It’s summer holiday season, when people pack up their smartphones and tablets, sunscreen and tank tops and set off for a change of pace. With connected devices it’s never been easier to find one’s way around, record memories, and stay in touch with friends back home.
When traveling it’s convenient to use public WiFi hotspots in places like airports and restaurants, Our Security Advisor Sean Sullivan says that public WiFi networks should be thought of as just that: public.
Because you’re sharing the network with strangers, there’s the risk that someone is using readily available software that snoops on what you’re doing.
“It may feel private because you’re using your personal device, but it’s not,” he says.
Sean advises against doing anything via public WiFi that you wouldn’t want an eavesdropper to know – including logging into accounts with passwords. “I use public WiFi happily for a topic I would discuss with a friend on the metro. Banking, I do at home,” he says.
Here’s a quick look at how people feel about traveling with their devices and how to stay safe online when you’re on the road.
Here are some more tips that will keep you secure wherever you may roam:
• Don’t let your device connect to public WiFi spots automatically.
• Delete out the WiFi access points you’ve used when you arrive home.
• Don’t be logged into apps you don’t need while traveling.
• Check with the establishment you’re at to make sure the network you log onto is really theirs, and not one a snoop has set up to trick you.
• Be aware of your surroundings and anyone who could be trying to peek over your shoulder.
• Use a unique password for each account.
• For laptops, disable file sharing and turn on the firewall, setting it to block incoming connections.
• Use a VPN (virtual private network) if possible, which secures your connection even on public WiFi.
• Use a travel router with a prepaid SIM card for your own personal WiFi network.
• At the very least, watch for the padlock and “https” in the address bar for any site with your personal information. If they’re not there, avoid the site.
• A good general rule: Assume anything you do over public WiFi is part of a public conversation.
[Photo by uros velickovic via Flickr.com]
Not good enough. That's the assessment of the Parliament's Joint Committee that has been investigating the Draft Investigatory Powers Bill, which will set the guidelines for how the UK carries out intelligence gathering in this era when terror and cyberthreats are merging. And our Cyber Security Advisor Erka Koivunen who testified in front of the committee, agrees. "Sharper, clearer definitions are required in order to protect both the privacy of citizens and viability of the British tech industry," he said after reviewing the 198-page report. Legislators hope to pass the bill before the Data Retention and Investigatory Powers Act 2014 expires in December of this year. A few major problems stood out for Erka. "The committee’s case for Equipment Interference, known by some as 'hacking,' is persuasive and also give voice to the equally persuasive critics of the Government having the power to intrude upon communications in way that lawfully captures evidence," he said. "However, there appears to be little discussion about collateral damage caused by bulk equipment interference activities. We’ve seen in the Stellar Wind and Belgacom cases that equipment interference activity on non-terrorist and non-combatant organizations can be used to create stepping-stones to the intended targets, or as way to hide the intelligence traces that would point the operation back to GCHQ." Limiting the scope of investigations is key, along with allowing developers that ability to preserve the integrity of their products. "We support Mozilla and the open source community in the insistence that all vulnerabilities should be identified and fixed, regardless of who put them there," Erka said. The committee made a strikingly straightforward case for bulk collection of data, noting that search tools can make such information relevant. "However, the justification for such powers -- 'why would the authorities request the bulk powers if they didn't believe them to be effective' -- is simply naïve," Erka said. "It has been demonstrated many times over that GCHQ and NSA have invested lots of time and resources in bulk collection. It is only natural for them to defend their investment and seek to continue their work without interruption. Doing otherwise would put past conduct under scrutiny and future activities in question." Privacy advocates generally agree that the bill should not become law in its current form. "It needs more than mere tweaking, it needs to be fundamentally rethought and rebuilt," said Lord Paul Strasburger, who was on the committee. "Like the other two committees, [we] found the Bill to be sloppy in its wording and short on vital details," he said. Erka notes that the clock is ticking quickly. "The 'sunset clause' now forces the UK Government to work against the clock as the old RIPA authorities will cease to exist in the near future. Talk about "going dark!'" The threat of a complete lapse in surveillance will be wielded by proponents of a purposely vague and broad law. That should not happen, especially given the abundance of input the government has. "The bill, as written, fails to address our concerns about the potential for abuse and lack of oversight. We applaud the committee for addressing these shortcomings—and encourage the Government not to use the rush to pass the law as an excuse to pass a flawed bill." Photo: GCHQ/Crown Copyright/MOD
