Posts in Social media

Logging into Facebook in public

When you log into Facebook, you could see a message warning you that a government-backed entity of some sort is trying to get into your account.

This isn't the site's first attempt to use its gatekeeping power to address security concerns. Facebook detects malware on your computer and if it finds any, you're directed to one of several free online scanners -- including our free online scanner -- to clean your PC before you can log in.

What's new about this warning is that it suggests a culprit -- a government, which could possibly even be your government. It's remarkable how accepted the idea is that state-backed organizations are carrying out cyber attacks so regularly that there's a Facebook prompt specifically dedicated to the threat. But it's indicative of the times we live in. F-Secure Labs has warned about cyber threats from state-backed actors for years.

"We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts," Facebook's Chief Security Officer Alex Stamos explained in a post announcing the new prompt.

Our Security Advisor Sean Sullivan calls the feature a "good first step." Why?

"Facebook is widely used among human rights advocates and attorneys," he told TrustedReviews. "When advocates report being targeted, I suspect that Facebook's security team is readily able to cross-reference IP addresses which interact with and target various accounts. And so Facebook is then able to draw connections between people that might benefit from such notifications."

Some in the media have raised alarm about the feature. Russia Today -- an English-language media outlet sponsored by the Russian government -- framed the feature as an attempt to get your phone number. The article features several references to the NSA, alluding to the revelations former contractor Edward Snowden began releasing in 2013.

(This is ironic given F-Secure Labs' recent report on The Dukes, which makes the case that the Russian government is involved with or abetting cyber attacks of its own that extend beyond surveillance into actual espionage.)

So does Facebook just want your phone number? Nope.

"The feature doesn’t require a phone number," Sean told me. "If you have an Android phone, iPhone, or an iPod touch – you can simply use the Facebook app to generate the approval codes."

The suspicions being raised by non-state-sponsored media could be tied to Facebook's constant efforts to get you to offer it your mobile phone number to activate security features. Our Chief Research Officer Mikko Hypponen often points out that by pairing your profile with your phone number, websites can unlock a treasure trove of demographic data about you that makes you even more valuable to sell to advertisers. We cannot say for sure that Facebook does this. If you have a spare day or two, you can read through Facebook's Terms and Policies to find out.

"Both Facebook and Twitter (and other sites) often ask me for my phone number for the sake of 'security,'" Sean told me. "And while yes, it does offer some security enhancements, in the name of transparency, I wish they also mentioned the other uses."

Be aware that if you want to use two-factor authentication to secure your account but don't want to give the site your number, you do have options. It's good to be suspicious about sharing your phone number, but it's also smart to be doubly suspicious when privacy concerns are being stoked by an arm of the Russian government.

In the past few years, Facebook -- which used to be constantly ridiculed for its privacy and security concerns -- has really stepped up its game in simplifying its privacy settings, preventing spam and controlling the spread of bad links. This is another promising step from a security team that seems eager to both protect its users and to make us all aware of the growing threat of state-backed attacks.

October 20, 2015

Have you thought of one funny thing? The Internet is the Eldorado of anonymity, yet most people are on Facebook under their real name. Facebook has an authentic identity policy, but it is not really enforced. You can sign up under any name you like and they don’t make any attempts to verify it. But Facebook is typically an extension to your real-life social network, so it is natural to sign up with a name your friends know. Yet another example that guiding users towards something in a natural way is so much more effective than laws and mandatory policies.

So you can use a false name if you like, but most people use their real names, established nicknames or well-known artist pseudonyms. (*) All these names have one thing in common. They may or may not be what’s written on the driving license, but they all have a strong link to the person’s social network in real life. And that’s what really matters. Most people don’t deviate from their real names to be anonymous. Quite the opposite, using well-known pseudonyms can make them easier to recognize.

The coin always has two sides. Truly anonymous accounts are used for harassment, libel, fraud, scams, identity theft, you name it. Facebook’s real name policy has been in effect for years and these are probably the primary targets they had in mind. It works so that anyone can report other users. Facebook will ask the users to provide some kind of identification, and keep the account closed otherwise.

But this issue became headline news lately when it became clear that the policy itself can be used to harass others. Representatives for minorities, like Native Americans and drag performers, became the target of numerous reports. Their names were not meant to be anonymous, they were artist names and Native American names. This is why EFF reacted and published a petition to change Facebook’s rules. They have a long list of problems in the current policy. Many valid points, check it out.

One of the main problems on the net is the lack of verified identities. The symptoms are a wide range of issues ranging from fraud to pranks. But one of the most visible effects is the deteriorating debate culture. We have all run into discussion forums that have turned into arenas for venting hate and mental illnesses. You can run into that on Facebook too, but not to the same extent as in other forums. And the reason is clear. People may use pseudonyms, but they are not anonymous to their real-life social network. It’s easier to express hateful opinions in writing than when talking face to face. But you still have to stand behind your opinions on Facebook. Your friends know it’s you no matter what name you use.

