Since joining the company a few months back, I have had the pleasure to listen to many talented and extremely enthusiastic people talk about security – and the solutions related to it. In these months I think I have learned more about the security threats and how to prevent them than in all the years of my working life so far.  One of the key learnings is that the foundation of security is to have the right tools for all levels of security.

• End-point protection protects you from internet threats. According to F-Secure Threat Report H2/2012, the most common way to get hit by malware is browsing the web.
• Server protection keeps your content safe from spam, malware and other threats. Protecting servers certainly doesn’t sound like a hot topic, but talking to our product managers, it actually is something much more interesting than you would first think.
• Email protection safeguards your communication. Even though email no longer is the number one target for attacks, due to its frequent and wide use, email protection is still as relevant as ever. Talking to one of our sales engineers just the other day, I was shown some stunning examples of how reliable and trustworthy spam mail can actually look like! Forget about the typical “Click here for this unbelievable one-time offer” type of obvious attempts… – Spam today is much more sophisticated.
• Web filtering protects your identity and reputation. The Threat Report additionally states that some types of hosting sites are favored by criminals and recently, dynamic DNS providers have been the fastest growing target for malware hosting. 87% of the domains supported by one of the top 3 dynamic DNS providers hosted malicious content. Think – 87%! Cannot be very good for the DNS provider’s reputation…

Wouldn’t you want to stay on top of this all 24/7, but effortlessly? For that, you need a central, holistic security management tool. Without it, this can all be too hard and time-consuming and you would need a lot of resources to take care of the security issues.

Luckily, this can all be very easy with the right tool. F-Secure Policy Manager is a security management tool that lets you shift your security to autopilot. As Yoshito Sato from Green House company puts it: ”We do not have to worry if each computer is secure or not anymore”.

Cheers, Eija

Share this

What do you think about them? Do you pass them on? Does this kind of messages play on your emotions? Do you like the feeling of helping a poor child somewhere in the word by clicking share? Have you ever tried to verify if the sad story is true? Or do you want to hold on to the dream that you are helping, and avoid checking the background even if there is a grain of doubt? Or are you one of the skeptics who dislike chain letters and write an angry reply instead?

Chain letter may be an old-fashion term from the snail-mail era. But that is really what we are talking about here. They are also called hoaxes, which refer to the content rather than the spreading mechanism. Our modern communities on the net provide an ideal environment for them. It has never before been so easy to share information with a large number of friends globally, just by a click. The content might be anything, but there are some easy ways to identify them.

• They play on your emotions, often empathy or fear.
• They tell you to share it with all your friends.
• There’s often a shocking picture of a claimed victim. (The same picture is often reused in many different chain letters.)
• It may claim that the victim gets money for each share. (This is never true.)
• There’s no or very little details of the claimed victim to make it harder to debunk the story.
• There’s no reference to news articles or other reliable sources, or the article is fake if there is one.

Here comes a couple of examples from different categories.

Help save baby with cancer is a really classical example. Who can resist a sick child? And that thing on the little boy’s face. OMG! In reality, this story is just made up and the boy doesn’t exist. Or the baby in the picture certainly exists, but he has appeared in many different chain letters and nobody knows where the picture comes from or if that thing is fake or real. The promise of one dollar per share is also just made up, there is no such commitment in reality.

YOU COULD SAVE A LOVED ONES LIFE BY KNOWING THIS SIMPLE INFORMATION!!! First aid and medical advice is another common chain letter category. I have attended a number of first aid courses at different levels, and this example is legit as far as I can tell. The described STR-rule is also well known and used elsewhere too. But how do you know that? If you can assess that, you don’t need the advice. And if you can’t, you have no clue if the advice is reliable and accurate. This one might be legit, but that can’t be said about all the other messages of this kind. They can in the worst case be directly harmful! (I have selected to not share one of those here.)

Facebook is not a good info source for matters of life and death. If you truly care about your loved ones and want to be able to help, then there is no substitute for professional first aid training. Trash all chain letters of this kind and sign up for a course today!

[Insert celebrity of your choice] found dead at Dominican Republic resort. This is really a sick form of humor. There’s a web-based generator that can generate hoaxes like this. It even creates fake news pages that can be passed around with the chain letter. I’m including the link to the generator here. I trust that you use it only to learn how to spot these hoaxes, not to make one yourself.

If you see some shocking news like this and the source isn’t one of the big news networks that you recognize, then turn to Google and get a second opinion before you hit share. Well, sites can be faked so Google is a good idea even if you recognize the news source.

But these chain letters are mostly harmless, you might think. Is it really that bad to pass one on? Well, they don’t harm the reader directly. Messages that trick you into downloading a file or opening a site that can contain malware is a different cup of tea. Phishing scams that trick you into entering secret data at a faked site are also truly harmful. Chain letters and hoaxes are not harmful in this way.

But that’s not the full story. There are still several reasons to avoid them:

• Your own reputation. You may feel good when “helping a sick child”, but do your friends think the same way? Some of them may think you are gullible and easily fooled.
• You create unnecessary noise on Facebook, or whatever community you are on. It may already be hard enough to spot the relevant posts from 500+ friends and a load of groups. Your friends do not need more junk to cover the valuable posts.
• Things seem to replicate, especially problems. If you have a habit of sharing chain letters and hoaxes, you contribute to the culture among your friends. You signal that it is OK to share hoaxes and your habit will spread to some of them.
• If you forward a message with some advice about first aid, a friend uses it and it tunes out to be bad advice. How would you feel? If you share info like this, you also carry responsibility for it.
• Passing on jokes about someone killed in an accident is really sick humor, even if you might be in shock and believe it when you press share. Double-check before sharing and spare your friends that unnecessary shock.
• If your account is compromised and misused to spread truly harmful content, it will blend in better in a stream of chain letters. Your friends are less likely to notice any difference and more likely to click on the malicious link from “you”.  Such post will however stick out if your normal posts are strictly no-nonsense.
• A historical note. Old-school computer folks dislike chain letters because they were seen as a bad thing in the early days of e-mail. This was based on the limited capacity of the computers and telecommunications at that time. Technical capacity is not a problem anymore, today’s bottleneck is our capacity to process all the messages we get. But as said above, even if the technical capacity is there, it is still a bad idea to circulate chain letters.

And by the way. Why should you support this particular child? Just because you got a picture of him? There are probably thousands of real children with the same disease. You feel emotionally involved, that’s good. Let’s use your emotions for something more productive than just passing hoaxes around. Look up a local charity organization that work with children and make a donation while watching the picture. That really matters!

So, to summarize. Don’t feel bad if you have shared chain letters like this. As said, they do no direct harm. But I hope that as many as possible become aware of the downsides and start ignoring them. Our Facebook experience would be tidier.

So now you know how to spot a chain letter. Just click the share button and make sure all your friends on Facebook also know. Hey, wait…

Safe surfing,
Micke

Image from About.com Urban legends

Share this

- (phone rings) Hello.
- Hello, I’m calling from American Express. Are you Mr. *****  ******?
- Yes, great that someone finally reacts to my reclamation.
- First I need to verify your identity. What’s your social security number?
- Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
- (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
- Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

• Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
• Do not give out your SSN unless you know who he other part is.
• Verify that the other part has a valid reason to use your SSN before you reveal it.
• If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
• Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
• Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
• Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
• Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

Share this

Having a camera in your phone has lowered the threshold to take photos tremendously. It’s always with you and ready to snap. But you still have to take it out of the pocket and aim it at your object. The “victim” has a fair chance to notice that you are taking photos, especially if you are working at close distance.

