Criminals aren’t just targeting your PC anymore. Whether you’re on your tablet, phone, Mac or laptop, you’re being targeted for scams designed to get your private information and money into their pockets.
And there’s even more you can do to make sure you’re not leaving yourself vulnerable. How many of these SAFE tips are you already following?
1. Keep your system, browsers, applications and security software patched and updated. Our free F-Secure Health Check makes this easy.
2. Lock your cell phone, tablet and PC when they’re not in use.
3. Use unique, complex passwords for all of your most important accounts. Our Key app makes that easy.
4. Keep your email inbox organized and spam free so you’ll recognize suspicious emails when you get them.
5. Use official app stores to find new software for your mobile devices.
6. Check the reviews on any app before you install.
7. Check your apps’ permissions to see what you’re sharing. Try our free Permissions app for Android.
8. Remember there’s no such thing as “private” on a social network. Your friends can share whatever you post with the world.
9. Use a VPN when connecting through an unsecured WiFi. Freedome by F-Secure gives your phone VPN protection.
10. Are you sharing your location without even realizing it? Your photos and your social media accounts may be announcing where you are to strangers. Check your settings.
11. Set up a separate, Java-free browser dedicated just to shopping and banking.
12. Always check your URLs before filling out a form. You’re looking for a padlock and https, which means secured, and that you’re on the domain you meant to be on.
13. Don’t let your device connect to public WiFi spots automatically and delete old WiFi access points you’ve used when you arrive home.
14. Check the credit card you use for online purchases regularly for unusual activity.
15. When using a business’s WiFi network, check with the establishment you’re at to make sure the network you log onto is really theirs, and not one a snoop has set up to trick you.
16. When at an ATM or using your devices in public, be aware of your surroundings and anyone who could be trying to peek over your shoulder.
17. In many countries you can use a travel router with a prepaid SIM card for your own personal WiFi network.
18. Assume anything you do over public WiFi is part of a public conversation.
19. Put masking tape over your webcam when you’re not using it.
20. Don’t share crucial identification information – Social Security number, account information, mother’s maiden name – with sites you don’t know.
21. If you have any questions about a strange email you’ve received from your bank or credit card company, contact the institution directly, preferably by phone.
We’re glad you’re staying protected and hope you’ll consider F-Secure SAFE for complete protection for all your devices.
In response to news that the secret records of more than 22 million Americans have been breached, possibly by attackers from China, you may have heard the loaded term being used to describe the unprecedented attack. "Why are we ignoring a cyber Pearl Harbor?" a conservative columnist asked.
F-Secure Security Advisor Sean Sullivan joined other experts in explaining that while the Office of Personnel Management hack was a very big deal, it's hyperbole to call it an act of war. Sean argues that the term cyber war should be limited to cyber weapons that cause actual physical damage. It would have to break the so-called "kinetic barrier".
There is no international treaty that defines online rules of engagement but he points to NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare, which attempts to apply existing laws to cyber warfare. Cyber attacks present an even more vexing challenge in attributing the author of an attack than stateless terrorism. But regardless of the author, any cyber attacks on a hospital, for instance, would be illegal under existing law.
Sullivan sees the OPM hack as more likely to be part of another governmental activity that predates the internet: espionage. "Espionage can be a part of warfare, if you think they’re gathering that information for military defense purposes," he said. "Or it can be counterintelligence." He suggests the OPM hack data could be used to find which Americans are, for instance, not working on a diplomatic mission and thus might be intelligence. He notes that former NSA contractor Edward Snowden briefly worked at a U.S. embassy. The lack of a background check in that instance could suggest that he was working as a spy under a false identity.
There’s a difference between war and warfare, Sean notes. "It could be China is interested in defensive capabilities," he said. "It’s an aspect of warfare. It’s not war." If it were to transgress to the level of war, the results would be severe. "We can assume that China is a rational actor," Sean said. "It wants world power without wrecking the world economy. Military posturing is more likely."
He suggests that the U.S. should be much more concerned about the protection of all of its digital data. "I guarantee you that the IRS’ records are just as vulnerable," he said, suggesting that the one thing that may be keeping taxpayers' records safe is the government's tendency to rely upon dated technology like magnetic tape.
And at least some powerful U.S. officials agree that more must be done to secure America's private information. But don't expect them to be satisfied with the same sort of restricted networks the private sector relies upon. A bipartisan coalition of senators is backing new legislation that would give the Homeland Security secretary the authority "to detect intrusions on .gov domains and take steps similar to what the National Security Agency can do with the Pentagon," according to Roll Call. Ah, so more powers for the NSA. Isn't that always the endgame these days when the language of war is being tossed around?
[Image by U.S. Naval War College | Flickr]
Wired.com broke a shocking but hardly surprising story on July 21st. The reporter was driving his Jeep on the highway when strange things started to happen. First the fan and radio went on and later the whole car came to a stop. On the highway! Andy Greenberg was not in control of the car anymore. It was controlled remotely by two hackers, Charlie Miller and Chris Valasek, from miles away. They had not tampered with the car, and as a matter of fact never even touched it. All was done by connecting remotely to the vehicle and utilizing a vulnerability in its own software. A highway is not the safest place for this kind of demonstration so they continued with the brakes and steering manipulation in a parking place. Yes, that’s right. Brakes and steering! Scary? Hell yes!
This is a great demonstration of security issues with the Internet of Things trend (IoT). Anything connected to the net can in theory be hacked and misused remotely. IoT is typically associated with “smart” appliances like toasters and fridges, but a car connected to the net is very much IoT as well. And a hacked car is a lot scarier than a hacked fridge. So let’s look at the three fundamental questions this hack raises.