I think this is a good thing that makes Facebook a better place. But the real name policy can’t take credit for it. It’s the nature of Facebook itself that keeps the debate at a more civilized level. So a community with a pretty strong real name culture is no doubt an asset. But EFF is also making many good points about why the policy goes wrong.

So I have two questions for you today. What kind of name are you using and what do you think about real names on Facebook?

Safe surfing, Micke

PS. LinkedIn is by the way another example of a service where it really doesn’t make much sense to appear under a false name, unless you’re a sockpuppet.

Image by Vincent Diamante

(*) Facebook itself estimates that about 9% of the profiles “aren’t real” in some way. About 1,5% are violating Facebook's policies. More info here.

October 14, 2015

You are precious. You are very valuable. At least to companies dealing in advertising and customer profiling. The value of you and your peers makes giants like Google and Facebook tick, with a combined revenue of about $78 billion. I’m sure most of you understand this value. But how many are really making smart choices to guard it?

If you’re on Facebook, you may have seen posts like this: “Your Friday night. Tina wants to sleep. Jan destroys furniture. Aaron wakes up handcuffed. Wilhelm starts a drinking competition.” Clicking the image takes you to, or a localized version in your own language. Once there you can create your own test that reveals funny things about you and your friends. It’s obvious that these tests are more entertaining than scientific. And this site can’t be blamed for lacking fantasy! Who thinks you’re sweet? How many children will you have? Who should you write a love song for? Who of your friends belong in your stuffed animal collection? Stuffed animal collection! OMG. LOL. :)

You can find out all this and much more with the tests at The site is operated by a German company named Socialsweethearts, which claims to have over 1500 tests in more than 40 languages! OK, just another funny and harmless site that creates virally spreading posts and cashes in on advertising, you might think. But let’s take a closer look at what’s going on here.

Many of the tests involve your friends, revealing who would be or do something. And to provide this they must know who your friends are, right? So it’s perfectly legit when a dialog pops up asking for access to your Facebook account and friends list.

Wait! This is where you should stop and think. Let’s rephrase what’s going on. You purchase an automatically generated joke about you and your friends and pay by allowing them access to your friend list and Facebook wall, including all your past, current and future posts. A good deal? No, I don’t think so. And on top of that, you pay with knowledge about all your friends too, but without asking them for permission.

Ok, Socialsweethearts is a German company, and Germany has strong privacy laws. I think there is a pretty good chance that this company isn’t misusing your data shamelessly, even if they definitely have the technical opportunity to do so. But this is pure luck. I bet that virtually none of the folks using these tests actually checked the background of the company and made an educated decision to trust it. Did you?

But on the other hand. Pretty much all the giants that make billions on our private data are from the Americas. Europe has totally lost this race. A German company entering the same business successfully would be bright news, sort of. Bad news for your privacy but good news from a European business perspective.

So don’t worry too much if you have used the services on But this is anyway an excellent opportunity to clean up the list of apps that have access to your data. In Facebook, go to Settings and choose Apps in the menu to the left. Now you see a list of all apps and sites that have been granted access. Some of them are no doubt legit, for example apps that should be able to post to your wall. But the permissions will stay when you stop using something. And some permissions are only needed on a one-time basis, but they will stay on the list. belongs to that category and should be erased.

Go through the list and remove anything you don’t need. If you see something that you don’t understand the meaning of, it’s safest to remove it too. Permissions can always be added back and apps that lose their permissions will notify you and ask you to grant new permissions.

Happy cleaning, Micke

September 21, 2015

Hide Your LinkedIn Connections

Hiding your LinkedIn connections is easy. Click on your profile pic in the upper right-hand corner and select "Privacy & Settings". You'll probably be asked to log in again, which is smart of LinkedIn. Then under "Privacy Controls" select "Select who can see your connections". On the screen that appears, select "Only You". You can also hide a specific contact. Here are some more LinkedIn privacy settings you may want to check, including how to make it so people don't know if you've viewed their page.

So why would you want to hide your connections? If you're in an industry where your contacts are an asset -- like sales -- or an industry where your connections can easily be turned into targets -- like security -- you may simply not want to make life easier for your competitors or the bad guys.

The paradox of discussing privacy on social networks is that most of us aren't on social networks to not be noticed. Your social graph -- your network of online friends -- can be used to fight hackers or encourage them. And if you're a person likely to be targeted, such as a CEO, you need to take additional precautions to prevent threats like whaling.