Google Glass is a smartphone-like device that is integrated in a piece of headgear. You wear it all the time just like ordinary glasses. The screen is a transparent piece in your field of view that show output as an overlay layer on top of what’s in front of you. No keyboard, mouse or touchscreen. You control it by voice commands. Cool, but here comes the privacy concern. Two of the voice commands are “ok, glass, take a picture” and “ok, glass, record a video”. Yes, that’s right. It has a camera too.

Imagine a world where Google Glasses are as common as mobile phones today. You know that every time you talk to someone, you have a camera and microphone pointed at you. You have no way of knowing if it is recording or not. You have to take this into account when deciding what you say, or run the risk of having an embarrassing video on YouTube in minutes. A little bit like in the old movie RoboCop, where the metallic law enforcement officer was recording constantly and the material was good to use as evidence in court. Do we want a world like that? A world where we all are RoboCops?

We have a fairly clear and good legislation about the rules for taking photos. It is in most countries OK to take photos in public places, and people who show up there must accept to be photographed. Private places have more strict rules and there are also separate rules about publishing and commercial use of a photo. This is all fine and it applies to any device, also the Google Glass. The other side of the coin is peoples’ awareness of these laws, or actually lack thereof. In practice we have a law that very few care about, and a varying degree of common sense. People’s common sense do indeed prevent many problems, but not all. It may work fairly OK today, but will it be enough if the glasses become common?

I think that if Google Glass become a hit, then it will force us to rethink our relationship to photo privacy. Both as individuals and as a society. There will certainly be problems if 90% of the population have glasses and still walk around with only a rudimentary understanding about how the law restricts photography. Some would suffer because they broke the law unintentionally, and many would suffer because of the published content.

I hope that our final way to deal with the glasses isn’t the solution that 5 Point Cafe in Seattle came up with. They became the first to ban the Google Glass. It is just the same old primitive reaction that has followed so many new technologies. Needless to say, much fine technology would be unavailable if that was our only way to deal with new things.

But what will happen? That is no doubt an interesting question. My guess is that there will be a compromise. Camera users will gradually become more aware of what boundaries the law sets. Many people also need to redefine their privacy expectation, as we have to adopt to a world with more cameras. That might be a good thing if the fear of being recorded makes us more thoughtful and polite against others. It’s very bad if it makes it harder to mingle in a relaxed way. Many questions remain to be answered, but one thing is clear. Google Glass will definitively be a hot topic when discussing privacy.

Micke

PS. I have an app idea for the Glass. You remember the meteorite in Russia in February 2013? It was captured by numerous car cameras, as drivers in Russia commonly use constantly recording cameras as measure against fraudulent accusations. What if you had the same functionality on your head all the time? There would always be a video with the last hour of your life. Automatically on all the time and ready to get you out of tricky situations. Or to make sure you don’t miss any juicy moments…

Photo by zugaldia @ Flickr

Share this

UPDATE: You can now watch a recording of this event here.

Want to hear our cyber security rock star/guru Mikko Hypponen, live? Our upcoming free lab webinar is your chance! He’ll speak about the hot topics in the world of fighting malware. You’ll even have an opportunity to ask him your most burning questions.

Topics Mikko will cover:

• Mobile Threat Report – Be the first to know what’s in our brand-new report, coming out the same day. Hear the latest on Android and Symbian, mobile banking Trojans and more – and get Mikko’s perspective.
• Click Fraud Business – Advertising is big business. Click-fraud is complex and is an innovative crime. What does it involve and how did it get this way?
• Fighting bots on your computers and your phone – Windows-based botnets are a major problem. What can we do to fight them? And how can we prevent our phones from becoming the next battleground?
• Apple, FB hacks and its implications for the rest of the world – Facebook and Apple employees were compromised. How did it happen? What are the issues and who else may be affected? And what does it mean for the rest of us?

Hear it straight from the labs, live and unplugged – click here to sign up now.

Share this

Some days you will remember forever. In your personal life, these irreplaceable days include the birth of your child, your wedding or visiting a new country. In business, it could be a promotion to new job, meeting an important business partner or speaking at a conference.

Last Tuesday is definitely a day I know I’ll remember forever.

When I woke up at 5am to catch my flight to Berlin, I had a little smile on face. I was heading to a ceremony where F-Secure would be given the prestigious BEST PROTECTION 2012 AWARD from AV-TEST.

Winning feels always great. Working in a software security company, you really don’t concentrate on winning a certain award or nomination. Our focus is on providing best possible product and service to our customers.

We know it’s not easy to select security software to protect your PC. Each vendor claims to provide the best protection, most features and the simplest interface.

Testing security software is not easy either. It’s especially difficult to prove how good protection is against modern, sophisticated malware. It requires deep knowledge of malware and state-of-the-art testing facilities. AV TEST is one of the most respected independent testing organizations in the antivirus industry.

Being recognized by AV-TEST as the best product to protect consumers feels even better than great. It feels awesome.

Of course, this award would not have been possible without huge effort from hundreds individuals within our Labs. It’s their skills, hard work and determination to be the best that has made all this possible. They analyze sophisticated threats, provide detection mechanisms against them and develop new technologies to protect against new, unknown malware.

It’s really they who receive this award. For me, it’s my honor to work with them.

After the  award ceremony and photos, AV-TEST arranged for a trolley car tour around Magdeburg, where our guide George gave us a history of the city. A gala dinner followed. It was an excellent time and unique opportunity talk with Andreas Marx, Guido Habicht and Maik Morgenstern about latest trends in computer security.

Tomorrow, I’ll head back to Finland. My colleagues are anxiously waiting to celebrate this award in our own special way. At F-Secure we have a tradition. We take our trophies out on the town and pose them for pictures around Helsinki so we can post them online. And we never forget to get a picture in the sauna.

Great tradition. Great times.

—
Sami enjoys his freetime with his family and friends. He is a long distance runner who participates in 2-3 marathons every year. He never travels without his running gear.

Share this

Mikko Hypponen and Sean Sullivan from the F-Secure Labs recently sat down to answer some questions on online banking security from our F-Secure Community. The first question dealt with remembering strong passwords. They recommended a password manager, pass-phrases and simpler passwords for less critical accounts.

Here’s a system we recommend to create strong passwords you can remember for you most critical accounts.

More answers are coming soon or you can treat yourself to them all now.

Share this

We stopped and I took a photo of my husband and son with him. That done, we proceeded along to the supermarket to do our Saturday grocery shopping.

Some minutes later it hit me. We had just met the prime minister, the most powerful man in Finland. I should have shaken his hand. And why hadn’t I gotten in the photo too? The significance of meeting this dignitary had been completely lost on me!

The thing was, it was so low key. There was no big fuss about it. People were mostly going about their business. There was no heavy security detail, no men in black suits and sunglasses. And the prime minister himself, Jyrki Katainen, had looked so ordinary. Casually dressed, he could have been any other shopper that day.

But he wasn’t any other shopper. He was the head of the Republic of Finland, out campaigning for his party (municipal elections were the following day).

It was a completely different experience from the other time I saw a head of government. In 1996 President Clinton came through my hometown on his re-election campaign. I remember the excitement. Thousands of people stood thronged around the stage. It took quite a while for my cousins and I to weave our way to the front of the crowd, where a rope separated the mass of people from the president. My cousin, who was bolder than I, stretched out far enough to shake his hand. And you can bet there was security.

The laid-back encounter with Prime Minister Katainen got me thinking about security in the real world versus the online world. In the real world, the need for security varies depending on the population, economics, social problems, et cetera, of where you are. It’s apparently pretty easy for Katainen to get around in this quiet northern country of 5.4 million people. But in many countries with higher populations and less egalitarianism than Finland, top government officials must travel with an elaborate entourage.

