5 Ways to Keep Your Mobile Phone Safe

Think about how it feels to lose your wallet. The money, the credit card, all the essential data you need to function in the world.

Now think about this: 57% of the mobile phone users we surveyed said their mobile phone contains more important information their wallet. MORE!

Over the last few years, our mobile phones have grown from a useful toy to our digital connection to world. Think about what’s on your phone’s hard drive. Your have your email, your phone numbers and contacts, texts. What else? You use it to bank, shop, enjoy apps and, in some places, even as your digital wallet.

F-Secure Labs has pointed how phishing scams are newly effectively on mobile phones. Bad apps, mobile botnets and spyware are no longer theoretical threats. Mobile malware that is designed to to seek make money grows more sophisticated all the time.

Is your phone as protected as it could be? Here are 5 ways you can secure your phone

1. Do not click links in your email.
Phishing scams are more powerful on mobiles and links can lead to scams or possibly even bad apps. You’d never click on an attachment from a stranger in your email. Think of links in emails the same way whether you’re on your phone or your PC.

2. For apps, stick to trusted marketplaces and vendors.
Apple’s walled garden method of approving all the apps in the iOS store has created a level of security that hasn’t been available on for Android users. There have been somewhat rare instances of bad apps showing up in the Android Marketplace, which is now Google Play. In general if you stick to the official marketplace, check reviews and research vendors you’ve never heard of, you’ll have a good chance of only installing safe apps.

3. Never install software you did not seek out.
Did you know QR codes can trigger an app install on your phone? The likeliest way you’ll get mobile malware is by installing it. So if any app asks to install itself without you intentionally seeking it out, immediately cancel if possible.

4. Lock your phone and put a remote wipe app on it.
Would you leave your open wallet lying around? You should always lock your phone the same way you lock your PC when you aren’t using it. For extra protection consider a remote-wipe software such as our free Anti-Theft for Mobile. It gives you the power to lock and erase your phone wherever you are.

5. Keep your system updated and get a quality security app if available.
You phone is a little computer. Old software can have vulnerabilities that can lead to mobile malware trouble. Take any software update your provider or phone manufacturers offer. And keep your apps updates. For the kind of protection for your mobile you’ve grown to expect for your PC, consider mobile security software. You can try F-Secure’s Mobile Security for free.

Cheers,

Jason

More posts from this topic

Juhannus

How To Prepare Yourself and Your Phone For Juhannus

In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this: Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never ending night, it’s no surprise we celebrate the sun not setting. So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts content. We burn bonfires that rival with the unsetting sun. And we get drunk. If that isn't vivid enough, this video may help: [protected-iframe id="f18649f0b62adf8eb1ec638fa5066050-10874323-9129869" info="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2Fsuomifinland100%2Fvideos%2F1278272918868972%2F&show_text=0&width=560" width="560" height="315" frameborder="0" style="border: none; overflow: hidden;" scrolling="no"] And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night. 1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android. 2. Write down your IMEI number. If you lose your phone, you're going to need this so make sure you have it written down somewhere safe. 3. Back your content up. This makes your life a lot easier if your party goes too well and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately on an Android phone, you'll have to use a third-party app. 4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory. And while you're out you can give your phone a quick internal "clean" with our free Boost app. [Image by Janne Hellsten | Flickr]

June 22, 2016
Could the Sony and Hacking Team hacks have been detected sooner?

Hacks in the Headlines: Two Huge Breaches That Could Have Been Detected

The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared.   Photo: Getty Images

May 31, 2016
BY 
5588953445_51dcf922aa_o_crop

Why are Android bugs so serious?

Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios.   Safe surfing, Micke     Photo by etnyk under CC

March 18, 2016
BY