Another reason you may want to hide your "friends" on sites like Facebook or LinkedIn is that they could be used to factor in things like your credit score, in the near future. We honestly don't know the long-term implications of exposing ourselves and our networks on the internet. But it's always good to know what you can control, so you have a better idea of what you can't.

September 16, 2015

Kaisu, who works for us, is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them.

The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper.

What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life.

I remember when I was a kid long, long ago. This was even before the invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore.

Our social life is today to an increasing extent handled through electronic services. And those services go with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind.

Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services are a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware.

That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful of other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%.

Safe surfing, Micke

PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad.

Image by Moyan Brenn

August 24, 2015

It’s amazing how advertising can power huge companies. Google has over 57 000 employees and some 66 billion US dollars in revenue. And Facebook has 12 billion and 10 000 employees. These two giants are the best known providers of ad-financed services on the net. And modern advertising is targeted, which means that they must know what the users want to see. Which means that they must know you.

Let’s take a closer look at Facebook. We have already written about their advertising preferences and I have been following my data for some time. Part of the data used to target ads is input by yourself: age, gender, hometown, movies you've seen etc. But Facebook also analyzes what you do, both in Facebook and on other sites, to find out what you like. It’s obvious how the tracking works inside Facebook itself. Their servers simply record what links you click. Tracking in the rest of the net is more sinister; it’s described in this earlier post.

Your activity record is analyzed and you are assigned to classes of interest, called “Your Ad Preferences” by Facebook. Advertisers can then select classes they want to target, and the ad may be shown to you based on these classes. You can view and manage the list using a page that is fairly well hidden deep in Facebook’s menus. Let’s check your preferences in a moment, but first some thoughts about this.

Advertising may be annoying, but it is the engine that drives so many “free” services nowadays. So I’m not going to blame Facebook for being ad-financed. I’m not going to blame them for doing targeted ads either. That can in theory be a good thing, you see more relevant ads that potentially can be of value to you. But any targeted ad scheme must be based on data collection, and this is the tricky part. Can we trust Facebook et al. to handle these quite extensive personal profiles and not misuse them for other purposes?

It’s also nice that Facebook is somewhat open about this and lets you view “Your Ad Preferences” (Note. Not available in all countries.). But that name is really misleading. The name should be “Facebook’s Ad Preferences for You”. Yes, you can view and delete classes, but that gives you a false sense of control. Facebook keeps analyzing what you do and deleted classes will reappear shortly.

I made a full clean-up a couple of months ago, but now I have no less than 210 classes of interest again! This is really amazing if you take into account that I block tracking outside of Facebook, so those activities are not contributing. And I have a principle of not clicking ads in any on-line media, including Facebook. And liking commercial pages in a very restrictive manner. But the thing is that Facebook has realized that people dislike ads. “Suggested posts” or “Sponsored posts” are in fact masqueraded ads and any interaction with them will record your interest in the classes they represent. I have to admit that I do click this kind of content regularly.

And where did that suicide thing come from? No, I’m fine. I’m not going to jump off a bridge and I’m not worried about any of my dearests’ mental health. I have not interacted with any kind of Facebook content related to suicide. Except that I can’t know that for sure. Facebook tries to give an open and honest image of itself when presenting its Ad Preferences settings and the possibilities to manage them. But this rosy picture is not the full truth. The inner workings of Facebook advertising are in reality a very complex secret system. When you interact with something on Facebook, you have no way of knowing how it affects your profile. Something I have clicked was apparently associated with suicides even if I had no clue about it.

Ok, time to take the Facebook personality test. Let’s see what kind of person they think you are. Follow these instructions:

1. Go to Facebook and locate an ad, a “sponsored post” or a “suggested post”. These items should have a cross or a down-arrow in the upper right corner. Click it.
2. Select “Why am I seeing this?” from the pop-up menu.
3. This screen contains some interesting info but proceed to “Manage your ad preferences”.
4. Review the list and come back here to tell us what you think of it.
5. Delete the inappropriate classes. Deleting all may reduce the number of ads you see.

So let’s see what people think about this test’s accuracy.

So using Facebook’s Ad Preferences as a personality test may be entertaining, but not very accurate after all. You should probably look elsewhere for a real test. The catch is that you can select what test to take, but not how others collect data about you. Someone else may rely on this test when evaluating you. You have actually granted Facebook the right to share this data with basically anyone. Remember this clause in the agreement that you read and approved before signing up?

“We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys.”

You did read it before signing, didn’t you?