In the online world however, threats are not bound by geography. Hackers use the information superhighway to get them anywhere in the world they want to go, in milliseconds. They can, for example, steal personal data, spread viruses, infiltrate bank accounts, and turn computers into robots that do their bidding, all from the comfort of their own home. So hackers in Wherever-ia aren’t just that country’s problem – they’re everyone’s problem.

Comprehensive Internet security is a must, whether you’re in a small, relatively safe country like Finland, a populous nation like the USA, or whether you use a Mac or a PC. And wherever, whoever you are, there’s protection for you.

Share this

This Saturday, he used his feed to explain in just a few tweets why Internet security is so crucial.

A fellow Twitter user asked Mikko for evidence that people who use antivirus are less likely to be infected than people who do not.

Mikko picked a random sample that F-Secure blocks: 13ddbd794464b9dd47fdd5ad2cdc329f. He explained that it’s a version of the trojan Zeroaccess that’s blocked by nearly all major antiviruses.

And here’s what he found:

His next tweet was “We just saved 452 users whose computer would have been infected otherwise. Feels good man.”

That’s one day, one sample of the hundreds of thousands of malicious files we block. In just a few tweets, Mikko showed why what we do at F-Secure is so important and why following him on Twitter is such a constant treat.

Cheers,

Jason

Share this

As Facebook’s new Timeline is being introduced now is the perfect time to think about how you use Facebook. We have given you 3 things to do before you activate Facebook’s new Timeline. We hope you’ll take those steps to review what you have and will be sharing and with whom. What more can you do?

You use smart passwords and have your PC patched and protected. You know, of course, the most important privacy feature on Facebook is the ‘Post’ button. If you make a point of NEVER sharing anything that you wouldn’t want your grandmother or your worst enemy to see publicly, you’re off to a good start.

 But what extra step can you take prevent invasive tracking and protect the private data on your computer?

Here’s what Sean from F-Secure Labs recommends: Do all of your social networking in a one browser. Use one browser exclusively for “public” behavior. Then use a separate browser for all of your private banking, shopping and viewing. This strategy helps you avoid worries about tracking and information bleeding between your private and public lives.

Want to be even safer? Use a dedicated machine for your social activity. This is an extremely wise strategy if you use your PC to manage your finances and or business.

An added advantage to using a ‘public’ browser or PC for your social networking is that you’ll constantly remind yourself that what you share online stays online.

So we want to know. What do you think of Facebook’s new Timeline?

Cheers,

Jason

Share this

1. ‘Tis the season to change your passwords.
Especially if you haven’t yet in 2011, now is the time change the passwords of you most important accounts.  F-Secure’s Chief Research Officer Mikko Hypponen says, “Focus your password efforts to services that actually matter to you. Lousy passwords are not a sin on a site you don’t really care about.” Here’s a system we recommend to create and remember strong passwords. Also keep in mind that you want to limit the private information you share on public machines or over free Wi-Fi networks. If you must do banking or shopping from a machine or network you do not trust, use one-time passwords, if at all possible.

2. Plan ahead but don’t post ahead.
Decide which devices you need on your travels, back up your data, and hit the road. But wait till you get home to post your travel plans on social network. If you would like to make your whereabouts known to a group of people, consider email. If you must use Facebook, make sure you’re a privacy settings master. The general rule is, “Don’t tell anyone online that you’re going out of town who wouldn’t in real life.” After you return home is the best time to share your photos and memories with your social circle.

3. Take the geo-tagging data off your images.
Every few months there is a major news story about how thousands of people are sharing their location unintentionally via the pictures that they take on their mobile devices. Even if you don’t tell your social network that you’re out of town, they already may know from the metadata on the photos you share.  Here’s how to turn off geo-tagging on your phone.

4. Shop smart and monitor your credit cards.
Make sure you’re on a secure “https” site when you make any online financial transaction. Use retailers that you trust and search on their sites rather through search engines, if possible. Use one-time use credit cards if your bank offers them.  If not use the same card for all online transactions and keep an eye on your credit card account at least weekly to report any suspicious transactions.

5. If possible, put a remote lock software on your smartphone.
Smartphones often contain the keys to our online lives. If you’re out traveling celebrating, you’re much more likely to misplace it. A remote lock software like our free Anti-Theft for Mobile makes it easy to lock your phone from anywhere. It can help you locate your device and, in the worst case scenario, you can remotely wipe it and protect all your sensitive data and private images.

–

Nothing is more irreplaceable than the time you spend with the people you love. Hopefully these tips will help you safely create memories that last a lifetime.

Cheers,

Jason

 CC image by Beverly & Pack.

Share this

F-Secure Labs offers a look at some of the most ghoulish threats  your PC and mobile devices are facing this Halloween and a few tricks to keep evil spirits at bay.

Jobs is Not Forgotten
More disturbing than zombies, this one is just sickening. Before Steve Jobs even passed away, affiliate marketers were using the Apple founder’s funeral to rack up sales. Emails are already circulating with supposed links to Steve Jobs’  funeral video, as well as an option to “Pay Tribute to Steve.” Whenever a news story captures the world’s attention, it can be used as bait for scams on everywhere from Facebook to Google search.

The antidote? Use our free ShareSafe app to protect your Facebook friends and always use Google News to search for breaking news.

One Bad App Can Spoil the Bunch
Bad apps are like Vampires that need your permission to enter your house. Bad apps may first appear harmless, then dig into your private information. Mobile banking trojans can now install themselves with the help of phishing sites that ask for your phone’s identifying information. Other apps can even act as a fake installer to get access to send premium SMS messages from your phone. Most of these threats are limited to mainland China, Russia and Eastern Europe. But if you let it in, you’ve been bitten.

The antidote? The same defense of this dark art applies wherever you are in the world: Only download software from official marketplaces or vendors you trust.

Mac Users Forced to Admit the Existence of Mac Malware
For the first time Mac owners are finding that even their fancy dwellings may become haunted. These attacks are like a Ghost of Halloween future as it lays the groundwork for creepy crawlies to come. A new trojan attempts to put a trance on Mac users and convinces them to disable the updater in Mac’s built-in Anti-virus. Another trojan acts as an Adobe Flash update to get users to click install.

The antidote? Now, even Mac users need to learn what all smart trick or treaters know: only take treats from houses you trust. Go to Adobe.com for all official Flash updates.

Bank Robbers Go Mobile
F-Secure Labs has already seen next-generation phishing attacks targeting Eurpoean banks. Phishing scams have given a new life on smartphones, where users expect pages to look odd and unprofessional. Online criminals have seized on this opportunity to launch man-in-the-middle phishing attacks, which allow the attacker to intercept messages between you and your bank.

The antidote? Don’t click on links in emails from your bank, especially on your phone. If your bank has an official mobile app, use it!

Tag You’re Tricked
Facebook now allows anyone to tag anyone. If your friend tags you in a ridiculous picture, that image could pop up on your Facebook profile right as a potential employer or date is checking you out.

The antidote? Go to the arrow in your upper right corner of your Facebook profile > Privacy Settings> Under “How Tags Work” click “Edit Settings.” Then turn “Tag Review” or “Timeline Review” on. This means you get to approve any tagged content before it’s displayed on your profile.

Have a safe and wonderful Halloween,

Anna

CC image by SpindlierHades

Share this

If you love the Internet

The US government declares every October Cyber Security Awareness Month (NCSAM). Of course, around F-Secure every month is cyber security awareness month, but we appreciate the opportunity to join with millions of other people to spread the information we all need to stay safe online.

