Posts in Social media

Connecting people

You have all seen the pictures circulating on the net: a bunch of people all tapping at their smartphones and paying no attention to the world around them, with the title ANTISOCIAL. And you have probably also seen this in real life. Sometimes a friend just seems to be more interested in the phone than in you. And maybe it has been the other way around sometime? ;)

Most of these people are probably using social media. I do agree that it is rude to ignore people who are physically present and pay more attention to the phone, especially if you are alone with someone. And yes, that behavior seems antisocial from others’ point of view. But the funny thing is really that social media and our mobile devices form the most social system invented so far. Think about it. You can be in contact with people everywhere in the world. You can send and receive messages instantly and follow what others do right now. You can share your own feelings spontaneously. You can have a pure peer-to-peer exchange of thoughts not curated by any outsiders. You can select to communicate with a single person or a larger group. You are not limited to written text, you can use pictures and video as well.

The real point here is that those “antisocial” types aren’t just tapping their phones, they are communicating with real people. Our traditional definition of the word social was formed before we had the Internet. People associate it with personal face-to-face contact and are slow to update their mindsets. Or to be precise, we already have a younger generation who have grown up with the net and social media services. Their definition is up to date, but many of us older persons still see the net as less social or not social at all.

Let’s all agree to never call someone who is concentrating on the phone antisocial. But the word rude may be justified. Let’s also agree not to be rude to others by ignoring them in favor of the phone. It’s of course OK to check the phone now and then at a party, but always prioritize people who are present and want to talk to you. And why not take it one step further? Turn off the phone and try to be without it for a couple of hours. Can you do it? The next time you go out for dinner with someone is a good time for that experiment. You may be less social on the net for a while, but your company will see you as much more social.

Safe surfing,
Micke

PS. If you must be able to take urgent calls and can’t turn off the phone, at least turn off the data connection. That will mute the social media apps.

Aug 21, 2014
1.2 billion stolen passwords

You have heard the news. Russian hackers have managed to collect a pile of no less than 1.2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.

First of all: there are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to scan the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this, it’s an excellent reminder of why your personal password habits are important.

Let’s first walk through how it can go wrong for an ordinary Internet user. Let’s call her Alice. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accept alice@gmail.com as the user ID. And it’s very logical to also use the same password, it sort of belongs together with that mail address, and who wants to remember many passwords?

Now the evil hackers enter the scene and start scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and download it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites. They also try the same credentials on a large number of other popular Internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.

Now the hackers start to use their catch. They can harvest Alice’s accounts for information: mail conversations, other people’s contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or run impostor scams, just to list some examples.

So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. It doesn’t even help much if the weak site stores passwords hashed: a hobby site typically uses a fast, unsalted hash, and once the database is stolen those hashes are cracked offline against a word list in no time. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.

But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember. One caveat: whoever steals one of your passwords also sees the constant part, so the variable part must not be something they can guess from the site name alone (“fb” for Facebook, say), or one stolen password unlocks the others almost as easily as a reused one would. Still worried about your memory? Don’t worry, we have a handy tool for you: the password manager F-Secure Key.
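To make the Alice story concrete, here is an added example (mine, not part of the original post) that plays it through in Python: the football club’s stolen database is cracked offline, the recovered credentials are replayed against the other sites, and a small audit function checks a password-manager export for reuse. All site names, salts, passwords and the word list are constructed for the example; none are real.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data for the Alice story. None of the sites, salts, hashes or
# passwords below are real; the site names are placeholders.
ALICE = "alice@gmail.com"
ALICE_PASSWORD = "Tr0ub4dor&3!"   # passes the usual complexity rules, but reused everywhere
WORDLIST = ["password", "letmein", "football2014", "Tr0ub4dor&3!", "qwerty123"]


def _unsalted_sha1(password: str) -> str:
    """Hobby-grade storage: a bare, unsalted, fast hash. Cheap to crack offline."""
    return hashlib.sha1(password.encode()).hexdigest()


def _salted_sha256(password: str, salt: bytes) -> str:
    """Per-user salt defeats precomputed and cross-user attacks; a well-run site would
    go further and use a slow hash such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


_SALTS = {site: os.urandom(16) for site in ("mail.example", "social.example", "bank.example")}

# Each site's user database: user -> (scheme, salt, stored hash). Alice reused her
# password on mail and social, but chose a different one for the bank.
SITE_DATABASES = {
    "footballclub.example": {ALICE: ("sha1", b"", _unsalted_sha1(ALICE_PASSWORD))},
    "mail.example": {ALICE: ("sha256", _SALTS["mail.example"],
                             _salted_sha256(ALICE_PASSWORD, _SALTS["mail.example"]))},
    "social.example": {ALICE: ("sha256", _SALTS["social.example"],
                               _salted_sha256(ALICE_PASSWORD, _SALTS["social.example"]))},
    "bank.example": {ALICE: ("sha256", _SALTS["bank.example"],
                             _salted_sha256("Grimm-Tale-77#Stork", _SALTS["bank.example"]))},
}


def check_login(site: str, user: str, password: str) -> bool:
    """Simulated login endpoint: what the hackers hit when they try her password elsewhere."""
    record = SITE_DATABASES[site].get(user)
    if record is None:
        return False
    scheme, salt, stored = record
    candidate = _unsalted_sha1(password) if scheme == "sha1" else _salted_sha256(password, salt)
    return hmac.compare_digest(candidate, stored)


def crack_unsalted_sha1(stolen_db: dict, wordlist) -> dict:
    """Offline dictionary attack on a downloaded user database. Only unsalted entries are
    attackable this cheaply; returns {user: password} for every hash that matched a word."""
    by_hash = {stored: user for user, (scheme, _salt, stored) in stolen_db.items() if scheme == "sha1"}
    cracked = {}
    for word in wordlist:
        digest = _unsalted_sha1(word)
        if digest in by_hash:
            cracked[by_hash[digest]] = word
    return cracked


def credential_stuffing(cracked: dict, target_sites) -> dict:
    """Replay every cracked (user, password) pair against the other sites.
    Returns {user: [sites where the login succeeded]}."""
    hits = defaultdict(list)
    for user, password in cracked.items():
        for site in target_sites:
            if check_login(site, user, password):
                hits[user].append(site)
    return dict(hits)


def find_reused_passwords(vault: dict, prefix_len: int = 8) -> list:
    """Audit a password-manager export ({site: password}) for reuse. Exact duplicates are
    flagged, and so are passwords that merely share a long common prefix, because that is
    what a 'constant part + site-specific suffix' scheme produces and what a thief who has
    seen one of them will try first. Returns the groups of sites sharing a password stem."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[password[:prefix_len]].append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(SITE_DATABASES["footballclub.example"], WORDLIST)
    print("cracked from the football club dump:", cracked)
    print("same credentials also work on:",
          credential_stuffing(cracked, ["mail.example", "social.example", "bank.example"]))
    print("vault audit:", find_reused_passwords({"mail": "Tr0ub4dor&3!", "social": "Tr0ub4dor&3!",
                                                "forum": "Tr0ub4dor&3!fr", "bank": "Grimm-Tale-77#Stork"}))
```

The big sites in the simulation are never broken into; the hackers simply log in with a password that was only ever as well protected as the football club’s database. The audit deliberately groups on a prefix rather than on exact equality so that “Tr0ub4dor&3!fr” is flagged next to “Tr0ub4dor&3!”.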
But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected, as we don’t know (at the time of writing) which sites were hit. But the number of stolen passwords is big, so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens! If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.

Safe surfing,
Micke

Aug 7, 2014
red roses

Dating is an interesting on-line service. It touches on a very private aspect of our lives, but is conducted over the Internet, which has many anonymity and privacy challenges. It also brings a radical change to the way we find a spouse. Previously we used to meet people in person, get a crush and then later find out if we are compatible. On-line dating turns this upside down: you first screen the “market” for candidates who seem to be suitable. Then you meet them and get the crush, or not. Taste varies, some prefer on-line dating, some the traditional way.

An unavoidable aspect of on-line dating is that you have to publicly state the fact that you are seeking company. Some people are fine with that, some are hesitant. Can you even do on-line dating without revealing who you really are? Yes, you can. But there are several things you should know and think about before setting up your profile. I recently got an excellent opportunity to do some research in this area without cheating on anyone, but let’s not go into details about that. ;) Here are my findings and advice for singles who want to hide their true identities.

Do care about your privacy. Or at least think about it thoroughly before going on-line. You may have an extrovert personality and be OK with publishing private things. But you will sooner or later run into someone who didn’t take the medicine and deals badly with a no. It’s so much easier to deal with those if they don’t know your real name and contact info.

Your alias. Dating services assume you want some level of privacy and let users appear under aliases. Do not select the same alias as you use on other services. It is easy to Google for it, and your real identity may be visible on another service where you use the same alias.

The profile picture. Dating services vary but the picture of you is almost always very important. And some services require a picture where you are recognizable. This means that you can’t be anonymous to people who know you. The best strategy is to just accept this, but there are alternatives. You can use a profile picture that delivers some kind of feeling or tells something about your life, but in which you are not recognizable. Or you can omit it completely.

Use a unique picture. Modern search engines can easily find where a certain picture has been published (reverse image search). The picture may link your profile to other services where you reveal more personal info than you want revealed in this context. Make sure your profile picture isn’t on-line anywhere else.

Your picture can contain unwanted meta-data. Many modern cameras automatically add the owner’s name, and even contact info, into hidden fields (the Exif data) in digital photos. Professionals and serious amateurs may also use workflows that add this data later. Geotagged photos, photos with embedded GPS coordinates, are also very common, and those coordinates may point to your home. The dating service may strip out this data automatically, but it’s better to be on the safe side and do it yourself before uploading.

Your e-mail. Sometimes you chat inside the dating service, sometimes it’s more convenient to continue by e-mail. It’s a no-brainer that an e-mail address like firstname.lastname@something.com is a privacy problem. But even a more anonymous address is yet another thing that people can google for, and perhaps find you in another context. Set up a separate free mail account dedicated to the dating project. That’s convenient and safe.

Chat handles and phone number. The same is actually true for all kinds of communication. Set up dedicated chat accounts. Get a cheap pre-paid phone if you want to talk to, or text with, untrusted persons.

Communication and contents. It’s a no-brainer that you can give away your identity when communicating with someone. Mail footers and thoughtlessly revealed information come to mind immediately. But what may be less obvious is that the issues with pictures don’t only affect your profile picture. Any picture file you share with the other party may be a privacy risk in the same way. Also check the URL if you share links to uploaded photos or videos. Is your cloud account identifiable from the link?

Yes, you can google other people. Some people think it’s bad manners to dig for info about others by googling. That’s a really outdated attitude. You can google others and you can’t expect others not to google you. Be prepared that people will use any tiny piece of information you share to learn more about you. That’s just how the world works today, trying to fight it is futile.

And last but not least. When you find someone, you have to come out of your shell sooner or later. There’s always a point when you have to trust the other and reveal your true identity. People like to know who they are dealing with and you can score some extra points by being brave and open about who you are. Holding on to your anonymity too long sends a message of distrust. But you should naturally first communicate with the other for a while to make sure he or she is sane. And remember that most people are OK. The stalkers and troublemakers are a minority, but keep in mind that they do exist.

Several things to think about, but dating anonymously is not really hard. There’s a lot of talk about Internet privacy now after the Snowden revelations. It is next to impossible to be truly anonymous on-line if an intelligence agency is after you. But this is totally different. Here we are talking about peer privacy, not provider privacy or authority privacy. These instructions are enough to maintain your anonymity against your peers, but not to run a criminal business. This level of privacy is probably enough for most on-line daters.

Good luck. Just go for it. Think about your privacy but don’t let it put you off. Prepare for some disappointments but remember that sooner or later luck will shine on you. :)

Happy dating,
Micke
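The meta-data advice above is easy to act on yourself. Here is an added example (mine, not part of the original post) in plain Python, with no third-party libraries, that lists the metadata-carrying segments in a JPEG (Exif, XMP, comments) and writes a copy with them stripped while leaving the image data untouched. The sample image is constructed inline: it has a valid JPEG structure with a fake Exif block and comment but dummy scan data, so it parses without being a viewable photo.

```python
import struct

# JPEG marker codes (ITU T.81). APP1 carries Exif and XMP, APP13 Photoshop/IPTC, COM free text.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, COM = 0xE0, 0xE1, 0xFE


def _segments(data: bytes):
    """Yield (marker, start, end) for each header segment, stopping after SOS.
    Everything from SOS onward is the entropy-coded image and is never parsed here."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD9:        # standalone markers carry no length
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def metadata_segments(data: bytes) -> list:
    """Names of the metadata-bearing segments present, e.g. ['APP1/Exif', 'COM']."""
    found = []
    for marker, start, end in _segments(data):
        if marker == SOS:
            break
        if marker == COM:
            found.append("COM")
        elif APP1 <= marker <= 0xEF:                        # APP0 is the JFIF header, not metadata
            payload = data[start + 4:end]
            name = "APP%d" % (marker - APP0)
            if payload.startswith(b"Exif\x00"):
                name += "/Exif"
            elif payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
                name += "/XMP"
            found.append(name)
    return found


def has_exif(data: bytes) -> bool:
    return any(name.endswith("/Exif") for name in metadata_segments(data))


def strip_metadata(data: bytes, keep=frozenset({APP0})) -> bytes:
    """Return a copy of the JPEG with every APPn and COM segment removed except those in
    `keep`. APP0 (JFIF) is kept by default: some decoders expect it and it holds no
    personal data. The scan data is copied verbatim, so image quality is unaffected."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if marker == SOS:
            out += data[start:]                              # SOS header, scan data and EOI
            break
        if marker == COM or (APP0 <= marker <= 0xEF and marker not in keep):
            continue
        out += data[start:end]
    else:
        raise ValueError("no SOS segment found: truncated JPEG?")
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF, Exif, comment, quantisation table, scan, EOI. The Exif
# payload is a fake TIFF header followed by plain-text stand-ins for owner-name and GPS.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08Artist=Alice Example\x00GPS=60.17,24.94")
    + _segment(COM, b"Shot at home, 2014-08-01")
    + _segment(0xDB, b"\x00" + bytes(64))                    # DQT
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\x78"                            # scan data; FF 00 is byte stuffing
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", metadata_segments(SAMPLE_JPEG))
    print("after: ", metadata_segments(strip_metadata(SAMPLE_JPEG)))
```

Two things to keep in mind when using this on real photos: the Exif block also holds the orientation flag, so a phone picture taken in portrait mode may display rotated after stripping unless you rotate the pixels first, and a stripped file is still worth checking with a second tool (exiftool, or the properties dialog of your OS) before you upload it.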

Jul 28, 2014
Safe online while travelling

If you bring your phone, tablet or laptop with you when you travel, there's one thing to keep in mind: public WiFi networks are public. "That open Wi-Fi connection opens the door for hackers," writes NPR's Steve Henn. "They can get in the middle of transactions between, say, you and your bank." Because you’re sharing the network with strangers, there’s the risk that someone is using readily available software that snoops on what you’re doing. “It may feel private because you’re using your personal device, but it’s not,” our Security Advisor Sean Sullivan told us last year. Sean advises against doing anything via public WiFi that you wouldn’t want an eavesdropper to know, including logging into accounts with passwords.

Before you hit the road make sure all your devices are backed up, your applications and operating system are patched and you're running an updated security solution on any device you can. You can try F-Secure SAFE on up to 3 devices for free for the next month.

Here are some more tips that will keep you secure wherever you may roam:
• Don’t let your device connect to public WiFi spots automatically.
• Delete the WiFi access points you’ve used when you arrive home.
• Log out of all the apps you don’t need while traveling.
• Lock any device you're using with a code that can't be guessed.
• Be aware of your surroundings and anyone who could be trying to peek over your shoulder.
• Use a unique, strong password for each account.
• For laptops, disable file sharing and turn on the firewall, setting it to block incoming connections.
• Use a VPN (virtual private network) like Freedome if possible, which secures your connection even on public WiFi.
• Use a travel router with a prepaid SIM card for your own personal WiFi network.
• At the very least, watch for the padlock and “https” in the address bar for any site with your personal information. If they’re not there, avoid the site. And if the browser warns about the site’s certificate while you are on public WiFi, that is exactly what someone “in the middle” looks like: close the page rather than clicking through.
• A good general rule: Assume anything you do over public WiFi is part of a public conversation.

Cheers,
Sandra

[Image by Mario Mancuso via Flickr]
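The first two tips above (no automatic joining, and forgetting the access points you used) can be scripted. Here is an added example (mine, not part of the original post) for a Linux laptop whose Wi-Fi is managed by NetworkManager; it drives the real `nmcli` command and assumes nothing else about the system. The parsing of the profile list is kept separate from the commands so it can be exercised on captured output, and the script is a dry run unless told otherwise.

```python
import re
import subprocess
import sys

WIFI_TYPE = "802-11-wireless"


def wifi_profile_names(nmcli_terse_output: str) -> list:
    """Return the saved Wi-Fi profile names from the output of
    `nmcli -t -f NAME,TYPE connection show`. Terse mode separates fields with ':' and
    escapes a literal ':' inside a value as '\\:', so split only on unescaped colons."""
    names = []
    for line in nmcli_terse_output.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"(?<!\\):", line)
        if len(fields) < 2:
            continue
        name, conn_type = fields[0].replace("\\:", ":"), fields[1]
        if conn_type == WIFI_TYPE:
            names.append(name)
    return names


def _nmcli(*args: str) -> str:
    result = subprocess.run(["nmcli", *args], check=True, capture_output=True, text=True)
    return result.stdout


def saved_wifi_profiles() -> list:
    return wifi_profile_names(_nmcli("-t", "-f", "NAME,TYPE", "connection", "show"))


def forget_wifi_profiles(keep=(), dry_run=True) -> list:
    """Delete every saved Wi-Fi profile except those in `keep` (your home network, say).
    With dry_run=True nothing is changed; the list of what would go is returned either way."""
    removed = []
    for name in saved_wifi_profiles():
        if name in keep:
            continue
        if not dry_run:
            _nmcli("connection", "delete", "id", name)
        removed.append(name)
    return removed


def disable_autoconnect(name: str) -> None:
    """Keep a profile but stop the laptop from joining that network on its own."""
    _nmcli("connection", "modify", name, "connection.autoconnect", "no")


if __name__ == "__main__":
    # Usage: python forget_wifi.py [--delete] [profile names to keep ...]
    really = "--delete" in sys.argv
    keep = tuple(arg for arg in sys.argv[1:] if arg != "--delete")
    for name in forget_wifi_profiles(keep=keep, dry_run=not really):
        print(("deleted: " if really else "would delete: ") + name)
```

Run it once without `--delete` when you get home to see what is about to be forgotten, then again with `--delete`. For the networks you keep, `disable_autoconnect` is the nmcli equivalent of unticking “connect automatically”, so the laptop will only join them when you ask it to.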

Jun 24, 2014
Digital Freedom is worth fighting for

We are worried about our digital freedom and need your help. The world our children will inherit may lack some fundamental rights we take for granted, unless actions are taken now. Our Digital Freedom Manifesto is one such action. Read on to learn more.

The United Nations’ Universal Declaration of Human Rights, Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

I think this is a very good and important article, and most people probably agree. We have all gotten used to concepts like the secrecy of telephony and the postal service. In short, we have the right to privacy and the right to decide ourselves what private information we share with others. And we value these rights. We would not accept our letters arriving opened or the police installing cameras in our homes.

But on the Internet everything seems to be different. The information you think is private may actually be transferred and stored by systems far away from you, often in other countries. This gives a wide range of agencies and companies a technical possibility to access your data. Article 12 is often your only protection, but you have no way to verify that all involved parties respect it. After the Snowden leaks we know for sure what we feared earlier: there are several countries that pay no respect at all to Article 12. The ability to monitor most of the world’s Internet traffic, and that way gain political and economic benefits, is just too desirable no matter how unethical it is. The USA, where most of our data is hosted, is sadly among the worst offenders. If warrantless wholesale data collection for political and economic purposes isn’t a violation of Article 12, then what is?

What’s really going on here? Are we ready to dump Article 12 or should something be done? Why are we accepting the erosion of our digital rights, while similar violations would cause an immediate outcry if some other area of our lives was affected?

We at F-Secure are ready to fight for your digital freedom. We do that by providing products that guard your on-line life, like F-Secure SAFE, F-Secure Freedome and Younited. But that is not enough. Guarding privacy is an uphill battle if the network's foundations are unreliable or hostile. And the real foundations have nothing to do with technology, they are the laws regulating network use and the attitude of the authorities that enforce or break those laws. That’s why we need the F-Secure Digital Freedom Manifesto.

We know that many people around the world share our concern. This manifesto is crowdsourced and will be made available to the public and selected decision makers when ready. We want you to participate, preferably with your own words, or just by reading it and thinking about how valuable digital freedom is for you. The manifesto will not change anything by itself, but it will help raise awareness. And when the people are aware, then we can demand change. We have democracy after all, right?

You can participate until June 30th. Or just read the draft and think about how all this affects your digital life. Right now is a good moment to get familiar with it.

Micke

Jun 19, 2014
Password joke

There’s a lot of advice out there about passwords – how to generate them, store them, manage them. It’s certainly important to get a grip on your passwords – especially after Heartbleed, possibly the greatest vulnerability in Internet history. But for many of us (myself included), the idea of managing ALL those passwords is overwhelming. I have accounts that I can’t even remember. We recently did a little survey in social media (thanks to those of you who participated!) and 58% of you have over 20 password-protected online accounts, or simply too many to keep track of. Getting all those passwords in order – setting a unique, strong password for each individual account – might seem a little like starting a new healthy diet and exercise regimen – you know you should do it, but you just don’t.

So we asked Sean Sullivan, our Security Advisor here at F-Secure, for some advice. Sean boiled it down into this simple tip (no, it's not the one above in the photo!):

Identify the critical accounts to protect, and then make sure the passwords for those accounts are unique and strong.

Sean’s advice takes into account the fact that many of us have accounts for services where little personal information is stored. “If you created an account for some website and there’s hardly anything more in there than your username and password, then that’s probably not a critical account,” he says. “But your Amazon account with your credit card info, your bank account, your primary email accounts, the Facebook account with your life story, these are examples of the critical ones. If you don’t have time or inclination to tackle everything, at least take care of those.”

Another example of a critical account is an email account that is used as the point of contact for password resets on other accounts: whoever controls that mailbox can reset the passwords of everything that sends its reset links there. For these “master key” accounts, it’s also a good idea to activate two-factor authentication if available.

By unique, Sean means that your password shouldn't be used for any other accounts. By strong, he means use a combination of letters, numbers and special characters, and the longer the better.

Oh, and about that survey. Here are some more of the results: 43% of you reported using the same password for more than one important account. 40% of you use a password manager to keep track of your passwords. 57% of you changed passwords after hearing about Heartbleed (and 11% hadn't heard of Heartbleed).

If you want an easy way to create unique, strong passwords and protect them too, check out F-Secure Key. It’s free to use on any one computer or mobile device.

Image courtesy of Lulu Hoeller, flickr.com

May 20, 2014
Choosing good password

Time for a reminder about password security. We have talked a lot about how to choose good passwords. But they are worth nothing if they don’t stay secret. This is about a quite simple scheme that tricks many users into revealing their e-mail passwords.

“John Doe found 4 new friends by searching his email contacts. Give it a try”. That’s what pops up in my Facebook now and then. You just have to submit your email address and the password to your account. Facebook can then connect to your mail account, parse the contact list and match it against its own user database. Sounds simple and it sure works. The drawback is of course that you at the same time grant Facebook full access to your mail, no matter what system it is hosted on. Facebook can not only read your contacts but also your mail messages and calendar items. Facebook could even manipulate the content in your account, delete items or send mail on your behalf. I’m not claiming that they misuse account details in this way, but it’s best to not even give them the chance to do so. Facebook’s reputation for privacy isn’t exactly stellar and for me it’s a no-brainer that they can’t be trusted with secret info like one’s mail password. Frankly speaking, I haven't even bothered to check what kind of privacy promise they make about this feature. Their promise is pretty irrelevant anyway, this is simply a bad idea.

So don’t use this feature if Facebook offers it to you. If you have used it, your mail password is compromised and needs to be changed ASAP. And this is by the way true for any other system that might offer a similar feature. LinkedIn is one example. Note that there is a proper way for one service to read your contacts from another: a delegated authorization (OAuth is the common standard) where you log in at your mail provider, grant access to the contact list only, and can revoke that access later, without the third party ever seeing your password. A contact importer that asks for your password instead of sending you to your mail provider to approve it is, by that fact alone, doing it the wrong way.

To wrap up. Passwords are secret. They should only be entered into the system they belong to, into an app or program that is designed to use the system or into a password manager program you trust. They should not be kept on stickers or in files that aren’t properly protected. They should not be entered into other systems that promise to do something on your behalf (the Facebook feature falls into this category), unless you are 100% sure about the reliability of that system.

Safe surfing,
Micke

May 19, 2014
Internet Security 2014

I’m proud of working for a company like F-Secure, with a 25-year long history of protecting people’s digital life. But I was especially proud on one day in early 2014. That’s the day when I got the green light to write and publish a paper documenting what data our Internet Security 2014 product collects from the customers’ computers. I’m proud of this because this is something I think all software companies should do in the future, and we are probably the first anti-malware company to do it.

Privacy is becoming one of the really big issues in our lives for many reasons. We live more and more of our lives through our electronic gadgets. We communicate electronically and we store our valuable data in the cloud. We do have a real life outside social media, but most of that life is somehow documented and commented on electronically too. So anyone who can peek into your personal devices and cloud accounts has a really comprehensive picture of you. And this is exactly what the big data companies and many government agencies want to do. People are pretty much unaware of this data’s value, and even unaware of how comprehensive it is. Many software and service providers on the Internet play on this ignorance and grab the data like it was free to be taken. Hell, that’s not right! People own the data on their devices and in their cloud accounts. This ownership should be respected and nobody should take that data without permission. Or with a permission buried deep in some EULA that hasn’t been read by a single human being, except lawyers.

We think differently at F-Secure. We don’t see the user data itself as a business potential. For us the business potential lies in the users’ desire to protect this data, and we are sure this potential will grow exponentially in the future. So we stick to a very traditional business concept. We want real money for our product. This is the only feasible business model for people who want to manage their digital privacy. We don’t give products away “for free”, just to secretly take payment in a currency the user doesn’t fully understand: private data.

But how does the paper about data transfer fit into this? It has to do with a concept of fundamental importance: trust. Customers have no way to verify what the software on their devices really does and how cloud providers really handle their data. All you can do is evaluate the reputation of the provider and read the privacy policy documents. And they tend to be rather useless, as they are in legal language and describe what the provider reserves the right to do with your data, not what it actually does. We think transparency is a cornerstone when building trust. That’s why we wanted to be more open about how our Internet Security customers’ data is handled. We wanted to give customers a clear list of what data we transfer, why we have to transfer that data and what we do with it. The document had to be fairly short, clear and easy to read. No legal language. We have run into the demand for something like this several times, and after a discussion on Twitter in early 2014 we decided it was time to act. Hat tip to @cynicalsecurity for that.

So now we are transparent about how we handle Internet Security customers’ data. Great, but can customers trust this data declaration? They still do not have any means to really verify that the document is correct. That is an excellent question and it boils down to trust, once again. You just have to trust us on that. This is actually a huge fundamental problem in our new digital world. I think the whole software industry must be more transparent and by default declare what data is transferred and how it is handled. This is an inevitable development in a world where people become aware of their digital assets’ value. But the question is really what mechanisms there will be to monitor and verify these declarations. A new system of independent tests, audits and certifications? Time will tell.

The document can be found here.

Micke

Apr 30, 2014