Safe surfing, Micke

August 13, 2015

The user register of AshleyMadison has been hacked. You don’t know what that is? Well, that’s perfectly fine. It’s a dating site for people who want to cheat on their spouses. Many dislike this site for moral reasons, but there is apparently a demand for it. The Canadian site has some 37 million users globally! Some user data has already been leaked out and the hackers, calling themselves Impact Team, have announced that they will leak the rest unless the site shuts down. So this hack could contribute to many, many divorces and a lot of personal problems!

"We will release all customer records, profiles with all the customers' sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses." (The Impact Team)

This is one hack in a long row, not the first and certainly not the last site hack where user data is leaked. But it is still remarkable because of the site’s sensitive nature. Think about it. What kind of information do you store in web portals and what bad could happen if that data leaks out? If you are cheating on your spouse, then that is probably one of the most precious secrets you have. Disclosure of it could have devastating effects on your marriage, and maybe on your whole life. Millions of users have put their faith in AshleyMadison’s hands and trusted them with this precious secret. AshleyMadison didn’t misuse the data deliberately, but they failed to protect it properly. So it’s not that far-fetched to say that they cheated on the cheaters.

What makes the AshleyMadison hack even worse is the site’s commercial nature. Users typically pay with a credit card issued in their own name. They can appear anonymously to their peers, but their true identities are known to the site owner, and stored in the database. So any leaked information can be linked reliably to real people.

The sad thing is that the possibility of a leak probably never even crossed the mind of these 37 million users. And this is really the moral of the story. Always think twice before storing sensitive information in a data system. You must trust the operator of the system to not misuse your data, but also to have the skills, motivation and resources to protect it properly. And you have very little ability to really verify how trustworthy a site is. This is not easy!

Refraining from using a site is naturally the ultimate protection. But we can’t stop using the net altogether. We must take some risks, but let’s at least think about it and reflect over what a compromised site could mean.

This hack is really interesting in another way too. AshleyMadison is a highly controversial site as cheating is in conflict with our society’s traditional moral norms. The hack is no doubt a criminal act, but some people still applaud it. They think the cheaters just got what they deserved.

What do you think? Is it right when someone takes the law into his own hands to fight immorality? Or should the law be strictly obeyed even in cases like this? Can this illegal hacking be justified with moral and ethical arguments?

Micke

July 21, 2015

There wouldn't be 1.44 billion active users on Facebook if the risks outweighed the rewards. Likewise, with more than a billion using a website that requires you to use your real identity to share our media, thoughts and feelings, we can't expect there to be zero risks to social media.

The same way someone can study your driveway to find out when you're not home, your profile can be stalked for insights into your life. Despite this, the worst most of us have had to deal with is being awkwardly contacted by people we've purposely kept out of our lives.

Most of us will never have to deal with what female gamers were forced to endure when they ignored or rejected friend requests from a seventeen-year-old resident of British Columbia.

"He exposed their private secrets to the world, put their lives in danger and shut down Disneyland in the process," CBC News' Jason Proctor explains.

His alleged speciality was a combination of "doxing" and "swatting." "Doxing" has come to mean "using the internet to find and expose a target's personal information," which is technically legal in most places, though against the terms and conditions of many sites. "Swatting," which is "the faking emergency calls to trigger the deployment of SWAT teams to a victim's house," is not legal anywhere.

What can you do to prevent this kind of behavior? If the perpetrator is fixated enough, not much.

“You’re not going to stop a dedicated attacker from doxxing you," F-Secure Security Advisor Sean Sullivan told me. "Get offline for that.”

Any threat of harm online should be taken seriously. Take a screenshot and report it to both the platform where the threat was posted and the appropriate law enforcement agency.

But the good news is that most perpetrators are not clever and lawless enough to go to the extremes this young man was. And even if they were, most of us have gotten pretty good at not oversharing after more than a decade of living in a world where Google makes researching people's lives easy.

“The world has gotten smaller because of the internet, not just social media," Sean explained.

If you Google your name along with the name of the city you live in, for instance, you may be disturbed at what you find. And even if you are good at limiting what's posted online about you along with what you share and with whom, you still may be vulnerable.

"Oversharing is not the problem," he said. "Security questions are."

The answers to many of the security questions attackers could use to infiltrate your accounts and dig out private information from you or your friends are based on "trivia" from your life, like what school you attended. Such information can be easily Googled.

What can you do about that? "Consider lying," Sean said.

But that does create a problem. As Mark Twain said, “If you tell the truth, you don't have to remember anything.” If you lie on your security questions, you'll have to remember those lies.

Sean's suggestion: "Use a Password Manager like F-Secure KEY that has a notes section."

Then you can record your fibs and protect your strong, unique passwords that are -- along with updated system and security software and a reliable VPN -- essential for keeping intruders from accessing your accounts.

"Now would be a good time to update your security questions."

[Image by Secretive Ireland | Flickr]

July 17, 2015