For safety tips from the organizers of NCSAM go to StaySafeOnline.org and for the government’s official cyber security site visit OnGuardOnline.gov.

We also want to share some of our favorite awareness posts from the last few months. Check them out then let us know in the comments of this post if you have any cyber security questions you would like us to answer.

What Credit Card Fraud Taught Me

How to Use the Internet Safely—Before, During and After Your Next Vacation

3 Things You Need to Know if You Use Online Banking

An Introduction to LinkedIn Privacy and Security

How to Protect Your Privacy if You Use Facebook

Cheers,

Anna

CC image by br1dotcom

Share this

With Facebook’s new subscription feature, you can follow your boss’s public posts without unintentionally revealing your personal life. And since your boss has most of the power in your relationship, we feel s/he should enable his or her account for a more appropriate relationship.

Here’s how to properly fire your boss on Facebook. (This is option 1 for nice bosses. See below for less-nice bosses.)

1. Unfriend your boss now.
2. Ask your boss to activate Facebook subscriptions by going to this page.
3. Encourage your boss to open his/her public posts to comments, so you can respond to his/her posts.
4. Subscribe to the feeds of your boss you’re interested in.

Making these changes will avoid crossing work with play. It also keeps open a channel of communication if, say, your boss has additional shifts or projects for you to take on. Plus your boss won’t know that you turned down extra work to go to a concert—unless you make that post public and open your profile to subscribers.

The “Subscribe” button brings “asymmetrical relationships” to Facebook profiles for the first time. Asymmetrical relationships exist when one side enjoys some privilege over another as an employer, teacher or supervisor might. And these asymmetrical online relationships create are sparking controversy.

Some union leaders have advised teachers to limit their social networking in general to shield them from claims of abuse. And the US government recently restored the jobs of four employees who used Facebook to discuss the workplace in a harsh but appropriate manner. But the line between appropriate and inappropriate discussion is fine and evolving.

Missouri recently passed a law restricting teachers from Facebook friending any children, including their own. It’s currently being blocked by a judge but a law like this suggests that many people are at a loss on how to relate asymmetrically on Facebook.

By unfriending your boss and subscribing, you’re setting up clear boundaries that are less likely create complications in the workplace.

Now, if you’re already friends with your boss and you’re not comfortable “bossing” them around online, you have another way to stop your private and work lives bleeding together. Here’s option 2 for less-nice bosses.

1. Wait till “smart lists” are active for you on Facebook. (If you open your page to subscriptions, you’ll likely get smart lists soon if not immediately.)
2. Add your boss to your “Restricted list”, which means they’ll only have access to your public posts.
3. Consider using a List or Group for co-workers/work related discussions.

Using Facebook responsibly requires us to turn on the good features Facebook offers—like Profile Review. And changing your online relationship with your boss/“friend” to more closely resemble real life is a smart way to protect your job and your future.

Share this

Yes. Facebook opts you into to almost every new feature, including using your name and image in Facebook “social” ads. Facebook isn’t alone in this. LinkedIn also recently decided that it can use your name and image in ads. Fortunately, this feature is easy to opt out of.

Facebook only uses your image in ads shown to your friends and only to promote things you’ve already “liked.” That’s the good news.

The bad news is that the average Facebook user has 120 friends and likes 100 more pages or groups. Do you remember everything you’ve liked? Might you end up endorsing something you don’t believe in? Would you rather not endorse anything? Turn it off now. Here’s how:

Go to Account> Account Settings. On the left navigation click Facebook Ads.

Under “Ads and friends” click “Edit social ads setting”. At the bottom of the screen you’ll see this:

In that pulldown menu, select “No one”. Click Save Changes.

Facebook does not give third parties the right to use your name or picture in ads. But they might. How do I know? Am I psychic. No. They already have a setting for it.

To opt out of giving Facebook the right to use your name and image in ads, click on Facebook Ads again. Under “Ads shown by third parties” click “Edit third party ad settings”.

At the bottom of that screen, you’ll see this:

In that pulldown menu, select “No one”. Click Save Changes.

You’re done.

The 8 Most Important Ways to Protect Your Identity and Privacy on Facebook

1. Unless you have a good reason not to, use the “Friends Only” privacy setting.
2. Turn on Secure Browsing.
3. Secure your account.
4. Control how the world sees you via Facebook.
5. Turn off Instant Personalization and audit your apps.
6. Watch where you click.
7. Tell Facebook not to use your name and image in Facebook ads.
8. Start using Facebook lists.

Cheers,

Jason

Share this

Several of the men around F-Secure discovered Facebook did so by looking over their wives’ or girlfriends’ shoulders. This anecdotally confirms what Comscore found in July of 2010: social networks reach more women than men and women spend 30% more time on social networks than men do.

In 2004, I was working at a company that was building a social network to compete with MySpace, which had quickly replaced Friendster as the most popular social network in the world. Our team saw how MySpace courted club culture and built celebrities up as they lured bigger celebrities in. We wanted to replicate this feeling of digital nightlife.

Of course, the theory that women attract men to real life social events has motivated nightclubs around the world to offer discounts to females through various promotions for generations. Thus we decided that it was women who drive the growth of social networks, most effectively recruiting others. Sadly, for business reasons, we never got to test that theory out.

But now it seems Google+ may be employing a strategy that is having an opposite effect: men are clearly growing the network. Based on a 46,573 sample of users, SocialStatistics.com finds 86% of Google+ users are male. That’s probably an overestimation, but an abundance of males is a very familiar statistic to those of us who have targeted beta audiences and early adopters.

When you look at total users, there’s no doubt that Google+’s beta is successful. Some have called it the fastest growing social network ever. And Google definitely has not repeated the privacy gaffes in the launch of its Buzz network, which immediately connected users to Gmail contacts.

By only launching a limited field trial, Google has made Plus exclusive, attracting, as F-Secure Security Advisor Sean Sullivan points out, “…just the type of folks that you want as beta testers.”

But will this beta tester population grow a network big enough to compete with Facebook, the largest social network in human history? This privacy-sensitive decision could end up hurting Google+’s bottom line. And it seems that the search giant is beginning to recognize this.

Google+ has now extended 150 invites to all users of the site, a variation on the strategy that made Gmail a global powerhouse. And users can now invite friends via Twitter links.

But the question remains, since you can’t advertise on Facebook, how do you reach those non-beta users who will make your network social? Ask Tom Anderson your friend from MySpace. He’s advising Google+ to court the influencers that made MySpace such a juggernaut and to do so quickly.

Cheers,

Jason

CC image by: Sean MacEntee

Share this

Why (should I be worried)?

Worm:iOS/Ikee.A changed the phone's wallpaper

Last week I gave a brief summary of the kinds of threats a user might encounter on the smartphones of today. This week’s article is supposed to cover the reasons why a user would worry about mobile malware, so let me give the short answer now:

Usually, mobile malware attacks are motivated by: Bragging rights; money; stealing personal information that can be sold for money. For the user that gets hit by the malware, it means: Losing control over your phone; losing your money; someone else might be using your personal details for who-knows-what.

So let’s assume your phone’s been infected. Just how much should you be worried? Well, that kind of depends on your luck and what kind of malware you’re dealing with.

“Hey folks! Look what I can do!”

Like PC-based malware, the first threats to appear on the phone are often the product of some technically-minded person finding a loophole in the phone’s operating system, writing a program to exploit it, then releasing it to the general public to, basically, prove that it can be done. A prank for bragging rights, more or less. There may also be more subtle motivations involved, but if your phone is on the receiving end, you probably wouldn’t care.

