The password is a really old way to protect computer systems, yet many systems we use rely solely on them when authenticating users. A simple password might have been a good idea when we used only a handful of systems, but times are changing. Today we need accounts for all the social media we are on, the mail accounts, accounts for on-line shops, the bank, the workplace, you name it… Frankly speaking, I have no idea how many on-line accounts I have. And I can make one confession. I use the same password on some of them, even if the important ones naturally have strong unique passwords.
And here we are at the core problem with passwords. They should be complex enough to withstand brute force and dictionary attacks (that is when hackers systematically try a large number of passwords in hope of finding the right one) and they should be different on all systems you use (to limit the damage if one account is compromised). Many complex passwords and limited brain capacity, that doesn’t work. There are systems to create and remember many complex passwords, but many people aren’t motivated enough to use them. That’s one reason why two-factor authentication is spreading fast.
Another reason to raise the security is that hackers may target a particular system. They may break into it to steal passwords or use phishing techniques to trick you into revealing your password to them. Or plant a keylogger in your system. They may get the password, but still fail to get access to your account if you use two-factor authentication.
But what is two-factor authentication? Let’s start with some theory. An authentication mechanism can use several factors like what you know (a password you remember), what you have (a smartcard or a mechanical key) or what you are (biometrics, retina or fingerprint scans for example). A two-factor or multi-factor authentication system uses at least two of these factors. The best known example is an ATM-card that you have combined with a PIN-code that you know.
The most common way to utilize this for an on-line service is to rely on your mobile phone. You start by entering your user ID and password normally. After that the system sends a unique one-time code to your phone. You type the code and get access to the system. Your phone is the “what you have” -item as the message is directed to that particular device and can’t be read by others. This requires two things; that you have registered your phone number with the service and that you have turned on two-factor authentication. Some services do promote this option actively and ask if you want to use it.
So should I turn it on? Yes, if the service is important to you. You gain a lot of security for a quite small extra effort. You may have noticed several news reports lately about hacked Twitter-accounts. One of the incidents did even impact the stock market. Twitter happens to be one of the major on-line services that doesn’t support two-factor authentication yet. Many of these incidents could have been avoided if they had support for it. Needless to say, if you tweet for a global news agency you really need more security than just a password. But most ordinary people have services that also are important enough to justify this extra security.
Nothing is perfect so what are the downsides with two-factor authentication? The extra effort to type the code after login is of course obvious. But many systems mitigate this by remembering your device and only requiring the code when using a new device. You also must have your phone with you when you log in, which you probably have anyway. Except if you have lost it, which could prevent you from accessing your accounts. Some configuration settings in your browser may also prevent two-factor authentication from working or force you to authenticate every time you log in, even on the same device. Apps that access your account may require some extra attention. They need an extra application specific password that you can create under security settings in the account’s web interface. And last but not least. The service provider must know your phone number, which normally is linked directly to your true identity. This is usually OK, but becomes a problem if you want to be truly anonymous on the site, or have other reasons to not trust them with your number.
And remember that two-factor authentication improves security a lot, but there is no such thing as perfect security. The skimming attacks against ATMs is a classic example. The malware Perkele targets Android devices and works together with desktop malware to defeat on-line banks. Perkele proves that on-line services’ two-factor authentication can be attacked, but this is not a major threat yet.
So the verdict is that two-factor authentication is good. Turn it on if you can. Here’s some examples of where to look for these settings:
Facebook: Security settings / Login approvals.
Google: Accounts / Security / 2-step verification.
MS Hotmail/Live: Micosoft Account / Security info / Two-step verification.
WordPress: Settings / Security / Two Step Authentication.
Twitter: Not supported yet.😦
UPDATE: Twitter got their act together just hours after posting this article. Now they also provide two-factor authentication. Great!
UPDATE2: Seems like Twitter was in a rush to get two-factor authentication out. The implementation is still far from perfect. But it’s a step in the right direction. I’m sure they will get things right, let’s hope it doesn’t take too long.