How can this be possible?
Car manufacturers were caught with their pants down. They have for decades been thinking deformation zones and airbags when you say security. Now they need to become aware of digital security too. I’m confident that they already have some level of awareness in this field, but the recent Jeep incident shows that they still have a lot to learn. I’m not only thinking about preventing this from happening in the first place. No system is perfect, and they must also be able to deal with discovered vulnerabilities. A fix for the problem was created, but patching vehicles required a visit to the car dealer. Like taking your computer to the store to have Windows updates applied. No way!
This underlines that digital security is about more than just design and quality control. It’s also about incident response and maintenance processes. Good morning car manufacturers and welcome to the world of digital security. You have a lot to learn.
Ok, it can be done, but why?
We are now at the “Wow! This is really possible!” stage. The next stage will be “Ok, but how can this be utilized?” There are a lot of headlines about how we could be killed by hacked cars. That may be technically possible, but has so far never happened. Hackers and virus writers used to work out of curiosity and do pranks just because it was possible. But that was in the eighties and nineties. Earning money and collecting information are the motives for today’s cyber criminals and spies. Killing you by driving your car off a cliff will not support either of those objectives, but it does make juicy headlines. Locking your car and asking for a ransom to unlock it is however a plausible scenario. Turning on the hands-free microphone to spy on your conversations is another. Or just unlocking it so that it can be stolen.
Anyway, the moral of the story is that scary headlines about what car hackers can do are mostly hype. The threat will look very different when or if it becomes reality in the future. Let’s just hope that the car manufacturers get their act together before this becomes a real problem.
Should I be worried?
No. Not unless your job is to design software for vehicles. The current headlines are very important wake-up calls for the car industry, but have very little impact on ordinary consumers. Some early incidents, like this Jeep case, will be handled by calling cars to the dealer for an update. But it is clear that this isn’t a sustainable process in the long run. Cars are like appliances; any update process must be fully automatic. And the update process must be much faster than applying the latest software once a year when the car is in for routine maintenance. So any car hooked up to the net also needs an automatic update process.
But what about the hackers driving me off a cliff? You said it could be possible, and I don’t want to die.
First, does anyone have a motive to kill you? Luckily most of us don't have those kinds of enemies. But more importantly, doing that may or may not be possible. Car manufacturers may be inexperienced with hacking and IT security, but they understand that any technical system can fail. This is why cars are built with safeguards at the hardware level. The Jeep hackers could steer the car remotely, but only at low speed. This is natural as the electronically controlled steering is needed for parking assistance, not for highway cruising. Disabling this feature above a certain speed threshold makes perfect sense from a safety perspective.
But, on the other hand, I can think of several scenarios that could be lethal despite low speed. And the hackers could fool the speedometer to show the wrong speed. What if they can feed an incorrect speed reading into the system that turns off electronic steering? Ok, never say never. But hiring a traditional contract killer is still a better option if someone wants you gone.
And there are naturally no safeguards between software and hardware when the self-driving cars take over. Widespread self-driving cars are still sci-fi, and hacking them is even further away. But we are clearly on a path that leads in that direction. A few wrong turns and we may end up with that problem becoming reality. The good news is on the other hand that all publicity today contributes to improved digital security awareness among vehicle manufacturers.
But finally back to today’s reality. It is still a lot more likely for you to be killed by a falling meteorite than by a hacker taking over your car. Not to mention all the ordinary traffic accidents!
Safe cruising, Micke
Tomasz was a finance graduate, fresh out of university. This wasn’t what he had dreamed of studying, but he expected to find a well-paid job afterwards. This is why he started working in a branch of a local cooperative bank. The job wasn’t very demanding. During the day he didn’t have to deal with many customers, which suited him just fine. It did annoy him a bit that his work computer was only connected to an internal network and not the Internet, as with every other computer in the bank. This protocol protected the system from unauthorised outside access, which is crucial for a bank. It also, however, meant that employees were not able to check their private email accounts or access newsfeeds on social networking sites.
One day, Tomasz noticed his computer behaving in a strange way. The machine was slow and crashed repeatedly, not to mention the error messages flashing on his screen. It was of no use for work. Things got even worse when the monitor simply went dark. Despite trying numerous times, Tomasz couldn’t turn it on again. He didn’t want to waste his precious time so he called the IT department about the problem. It turned out that he wasn’t the only one. All of the computers at the bank had gone crazy. The branch had to be closed down for four hours. A ten-person IT team responded to the crisis, launching a backup system. After several hours they were able to restore all computers to working order.
What had happened was that a virus had infected the network. The head of the IT department wanted to know whose computer was attacked first. An internal investigation revealed that the malware came from Tomasz’s machine and the source of the infection was one of the bank’s flash drives. A few weeks earlier, Tomasz had copied his holiday photos to the drive to show them to his colleagues. The virus entered the device’s memory when the photos were copied from Tomasz’s private laptop.
He was quickly called into his boss’s office. Tomasz knew all too well that he had violated security protocol. He knew that he would be punished, but how harshly? In the end, Tomasz was officially reprimanded and a note was placed on his file. Considering that his negligence cost the bank several thousand euro, this was merely a slap on the wrist. However, because of his recklessness, Tomasz had endangered sensitive data stored in the bank’s system, not to mention his own future career.
Your business can be smart enough to prevent your own Tomasz from causing you heartache. "Your network can be set up so only administrators can add new hardware," F-Secure Security Advisor Sean Sullivan explained. "And why shouldn't it be?"
For more insight into how to keep your business safe, check out our Business Insider blog.
Cheers, Sandra