Sometimes, if you’re lucky, that first malicious program doesn’t do anything worse than changing the phone’s wallpaper (Worm:iOS/Ikee.A is a good example here). So, for the user, the cost for the malware creator’s bragging rights is: time spent dealing with the problem and probably a massive headache.

Not a good loss, but bearable. Unfortunately, the next two potential losses for a user hit by mobile malware – money and/or personal data – are more serious.

“Give me back my phone!”

As other attackers get hold of that pioneer program and modify it to be more malicious, the next few versions (or variants) of it usually get more ‘risky’ to the user. If the malware is really malicious, it can alter the phone’s functionality to the point that the device is basically ‘bricked’ – it can’t be used for anything other than a paperweight.

Some examples we saw on the Symbian platform – which, by virtue of being the first widely used smartphone platform, also suffered the most threats – were Cardtrap, Skulls, Romride and Locknut. At this point, if the damage isn’t recoverable, the user is also out by the price of the phone and loss of the data stored on the phone itself. Ouch.

SMSes = $$$

Still, not everyone has to be concerned about data loss, if they have their contacts backed up elsewhere and they don’t keep financial or confidential details on their phone. What if you do, though? Say, you do mobile bank transactions, or store your PINs or account log-in details on the phone? Can an attacker find a way to pull confidential data off the phone?

‘Early generation’ smartphones – for the sake of this article, let’s say they’re the ones that sent data out by WAP  – didn’t give crooks a lot of options for getting hold of data they could make money from.  On these phones, the ‘traditional’ way for crooks to make money was through what amounts to SMS fraud (an example is the Redoc trojan family).

In this kind of scheme, the attackers has to plant a trojan on the device that forces it to send SMS messages to a premium phone number, which can wrack up a high phone bill for the user. Though effective, these attacks tend not to be very widespread, as they are limited by the geographical location and size of the telecom networks and target-able users. If you’re not in the target group, the threat is almost nonexistent.

Stealing data

Nowadays though, ‘new generation’ smartphones – as in ones with fast data connections back up by unlimited or cheap data packages from telco providers, making it convenient for a user to just leave the data connection open – offer a crook more options. Instead of bothering with SMS fraud, they can create malware that find and retrieve specific information stored on the device, which could potentially give far greater returns. Case in point is the very next Ikee variant, Ikee.B, which stole financially-sensitive information stored on the phone.

In this case, the loss is hard to estimate as fortunately, this type of malware isn’t common and the risk they pose is highly individual, depending on what details you store on your phone. It would probably also depend on how the attacker would be able to convert the details stolen into hard cash – sell it off in bulk together with details stolen from others? Find a way to log into a compromised account and withdraw the money?

There’s no ‘standard scenario’ here, so it’s hard for a user to realistically evaluate the fallout of having data stolen off their phone. All that can be reliably said is that personal and financial details are major targets on a PC and they’re probably no less attractive on mobile devices; it’s just that up until now, attackers didn’t have a way to scam these details out of someone on a mobile device.

Going straight for the money

As with PC threats, the main motivation for mobile threats seems to have transitioned from bragging rights to making money. And in a totally unscientific personal observation, it sure seems like mobile malware made that transition much faster than PC threats did. As a very rough comparison:

• Brain, the first PC-based malware, came out in 1986; it was only in the early 2000′s that profit-motivated malwares became prevalent (though there doesn’t seem to be any agreement on which was the first).
• By comparison, the iOS was launched in early 2007; its first trojan (of the bragging rights variety) came out almost exactly a year later; and shortly thereafter came Ikee.B, which was more malicious (but only on jailbroken iPhones).
• The Android OS was launched in late 2007; its first trojan was also the first to try an SMS fraud scam, and it appeared in August of 2010.

It’s early days yet for mobile threats so we really don’t know how they are going to evolve.

It would probably be a safe bet to say that there are going to be more new threats though, and not all of them are going to be as benign as a plastering on a Rick Astley wallpaper.

Next week, the last in this series – How (can I protect myself)?

Share this

Whether you are currently an F-Secure customer or not, you can post questions in the community and get an answer ASAP. Or you ask a question in the app on our Facebook page and your answer will be posted directly to your profile, thanks to the industry-leading technology of the Lithium Community Platform. Either way you’re participating in the creation of a wealth of knowledge that will be appreciated by people all over the world.

The F-Secure Community continues our efforts to support you using the tools you use most. Just last year our Customer Care team launched chat support that has already become the choice of 45% of our English-speaking users. Chat services are now available during most of the day in 7 languages and around the clock in English.

We’re just getting started and invite you to come along for the ride. The most active participants will be recognized and rewarded. We’re looking forward to adding additional language coverage and Twitter integration. Check it out and let us know how it works for you.

Cheers,
Sandra

Share this

Mikko told the BBC, “One of the reasons spammers are moving to the web is that email filtering is getting better and better. Spam is being sent more than ever in history. Yet people see less of it.”

It’s three minutes and three seconds and manages to include a little Monty Python and lots of surprising information. You can listen to it now: Click here, you’ll be linked to a MP3 of the segment.

CC image by pandemia

Share this

In fact, your name might be appearing in Facebeook ad now saying that you like a certain brand. Facebook opts everyone into Facebook Ads. And you probably know that because you’ve read Facebook’s Statement of Rights and Responsibilities so carefully

You can opt-out of letting Facebook use your name or profile picture  in ads served to your friends by going to Account.

Then Account Settings.

Click Facebook Ads.

Scroll all the way to the bottom and for “Show my social actions in Facebook Ads to”, select “No one”.

What do these ads look like?

Usually they look like this:

Your name and picture can also appear in Sponsored Stories.

According to Facebook, “Sponsored Stories are stories that your friends published into your News Feed. These show up on the right hand side of pages on Facebook. The types of stories that can be surfaced include: Page Likes, App interactions, Place check-ins and Page posts.”

TL;DR? You’ll only appear in a Sponsored Story if you mention a Facebook page using Facebook’s mention tool (which works like a Twitter mention: you type @username.)

You probably haven’t seen too many Sponsored Stories because the mention took isn’t used all that often. And when it is, it might be used sarcastically to make a point. Like: @Starbucks parking lot is full again. I may have to go back to @No-Doz. You can only mention a page or profile you like using this method, which is good because that means you’ve, in a way, opted in twice to any brand that can use your image in Sponsored Stories.

Background

Facebook has used users’ names in ads for a while. Sponsored Stories launched  in early 2011. This seemed to rekindle a Facebook meme where Facebook users complain to each other about how Facebook uses our name and image in ads.

We recently shared a link that stirred some controversy: “How to Stop Facebook from Using Your Name and Profile Photo in Facebook Ads.” From the reaction we saw, it seemed that many people needed a reminder about Facebook’s ad policies. However, one user suggested that we were being alarmist and participating in a meme that could be use to drive spam or even spam apps.

To be clear: Facebook isn’t allowing third-parties to use your name and picture in your ad.

But they may soon, which is why this setting already exists.

To change that setting now, go to

Account.

Then Account Settings.

Click Facebook Ads.

At the top of the page in the section “Ads shown by third-party applications” where is says “Allow ads on platform pages to show my information to” select “No one”.

Now if Facebook starts letting third-parties use our names and images in ads, your name and image will not be used.

Why should I turn Facebook Ads off?

In a sense, Facebook is already allowing third-parties access to your life and identity. You pick who you advertise–the pages you like—and to whom—your friends. But you can’t exclude certain pages or friends. Nor do you share in any of the ad revenue.