Many of you have seen them. And some of you have no doubt been victims too. Malware spreading through social media sites, like Facebook, is definitively something you should look out for. You know those posts. You raise your eyebrows when old Aunt Sophie suddenly shares a pornographic video with all her friends. You had no idea she was into that kind of stuff! Well, she isn’t (necessary). She’s just got infected with a special kind of malware called a social bot. So what’s going on here? You might feel tempted to check what “Aunt Sophie” really shared with you. But unfortunately your computer isn’t set up properly to watch the video. It lacks some kind of video thingy that need to be installed. Luckily it is easy to fix, you just click the provided link and approve the installation. And you are ready to dive into Aunt Sophie’s stuff. Yes, you probably already figured out where this is going. The social bots are excellent examples of how technology and social tricks can work together. The actual malware is naturally the “video thingy” that people are tricked to install. To be more precise, it’s usually an extension to your browser. And it’s often masqueraded as a video codec, that is a module that understands and can show a certain video format. Once installed, these extensions run in your browser with access to your social media accounts. And your friends start to receive juicy videos from you. There are several significant social engineering tricks involved here. First you are presented with content that people want to see. Juicy things like porn or exposed celebrities always work well. But it may actually be anything, from breaking news to cute animals. The content also feels safer and more trustworthy because it seems to come from one of your friends. The final trick is to masquerade the malware as a necessary system component. Well, when you want to see the video, then nothing stops you from viewing it. Right? It’s so easy to tell people to never accept this kind of additional software. But in reality it’s harder than that. Our technological environment is very heterogeneous and there’s content that devices can’t display out of the box. So we need to install some extensions. Not to talk about the numerous video formats out there. Hand on heart, how many of you can list the video formats your computer currently supports? And which significant formats aren’t supported? A more practical piece of advice is to only approve extensions when viewing content from a reliable source. And we have learned that Facebook isn’t one. On the other hand, you might open a video on a newspaper or magazine that you frequently visit, and this triggers a request to install a module. This is usually safe because you initiated the video viewing from a service that shouldn’t have malicious intents. But what if you already are “Aunt Sophie” and people are calling about your strange posts? Good first aid is going to our On-line Scanner. That’s a quick way to check your system for malware. A more sustainable solution is our F-Secure SAFE. Ok, finally the poll. How do you react when suddenly told that you need to download and install software to view a video? Be honest, how did you deal with this before reading this blog? [polldaddy poll=9394383] Safe surfing, Micke Image: Facebook.com screenshot
Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios. Safe surfing, Micke Photo by etnyk under CC
A recent PEW report says that 86 percent of people have taken action to avoid online surveillance, including simple things like clearing their browser cache, as well as using more effective methods, such as using a VPN (virtual private network). The same report says that 61 percent of participants indicated that they’d like to do more. Many people understand their privacy is at risk when they do things online, and want to do something about it. But that’s easier said than done. Not only do you have to have the will to make it happen, but you have to know where to start. Who do you want to protect your privacy from anyway? Facebook? The NSA? Nosey neighbors? PEW’s report says that 91 percent of people agree or strongly agree that consumers have lost control over personal information that is collected and used by companies. So if you want to take this control back, the first thing you need to do is figure out who’s stalking you online. F-Secure’s Freedome VPN, which you can try for free, has baked-in tracking protection technologies to help people protect their privacy while they’re surfing online. It also has Tracker Mapper – a feature that people can use to control how they expose themselves to Internet trackers. Tracker Mapper has been available for Macs and Windows PCs for about half a year, and was just launched for Freedome’s Android and iOS apps. So how does using Tracker Mapper help you control your online privacy? Here’s our Chief Research Officer, Mikko Hyppönen, talking about how online tracking threatens people’s privacy, and how Freedome (and Tracker Mapper) can help people protect themselves. [youtube=https://www.youtube.com/watch?v=X1F8sHjCBx0&w=560&h=315] I ran a little experiment to help me learn how to limit my exposure to trackers while planning a vacation. I used Alexa to help me find some popular travel websites that I could use to shop for deals on hotels. After that, I turned on Tracker Mapper (which is turned off by default, because we respect the fact that people don’t want apps to create logs without permission) so I could find out which of these websites used the most tracking to study me as I used their site. I chose 5 of the more popular sites, and then I spent about 10 minutes on each, and left a bit of extra time so I could check out the results in between. The whole thing took me about an hour, giving me a one-hour log of the tracking attempts Freedome blocked while I browsed these sites. Tracker Mapper creates an interactive visualization of the blocked tracking attempts, and gives you information on what trackers attempted to monitor you on different websites. It also shows how these trackers link together to create a network capable of monitoring you as you navigate from website to website. These are screenshots showing how Tracker Mapper visualizes online tracking, as well some of the statistics it provides. The capture on the left shows the entire overview of the session (which lasted exactly one hour). The shot in the middle shows the sites I visited ordered by the most tracking attempts. The capture on the right shows the actual trackers that attempted to track me during my session, ordered by the number of blocked attempts. Based on this, Trip Advisor appears to have made the most tracking attempts. But you can learn even more about this by combining Tracker Mapper with a bit of online digging. You can tap on the different “bubbles” in Tracker Mapper to pull up statistics about different websites and tracking services. The first screen capture shows how many tracking attempts from different services were blocked when I visited Trip Advisor. The next two show the most prominent tracking services Freedome blocked – the tracker that TripAdvisor has integrated into its website (www.tripadvisor.com), and a tracking tag from Scorecard Research (b.scorecardresearch.com). As you might have guessed, TripAdvisor’s own tracking service is only used on their website (it’s what’s called “first-party tracking”). That’s why Tracker Mapper doesn’t show any connections between it and other websites. The second one, Scorecard Research, is used on both Trip Advisor and Lonely Planet. That’s why there are lines connecting it with both (it’s what’s called “third-party tracking”). Scorecard research is a marketing research firm that provides tracking and analytic services by having websites host their “tags”, which collect information about those website’s visitors. The Guardian has an excellent write-up about Scorecard Research, but what’s missing from the Guardian story is that you can opt-out of Scorecard Research’s tracking. Basically, they put a cookie on your browser, which isn’t an uncommon way for tracking companies to allow web surfers to protect their privacy (and oddly enough, a common way for them to track you). Stripping trackers out of websites lets people take control of who’s monitoring what they do online. PEW’s survey found that this idea of control is central to people’s concerns about online privacy - 74 percent of respondents said it’s important to control who can get information, and 65 percent said its important to control what information is collected. However, opting out of every tracking service (and for every browser you use) by installing opt-out cookies isn’t as convenient as using Freedome. And as F-Secure Security Advisor Sean Sullivan pointed out in this blog post, it actually works much better for your browsing (one experiment found that Freedome can reduce the time it takes to load web pages by about 30 percent, and decrease data consumption by about 13 percent). You can download Freedome for a free trial and find out for yourself if how it can help you control your online privacy. And right now, you can win free annual subscriptions, as well as cool swag (like stylish hoodies) by posting a screenshot showing your blocked tracking attempts to F-Secure’s Facebook wall, or on Instagram with F-Secure tagged. The contest is open till March 23rd, and 5 winners will be randomly drawn after it ends.