We can see signs of a disturbing trend. Nowadays there is a built-in update process in almost every software product, and the automatic updates are essential for our devices’ security. The main driver to implement them was to be able to reach out quickly when vulnerabilities are discovered. And most users got the message. We understand the need for updates and let them be installed promptly. This is great from security point of view. So I’m very sad to see increasing misuse of users’ trust in the updates. Apple is making headlines right now with the “Error 53 scandal”. In short, upgrading to iOS 9 may brick your device, that is render it totally useless, if the new system detects that an unauthorized repair has been performed. The official reason is that Apple wants to protect the user’s data against attacks involving tampering with the device. The new functionality does however smell to high heaven. Apple has already a bad reputation for keeping its ecosystem closed and tightly managed, and this incident just feeds that reputation. It doesn’t take a genius to figure out that a move like this also benefits authorized Apple service companies over unauthorized. Bashing Windows 10 is also popular right now. I’m not going into all the security and privacy issues here. But I think the way Microsoft is pushing out Windows 10 to users of previous versions is disturbing. Yes, the automatically distributed upgrade is convenient, if you want to upgrade. And as said, upgrading is usually good from security point of view. But people may have tons of valid reasons to postpone the upgrade, and this is where things get nasty. Several gigabytes are downloaded anyway and use up disk space in vain. Language in the upgrade dialog suggests you have to upgrade. And it starts all over even if you decline, clean up and disable the updates. Even worse, now the upgrade may even start automatically without your consent! People are raging over these incidents because they cause major inconvenience and interferes with your ability to use a product you have purchased. But another at least equally severe side effect is that every case like this undermines peoples’ trust in update services. I bet people with a bricked iPhone will be hesitant to install new versions of iOS in the future. And my opinion about Microsoft’s update service has definitively changed while defending a touch-screen computer with Windows 8.1 from the upgrade. Yes, I have tried Windows 10 on it. No, it didn’t work properly so I had to roll back to 8.1. So to conclude. Rapid updates are more important than ever. Therefore it is very sad to see companies misuse the update channels to roll out features and versions that are designed mainly to boost their own business. The outcome may be that people to a larger extent decline updates or try to block update systems that can’t be disabled. Permanent damage has been caused in that case. Micke PS. There’s some good news for people who want to stay on their previous Windows versions. There is a registry setting that can be used to prevent the upgrade. See MS Knowledge Base Article 3080351 for more details. Image by Nick Hubbard
Today is Safer Internet Day – a day to talk about what kind of place the Internet is becoming for kids, and what people can do to make it a safe place for kids and teens to enjoy. We talk a lot about various online threats on this blog. After all, we’re a cyber security company, and it’s our job to secure devices and networks to keep people protected from more than just malware. But protecting kids and protecting adults are different ballparks. Kids have different needs, and as F-Secure Researcher Mikael Albrecht has pointed out, this isn’t always recognized by software developers or device manufacturers. So how does this actually impact kids? Well, it means parents can’t count on the devices and services kids use to be completely age appropriate. Or completely safe. Social media is a perfect example. Micke has written in the past that social media is basically designed for adults, making any sort of child protection features more of an afterthought than a focus. Things like age restrictions are easy for kids to work around. So it’s not difficult for kids to hop on Facebook or Twitter and start social networking, just like their parents or older siblings. But these services aren't designed for kids to connect with adults. So where does that leave parents? Parental controls are great tools that parents can use to monitor, and to a certain extent, limit what kids can do online. But they’re not perfect. Particularly considering the popularity of mobile devices amongst kids. Regulating content on desktop browsers and mobile apps are two different things, and while there are a lot of benefits to using mobile apps instead of web browsers, it does make using special software to regulate content much more difficult. The answer to challenges like these is the less technical approach – talking to kids. There’s some great tips for parents on F-Secure’s Digital Parenting web page, with talking points, guidelines, and potential risks that parents should learn more about. That might seem like a bit of a challenge to parents. F-Secure’s Chief Research Officer Mikko Hypponen has pointed out that today’s kids have never experienced a world without the Internet. It’s as common as electricity for them. But the nice thing about this approach is that parents can do this just by spending time with kids and learning about the things they like to do online. So if you don’t know what your kids are up to this Safer Internet Day, why not enjoy the day with your kids (or niece/nephew, or even a kid you might be babysitting) by talking over what they like to do online, and how they can enjoy doing it safely.