A good and bad thing is that only your friends will ever see you in ads. But do you want your boss to see you endorsing an alcohol product in the middle of a work day? Do you want your mother-in-law to know you ‘liked’ Justin Bieber as a joke? It could happen if you don’t opt out.

Why should I leave Facebook ads on?

Do you love Facebook and want to support their revenue growth?

Or maybe you love the pages you interact with and appreciate a subtle way to spread the word. You could enjoy being exposed what your friends like and see this as a new way to interact. Or do you just not care very much about what your Facebook activity says about you?

Leave it on!

The fact is Tivo and ad-blockers have given us a way to avoid many of the advertisements that subsidize free content and services. Yet millions of us like brands on Facebook or follow them on Twitter. It seems many people don’t mind getting information from a brand, they just want control over what they see and how their identity can be used to market  a product.

It doesn’t matter if you opt in or Facebook ads, what matters is that you make a conscious choice.

And when it comes to your image being used to endorse products to your friends, Facebook has made that choice for you. Is this another feature that one should have to opt-in to? I think so. Is it annoying enough to make me quit Facebook? I think Facebook is well aware that the answer to that question is “No.”

Cheers,

Jason

Share this

Here are the 5 dumbest things you can do online. There’s so dumb that you’re probably not doing any them. But you might want to check just to make sure.

1. Believing it can’t happen to you
   I’ll admit it. I’ve fallen for quite a few of the scams that are out there. I’ve clicked on a bad attachment, once. I clicked a bad link in an email, in an IM, on a MySpace page, once. I got phished on Twitter, once. If I didn’t have Internet security software and some good luck, I would have suffered some lasting consequences or embarrassment for those mistakes. Fortunately, the only harm was being reminded how scammers and spammers will find a way to user any new communication technology. That’s a lesson I learn whenever I get cocky online and forget to think before I click.
2. Use the same key for every door
   61% of targeted attacks in 2010 relied on malicious PDF documents. Almost every PC user with a credit has a PDF reader on their PC, so cyber criminals are looking for was to make PDF’s profitable. So why use the most popular PDF Reader in the world if will suffer the brunt of the attacks? Why use the most popular anything? Seek out alternatives, especially when it comes to creating passwords and security questions. Make sure your password isn’t the world’s most popular password, which is “password”. Make the passwords for all of your most important accounts unique and strong. And make sure the answers to your security questions cannot be guessed by Googling you or looking at your Facebook profile.
3. Ignore your  browser bar
   Do you check your browser bar to see what URL you are really on before you login to your Facebook, Twitter or bank accounts? Criminals can fake the look of almost website in the world. But they can’t fake the URL. Whenever you’re entering login information or buying anything, give that browser bar a check to make sure you haven’t landed on a site you don’t know or trust.
4. Confuse links with your friends
   Social spam exploits the trust we have for our online friends. I’m not likely to open a spam email from a stranger. But whatever my mom or wife send me catches my eye. Thus, I’m more likely to click a bad link in an email from my wife and continue the outbreak. Spam is contagious. Click the wrong link on Facebook and you could end up spamming all of your friends and you may continue spamming them until you remove the spam app from your account. Most of your friends are probably on Facebook and they all are making the same mistakes at least once. New studies show that bad links on social sites are as common as they are on porn sites. So never forget, links are not your friend. Pause before you click on a link in you Facebook News Feed. If you see a link that includes OMG! or LOL or something inappropriately sexual or shocking, copy it and check it with our free Browsing Protection.
5. Expect free to be “free”
   In Silicon Valley, there’s a saying: If you aren’t paying for a product, you are the product. That means Facebook’s product isn’t a set of tools that makes it easier for friends to connect. Facebook’s product is the 650 million people it can market to using the trust we all have for our friends. Gmail scans your email to deliver ads based on your intimate communication. That’s the cost of using the site. Sites that share free movies and music may also be sharing free malware. On the Internet, “free” is just another word for “Watch out!” Facebook definitely has some privacy problems. It will continually push you to share more and more without ever telling you what not to share. Sharing is their business; encouraging shyness isn’t. So always remember the mantra: never expect anyone else to protect your privacy.

Being savvy doesn’t mean being paranoid. Just know that criminals will use anything—including the trust you have for your friends and your favorite Internet companies—to trick you. So you think before you click. If you don’t have time to think, wait to click.

And just in case, make sure that your system is secure and your software is patched and protected. Our free Health Check makes that easy.

Cheers,

Jason



Share this

F-Secure has won the Whole Product Test from AV-Comparatives while achieving another Advanced+ award — our seventh this year! That makes us the security vendor with most awards from AV-Comparatives in 2010.

The Whole Product Dynamic Test is conducted by AV-Comparatives and the University of Innsbruck. It looks at all the features in a security product that contribute to protection.

We’re proud that in this test F-Secure blocked more malware than any vendor. It shows that we’re living up to our commitment to protecting the irreplaceable on your PC. If you are not yet protected by F-Secure, we invite you to try out our award-winning protection for free.

Cheers,

Sandra

Share this

In addition to updated internet security, there are a number of simple methods you can use to protect yourself from credit card fraud, and avoid others using your details for their own benefit. Keep your card in a secure place, don’t forget it at every bar you go to, don’t shout out your number while waiting for a subway. Basically, think of everything John does, and do the opposite.

Here are three credit card safety tips that John would definitely ignore.

1. Only make online purchases when you’re on a protected PC in a secure network. And only enter your credit card info at reputable, secured websites. (Look for the “s” in the https://.)
2. Ask your card provider or bank if they offer one-time use credit card numbers for online purchases.
3. Review your credit card monthly statements and check your account online sporadically. Contact your provider immediately if you notice any purchases you did not make.

To help protect your credit history and your peace of mind, you can try F-Secure Internet Security 2011 for free today.

Tell us about your experience! How do you prevent your precious card information getting into the wrong hands?

Share this

A dialogue screen shown by Virus:W32/Duts.A

This is the second posting in a three-part series covering common threats a user may encounter.

This series serves as a rough and ready guide, highlighting key features and trends relevant to most users.

The One That Left

Last week I spoke of Trojans, Viruses and Worms as The Big Three. I lied a bit, though. Viruses – as a distinct malware type – probably shouldn’t be on that list any more.

Viruses have always loomed large in users’ minds as the poster child of malicious programs – heck, we even call it the anti-virus industry. In the last 10 years or so however, the number of virus infections has nosedived; our Labs, which once dealt with viruses routinely, now sees a proper virus infection about once or twice a month. Today when people talk of ‘viruses’, more often than not what they’re describing is technically a trojan or a worm, and they’re using the term in a general, ‘any malware will do’ kind of way.

That’s not to say viruses are extinct; we still receive a small, if persistent, number of queries about viruses. This may be because many businesses, households and users (both in developed countries and in recently connected developing ones) still use old, out-dated, unpatched machines or programs, or haven’t yet developed a security-conscious habits.

Whatever the case, virus infections will probably still cling on to life for a weary day after, so let’s take a look at them.

Highlights of a virus

Definition of a virus given by Merriam-Webster online dictionary

The Merriam-Webster online dictionary’s bare-bones definition of a computer virus touches on important elements most users should know, so I’ll just elaborate a bit more on some key concepts:

“usually hidden within another seemingly innocuous program”

Last week I compared a virus to a parasite, because not only does it ‘hide’ in another program, but also depends on its host to function. For the virus to run, the unsuspecting user must actively launch the infected program, which in turn launches the virus.

