ultralight” anti-virus engine. It uses the cloud to take the workload off the device, and is optimized to scan apps and files with a greater degree of efficiency. Relying on the cloud gives you more battery life, and keeps you safer.

The latest F-Secure SAFE update also brings Network Checker to Windows PC users.
Network Checker is a device-based version of F-Secure’s popular Router Checker tool. It checks the Internet configuration your computer uses to connect to the Internet. Checking your configuration, as opposed to just your device, helps protect you from attacks that target home network appliances like routers – a threat not detected by traditional anti-virus products. So the cloud is offering people much more than just extra storage space. You can click here to try F-Secure SAFE for a free 30-day trial if you’re interested in learning how F-Secure is using the cloud to help keep people safe. [Image by Perspecsys Photos | Flickr]
F-Secure Labs reported this week on a new WhatsApp scam that’s successfully spammed over 22,000 people. Spam seems to be as old as the Internet itself, and is both a proven nuisance AND a lucrative source of revenue for spammers. Most people don’t see what goes on behind the scenes, but spammers often employ very sophisticated schemes that can expose web surfers to more than just ads for Viagra or other “magic beans”.

Spam typically tries to drive Internet traffic by tricking people into clicking certain websites, where scammers can bombard unsuspecting web surfers with various types of advertising. Profit motives are what keep spammers working hard to circumvent spam blocks, white lists, and other protective measures that people use to try and fight back – and it can pay off. Numerous spammers have been indicted and suspected of generating hundreds of thousands of dollars in revenue from their spam campaigns, with one study projecting that spammers could generate in excess of 3.5 million dollars annually. While most spam circulates via e-mail, the popularity of services like WhatsApp is giving spammers new resources to exploit people, and new ways to make money. Here are a few ways spammers and cyber criminals are using WhatsApp to make money off users:

Following Malicious Links: One way that cyber criminals use WhatsApp to scam people is to trick them into following malicious links. For example, a recent scam sent SMS messages to WhatsApp users telling them to follow a link to update the app. But the message was not from WhatsApp, and the link didn’t provide them with any kind of update. It signed them up for an additional service, and added a hefty surcharge to victims' phone bills.

Sending Premium Rate Messages: Premium rate SMS sending malware was recently determined by F-Secure Labs to be the fastest growing mobile malware threat, and WhatsApp gives cyber criminals a new way to engage in this malicious behavior. Basically the users receive a message that asks them to send a response – “I’m writing to you from WhatsApp, let me know here if you are getting my messages”, “Get in touch with me about the second job interview”, and various sexually themed messages have all been documented. Responding to these messages automatically redirects your message through a premium rate service. Spanish police claim that one gang they arrested made over 5 million euros using this scheme – leaving everyday mobile phone users to foot the bill.

Manipulating Web Traffic: A lot of spam tries to direct web traffic to make money off advertising. As you might imagine, this means they have to get massive numbers of people to look at the ads they’re using for their scams. Scammers use WhatsApp to do this by using the app to spread malware or to social engineer large numbers of people into visiting a website under false pretenses. F-Secure Labs found that people were being directed to a website for information on where they could get a free tablet. In March there was a global spam campaign claiming people could test the new WhatsApp calling feature. Both cases were textbook scams, and instead of getting new tablets or services, the victims simply wasted their time spreading misleading spam messages and/or exposing themselves to ads.

WhatsApp and other services are great for people, but like any new software, they require a bit of understanding to know how to use. Hopefully these points give WhatsApp users a heads up on how they can avoid spam and other digital threats, so they can enjoy using WhatsApp to chat with their friends. [ Image by Julian S. | Flickr ]
Espionage – it’s not just for James Bond type spies anymore. Cyber espionage is becoming an increasingly important part of global affairs, and a threat that companies and organizations handling large amounts of sensitive data are now faced with. Institutions like these are tempting targets because of the data they work with, and so attacks designed to steal or manipulate that data can give attackers significant advantages in various social, political and industrial theaters.

F-Secure Labs’ latest malware analysis focuses on CozyDuke – an Advanced Persistent Threat (APT) toolkit that uses combinations of tactics and malware to compromise its targets and steal information from them. The analysis links it to other APTs responsible for a number of high-profile acts of espionage, including attacks against NATO and a number of European government agencies. CozyDuke utilizes much of the same infrastructure as the platforms used in these attacks, effectively linking these different campaigns to the same technology.

“All of these threats are related to one another and share resources, but they’re built a little bit differently to make them more effective against particular targets”, says F-Secure Security Advisor Sean Sullivan. “The interesting thing about CozyDuke is that it’s being used against a more diverse range of targets. Many of its targets are still Western governments and institutions, but we’re also seeing it being used against targets based in Asia, which is a notable observation to make”.

CozyDuke and its associates are believed to originate from Russia. The attackers establish a beachhead in an organization by tricking employees into doing something such as clicking a link in an e-mail that distracts users with a decoy file (like a PDF or a video), allowing CozyDuke to infect systems without being noticed. Attackers can then perform a variety of tasks by using different payloads compatible with CozyDuke, and this can let them gather passwords and other sensitive information, remotely execute commands, or intercept confidential communications.

Just because threats like CozyDuke target organizations rather than individual citizens doesn’t mean that they don’t put regular people at risk. Government organizations, for example, handle large amounts of data about regular people. Attackers can use CozyDuke and other types of malware to steal data from these organizations, and then use what they learn about people for future attacks, or even sell it to cyber criminals.

The white paper, penned by F-Secure Threat Intelligence Analyst Artturi Lehtiö, is free and available for download from F-Secure’s website. [ Image by Andrew Becraft | Flickr ]