Arriving at the Frankfurt airport late in the evening. The flight was almost on schedule so I have some 30 minutes left before the final leg to Helsinki. A nice opportunity to check my mail and the latest headlines. What a blessing with free WiFi on the airports! And Frankfurt is no exception; the “open network available” -indicator is on when I grab the phone. And there we have the welcome-screen that pops up in the browser. But wait a minute, this one looks different. “Please fill in your mobile phone number and select your country. We will send you an SMS with details about how to log into the wireless network.”
Stop! You should always stop and think when an unknown website asks for your mobile phone number (well, actually when asked for any kind of personal information). Knowing your number is the key prerequisite for someone who want to scam you with premium rate text messages. Ask yourself the following questions when you encounter a page like this:
Most people already know that one should be careful when entering mail addresses at fishy websites. Your junk mail folder may start to fill up much faster than before. But what about your mobile phone number? It’s easy to forget that the mobile number is a key to a billing system. It can be a lot more harmful if it gets in the wrong hands. You may get an unpleasant surprise in the next phone bill.
How does the scam work? Someone puts up a web page where you can sign up for anything that sounds interesting. A lottery is a typical example. Your phone number is required as part of your personal information. And you are of course keen to get it right as you want to make sure they can reach you if you win. There’s also the usual checkbox indicating that you accept the terms, but who cares about those legal details?
Well, you should care. Somewhere deep down in the terms there is a paragraph where you agree to receive informational text messages, or whatever they are called, for a price that can be several Euros each. Yes, that’s right. The billing system of our mobile phones supports messages that are paid by the recipient. This scheme is not even illegal as you have agreed to receive them. And needless to say, the sender is impossible to reach if you change your mind and want to terminate the agreement.
You should leave out your phone number or steer clear of the site if you have any doubts about it. If the organization isn’t trusted, but you still feel that you really have to participate, get familiar with the legal terms. Yes, I really mean reading them!
Another variant of the scam is to send you an unexpected text message that invites you to a quiz, a lottery or something else. Responding to the message means in practice that you sign up to the scam.
So what about Frankfurt? Well, the page asking for my phone number was pretty nicely designed. It looked legit. But there was a legal document that users must accept. So I decided to not use the network. It’s much nicer to spend the remaining 20 minutes before departure reading a good book about sailing in the Mediterranean than reading legal terms.
PS. I’m of course not claiming that the Frankfurt network login is a scam. The point is that I can’t know for sure, and I don’t have to take the risk as the benefit I could have gained was very small.
Photo by whiteafrican @ Flickr
The first day of September may go down in internet security history -- and not just because it's the day when F-Secure Labs announced that its blog, which was the first antivirus industry blog ever, has moved to a new home. It's also the day that Google's Chrome began blocking flash ads from immediately loading, with the goal of moving advertisers to develop their creative in HTML5. Google is joining Amazon, whose complete rejection of Flash ads also begins on September 1. "This is a very good move on Amazon’s part and hopefully other companies will follow suit sooner than later," F-Secure Security Advisor Sean Sullivan wrote in August when Amazon made its announcement. "Flash-based ads are now an all-too-common security risk. Everybody will be better off without them." Last month, Adobe issued its 12th update in 2015 for the software addressing security and stability concerns. An estimated 90 percent of rich media ads are delivered through Flash. Having the world's largest online retailer reject your ad format is a significant nudge away from the plugin. But it would be difficult to overstate the impact of Chrome actively encouraging developers to drop Flash. About 1 out of every 2 people, 51.74 percent, who access the internet through a desktop browser do it via Chrome, according to StatCounter. This makes it the world's most popular web interface by far. Facebook's Chief Security Officer has also recently called for the end of Flash and YouTube moved away from the format by default in January. “Newer technologies are available and becoming more popular anyway, so it would really be worth the effort to just speed up the adoption of newer, more secure technologies, and stop using Flash completely," F-Secure Senior Researcher Timo Hirvonen told our Business Insider blog. So what's keeping Flash alive? Massive adoption and advertisers. “Everyone in every agency’s creative department grew up using Adobe’s creative suite, so agencies still have deep benches of people who specialize in this,”Media Kitchen managing partner Josh Engroff told Digiday. “Moving away from it means new training and calibration.” And Flash does have some advantages over the format that seems fated to replace it. "HTML5 ads may be more beautiful, and are perceived to be more secure, but the files can be a lot larger than Flash," Business Insider's Laura O'Reilly wrote. In markets, stability can breed instability and it seems that our familiarity and reliance on Flash has resulted in unnecessary insecurity for our data. Has Flash hit its moment when its dominance rapidly evaporates? We can have hope. "I sincerely hope this is the end of Flash," Timo told us. Cheers, Sandra [Image by Sean MacEntee | Flickr]