For this reason, virus writers usually create viruses that infect executable files (especially popular programs such as word processors or media files), which have a higher chance of being run; programs with files that get passed around a lot are extra attractive, since they can affect even more potential victims.

A good example is the Microsoft Office suite which, with their huge community of business and personal users, used to be a popular target for macro viruses. We still see queries related to this virus type, though thankfully far less than previously.

“Produces copies of itself and inserts them into other programs”

If you think of the common cold virus spreading from one person to another, you’ll have a pretty good idea of why this behavior can be so damaging. When a infected file is executed, it searches for and infects new files; if the newly infected files are launched, they find and infect new files in turn, like some evil Multi-Level Marketing operation. At worst, this pattern can lead to every targeted file on the system being infected.

“Usually performs a malicious action”

The damage a virus can do by replicating and infecting new files is bad enough; its payload, a completely separate set of nasty actions, can be worse. The range of actions a virus can take is huge – connecting to a remote site, changing the desktop wallpaper, displaying silly notification messages, deleting data files…it really just depends on the virus author’s imagination and programming skills.

If you’re lucky, they’re not that good and you get failed viruses like Virus:W32/Stardust; if they’re good, then you get really nasty beasts like Virus:W32/Virut or Virus:W32/Sality.AA (one of the few viruses we still find regularly active).

Appending, prepending, cavity…who cares?

A dialogue screen shown by Virus:W32/ZMK

With thousands of unique viruses out in the wild, antivirus companies find it necessary to divide them into sub-types. Unlike trojans though, viruses don’t fall into neat categories reflecting their actions; instead, they naturally fall into groupings based on technical differences in the way they infect a file – which is  basically gobbledeegook to a user not interested in detailed analysis.

Gnerally, viruses can be divided into two groups – system infectors and file infectors. The majority of viruses are the latter and infect programs or data files. System infectors on the other hand write their malicious code to specific, critical sections of the hard disk containing the operating system, so that while the OS is running its normal routines, it’s also unintentionally executing the virus code.

Fortunately, for most users a virus’s classification is largely academic. For better or for worse, the sheer variety of possible effects each unique virus can have on a file or system makes it more practical to take each virus on a case by case basis.

Back to what’s important – why should the user  care?

So let’s go back to the original question that sparked off this series: do you really need to know if it’s a virus – as opposed to, say, a trojan or worm – infecting your computer?

Well, it helps to know because the two malware types tend affect your data and computer in different ways. As a (very) general rule, trojan infections is more about data theft and loss of control over the computer; virus infections tend to result in software disruptions or damage.

Trojans may copy and steal your data, but they don’t usually destroy the data file itself; they may stop programs from running but they don’t destroy the program. A virus on the other hand, insert its own code into a program or data file, and depending on how it does so, may either leave the host completely unharmed and functional, slightly disrupted, or completely non-functional.

Another difference between trojans and viruses that really affects the user involves disinfection. For one thing, a trojan is usually a single, discrete program – getting rid of it tends to be fairly simple, a matter of removing the malicious file and its residuals (registry keys, processes, icons, etc). Removing the trojan also generally doesn’t affect the integrity of other files on the computer.

Viruses are far more nebulous by design – they can be present in multiple files, in different locations. Identifying a virus-infected file may require scanning the entire computer to be sure every affected file is caught. Removing malicious code from an infected file or – if it can’t be saved, deleting the infected file entirely – can also be problematic if the damaged data is important or the program is a critical system component.

And this doesn’t even take into account the virus’s payload, which can produce a whole other set of worries.

If you’re still interested

Still, there is a ray of hope. If current malware trends persist, we may soon see adware or backdoors promoted to being the newest member of The Big Three, and viruses – as a distinct malware type – can finally be relegated to joining 3½” floppy disks in Computer Hell.

In the meantime, here’s some links to other, more in-depth resources on viruses:

• How to tell if a malfunctioning PC has a virus by TechRepublic
• Computer viruses: description, prevention, and recovery by Microsoft Support
• Trends in Viruses and Wormsby Thomas M. Chen (Cisco)

Or partially available on Google Books:

• “Elements of Computer Security” by David Salomon
• “Cybercrimes: A Multidisciplinary Analysis” by Sumit Ghosh

Next

Coming soon – Worms!

Share this

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced. Like our Facebook page for more giveaways and online safety tips.

We’re happy to say that Safe and Savvy has been named a winner of a 2010 Top Blog Award.

We’ve been blogging for less than a year. In that time, we’ve talked about quitting Facebook and what to do if you stay. We’ve covered the best methods for backing up your content and how to make sure your web cam isn’t spying on you. And we’ve told you about what happens when you get robbed in the World of Warcraft and how to find out if you have a cyberstalker.

And we always want to hear from you, which leads to…

This week’s question is: What online safety or security question would you like see us blog about? If you can’t think of one, you can just tell us about a Safe and Savvy post that you’ve appreciated.

Just read the rules and post your answer in the comments. This week’s winner will receive an iPod touch 8 GB plus F-Secure Internet Security for your whole family (up to 5 members).

HomeSecuritySystems.net

Cheers,

Sandra

CC image by takomabibelot

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #7- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 6:00 PM PDT on October 31, 2010 and end at 6:00 PM PDT November 7, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 6 prizes a iPod touch with a retail value of $229.99 and 5 F-Secure Internet Security licenses with a retail value of $299.95 will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #7“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/10/23/get-real-sweepstakes-week-7/ and comment on the post once or twice. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments made be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with accidents, terrorism, theft, natural disaster, the promotion of the Get Real Sweepstakes, the distribution of any prize, entrants’ participation in and/or entry into the Get Real Sweepstakes, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

Share this

To hide your friends list on Facebook, you’ll need to do the following:

1. Go to the “Account” tab and select “Privacy Settings”

2. Under “Basic Directory Information” click “View Settings”

3. In the “See my friends” setting select “Customize”

4.Below “Make this visible to” select “Only Me”

You can also go to your “Profile” and click on the little pencil above your friends.  You can select how many friends to show. But you can’t select 0.

To hide your list entirely you have to click “Change Visibility Settings” and end up at step 3 above.

Facebook makes it far too difficult to hide your friends. In the site’s defense, it’s not as hard to find as some of the site’s other opt-in features. And you’re probably not going on a social network to be anti-social. And if you need to hide your friends from even your friends, you’re adding the wrong people as friends.

But still, Facebook, c’mon! Put 0 as an option right on my profile. I may want to be social in different ways than the 550,000,000 other people on your site. Or maybe I want to protect my friends with intriguing politics. Or maybe I’m neurotic about the karma in connecting the wrong people. But give me the choice.

I admit it: I just can’t quit you, Facebook. But if you keep pushing me away, you’re eventually going to succeed. So every once in a while, surprise me! Error on the side of making it easy to control my privacy.

Still your friend,

Jason

Share this

Her choice alarmed me, but not because I think that it is wrong to begin dating via the internet; I’ve tried it myself and I know of many success stories. The thing that worries me about my friend is that she goes about it the wrong way and has an oblivious attitude to the pitfalls of looking for a partner online.

I tried to warn her, but she’s so romance struck that she doesn’t care. That’s bad news.

My friend has discovered that there are an awful lot of people seeking romance and flirtation online and that some of them are very forward indeed. First she was contacted by a very nice, interested man, who turned out to be married. ( It’s a good thing she searched for him on Facebook.) Yet this hasn’t  discouraged her from trusting people. She still responds to messages from ‘friendly’ strangers on her instant messaging client or unsolicited Facebook friend requests, particularly when the messages seem to be from young men who cannot flatter her enough.