Kaisu who is working for us is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT-services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them. The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper. What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life. I remember when I was a kid long, long ago. This was even before invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore. Our social life is today to an increasing extent handled through electronic services. And those services goes with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind. Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services is a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware. That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%. Safe surfing, Micke PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad. Image by Moyan Brenn
You have all heard the classic mantra of computer security: use common sense, patch your system and install antivirus. That is still excellent advice, but the world is changing. We used to repeat that mantra over and over to the end users. Now we are entering a new era where we have to stress the importance of updates to manufacturers. We did recently write about how Chrysler reacted fairly quickly to stop Jeeps from being controlled remotely. They made a new firmware version for the vehicles, but didn’t have a good channel to distribute the update. Stagefright on Android demonstrates a similar problem, but potentially far more widespread. Let’s first take a look at Stagefright. What is it really? Stagefright is the name of a module deep inside the Android system. This module is responsible for interpreting video files and playing them on the device. The Stagefright bug is a vulnerability that allows and attacker to take over the system with specially crafted video content. Stagefright is used to automatically create previews of content received through many channels. This is what makes the Stagefright bug really bad. Anyone who can send you a message containing video can potentially break into your Android device without any actions from you. You can use common sense and not open fishy mail attachments, but that doesn’t work here. Stagefright takes a look at inbound content automatically in many cases so common sense won't help. Even worse. There’s not much we can do about it, except wait for a patch from the operator or phone vendor. And many users will be waiting in vain. This is because of how the Android system is developed and licensed. Google is maintaining the core Linux-based system and releasing it under an open license. Phone vendors are using Android, but often not as it comes straight from Google. They try to differentiate and modifies Android to their liking. Google reacted quickly and made a fix for the Stagefright bug. This fix will be distributed to their own Nexus-smartphones soon. But it may not be that simple for the other vendors. They need to verify that the patch is compatible with their customizations, and releasing it to their customers may be a lengthy process. If they even want to patch handsets. Some vendors seems to see products in the cheap smartphone segment as disposable goods. They are not supposed to be long-lived and post-sale maintenance is just a cost. Providing updates and patches would just postpone replacement of the phone, and that’s not in the vendor’s interest. This attitude explains why several Android vendors have very poor processes and systems for sending out updates. Many phones will never be patched. Let’s put this into perspective. Android is the most widespread operating system on this planet. 48 % of the devices shipped in 2014 were Androids (Gartner). And that includes both phones, tablets, laptops and desktop computers. There’s over 1 billion active Android devices (Google’s device activation data). Most of them are vulnerable to Stagefright and many of them will never receive a patch. This is big! Let’s however keep in mind that there is no widespread malware utilizing this vulnerability at the time of writing. But all the ingredients needed to make a massive and harmful worm outbreak are there. Also remember that the bug has existed in Android for over five years, but not been publically known until now. It is perfectly possible that intelligence agencies are utilizing it silently for their own purposes. But can we do anything to protect us? That’s the hard question. This is not intended to be a comprehensive guide, but it is however possible to give some simple advice. You can stop worrying if you have a really old device with an Android version lower than 2.2. It’s not vulnerable. Google Nexus devices will be patched soon. A patch has also been released for devices with the CyanogenMod system. The privacy-optimized BlackPhone is naturally a fast-mover in cases like this. Other devices? It’s probably best to just google for “Stagefright” and the model or vendor name of your device. Look for two things. Information about if and when your device will receive an update and for instructions about how to tweak settings to mitigate the threat. Here’s an example. Safe surfing, Micke Image by Rob Bulmahn under CC BY 2.0