No, no, no.

I’m happy for her to have as much fun online as she wants to, but I really wish she would be more savvy about the risks.

The main issue with online dating is the scams that target the love-struck victims. I found a good list of these on Hot Scams.

(As an aside, the dubious-looking Google Ads for dating sites that show on the Hot Scams pages both disturb and amuse me. They are exactly the kinds of link that you should run through F-Secure’s online link checker before you click on them).

Dating scams are getting more and more common. Your new ‘love’ will try to get you to call them (on a premium rate number), to bail them out of trouble, to share your bank details, to send them a phone (so that they can call you) and so on. They won’t do it immediately. They will get you hooked first. Once you are hooked, they can convince you to help them rob you.

Next up, there is a small chance that by giving your details away to a stranger online you could put yourself at risk. Perhaps you would make a good target for bribery. For example,  you are flirting while married or have a job that requires you to maintain a spotless reputation. Or else, perhaps things will go too far and what you thought was just internet flirting leads to your having a stalker who tracks you down and tries to advance the relationship offline beyond what you could have expected .

In addition to the financial threats and the small chance that you will put yourself in physical danger, falling prey to many of these dating scams can be embarrassing. Imagine your friends finding out you were one of the women who fell for the US Army scam; or having to be as brave as the woman who admitted to losing 10,000 dollars because she fell in love online; or having to tell your boss that the intimate conversations that were e-mailed to him were part of a bribery attempt. It’s easy to assume that you would never be that unwise, but things look different when you are falling in love.

On a more positive note, as I mentioned, I do know of online romance success stories – romances started through games, interest groups and even local dating sites. These are examples of people who did things right. They took their time getting to know one another, met in a safe public place and built their trust and relationship over time.

I’m still going to suggest that my friend goes to the pub or joins a group offline. I’m sure her self-confidence will increase soon. Then she’ll be able to enjoy the benefits of dating in-person, where she has more experience and is a bit more savvy.

CC image by slettvet.

Share this

It was a dark and stormy night. The only light in my room is the soft glow of my PC monitor. The wind howls against the window sill as I wait for the auction to close. Suddenly an email pops up from my Outlook. I try to shut it but instead I accidentally open Windows Media Player.“Close! Close! Close!” I command, as press Ctrl + Alt + Delete. Task Manager. End task on everything but Firefox!

And there they are, again—the perfect color, the perfect addition to my vast collection. I breathe out. Thirty seconds left. I move my cursor to the “Buy” button. “These Christian Louboutins will be mine,” I promise myself aloud. Suddenly a scream, a horrible, screeching scream. And it’s coming from my own mouth!

My PC crashed—another victim of the dreaded “Blue Screen of Death.”

As much as I love my computer, I will never forget my horror when I saw that screen and lost those shoes at THAT price. Oh, the horror.

PCs are, of course, generally wonderful, but sometimes they can be absolutely frightening.

Viruses, malware and phish. Oh my. And then there’s the pop-ups, the bad links, the evil attachments.

If your PC is protected and you’re smarter than John, you can avoid nearly all of the dark spirits who want to haunt your PC. But still, even the best of us end up with our hands around the base of our monitor, attempting to choke it.

So in celebration of Halloween, we have to ask: What’s the scariest thing you’ve ever seen on your PC?

Just read the rules and post your answer as a comment on this page for your chance to win a PlayStation 3 160 GB and F-Secure Internet Security 2011.

We’re about halfway to the number of entrants we need to complete our Facebook survey—so we’d appreciate if you’d let your friends and family know about this giveaway. If they win, they’ll almost definitely invite you over for some fun on the PlayStation 3.

Good luck,
Sandra

CC image by Michael.

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #6- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 6:00 PM PDT on October 24, 2010 and end at 6:00 PM PDT October 31, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 3 prizes a PlayStation 3 with a retail value of $299.99 and 1 F-Secure Internet Security license with a retail value of $59.99 will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes: Week #6“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/10/22/get-real-sweepstakes-week-6/ and comment on the post once or twice. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments made be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with accidents, terrorism, theft, natural disaster, the promotion of the Get Real Sweepstakes, the distribution of any prize, entrants’ participation in and/or entry into the Get Real Sweepstakes, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

Share this

UPDATE: This sweepstakes is now closed. The winner will be contacted and then announced via our Facebook page.

Facebook recently announced a new feature: One-time passwords sent to users via text message.

[To use this feature, go to “Account “> “Account Settings”. Under “My Account”, click “Mobile”. If you already have a mobile activated, you’re ready to go. If not, you need to “Sign up for Facebook Mobile.” Facebook will text you a code to activate your phone.  Now, whenever you need a One-time password, just text “otp” to 32665 (FBOOK).]

Does Facebook just want access to more mobile phones, as security expert Larry Zeltser has suggested? Probably.  But Facebook has looked at its user base and attempted to solve a serious security problem.

If you’ve ever taken a look at the screen on the public computers in libraries, Internet cafes and schools, you see that nearly everyone has Facebook open. And the problem with public computers is that you have no idea what has been installed on them—including a keylogger.

A keylogger can track every key you hit, possibly revealing your most intimate credentials to a cybercriminal. That’s why entering your Facebook password on an unsecured public PC is risky. And shopping or banking on an unsecured PC is like shouting your credit card number through a megaphone. You would never do that. People do things online that they would never in the real world.

So here’s this week’s question. Have you ever shopped or banked on a public computer? Yes or no will do. But we’d love to hear your story.

Read the rules and post your answer in the comments for your chance to win a brand new Nokia N8 plus F-Secure Internet Security 2011.

Cheers,

Sandra

F-Secure Internet Security 2011
GET REAL SWEEPSTAKES WEEK #5- COMPETITION RULES AND PRIZES

By entering the Get Real promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 6:00 PM PDT on October 17, 2010 and end at 6:00 PM PDT October 24, 2010.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 3 prizes a Nokia N8 with a retail value of $549 and 2 F-Secure Internet Security licenses with a retail value of $119.98 will be given as prizes in this promotion at the close of the competition.
5. Only one (1) entry, per person per Sweepstakes will be accepted.  Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “Get Real Sweepstakes Week #5“. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 30 days of the promotion closing date.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2010/10/15/get-sweepstakes-week-5/ and comment on the post. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments made be edited by F-Secure without explanation.
11. Any entrant who attempts to cheat or tamper with the Get Real Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with accidents, terrorism, theft, natural disaster, the promotion of the Get Real Sweepstakes, the distribution of any prize, entrants’ participation in and/or entry into the Get Real Sweepstakes, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14.  Employees of Sponsor and family members of such employees are not eligible to enter.

© 2010 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

CC image by Andres Rueda.

Share this

All of these things put me at risk of being exploited by cybercriminals. So I just don’t do them. Yet I have to admit that I’ve needlessly put myself (and others) in danger while on the Internet.

Yes, I used to text and email while driving. Since texting while driving became illegal in my state this summer, I stopped (with one or two exceptions). But until yesterday, I had no idea how dangerous poking at my little phone with my thumbs truly is.

According to a new study, drivers distracted by their cell phones killed 16,000 people in the United States from 2001-2007. Even as traffic deaths have fallen to the lowest levels since the 1950s, deaths caused by distracted drivers have risen by 4.1%. And distracted driving fatalities increased dramatically starting in 2005—right around the time texting became a mainstream activity in America.

Statistics show that if I text while driving, I am 23 times more likely to get in an accident. Texting makes my reaction times as slow as a man twice my age. And what’s scariest of all is that reading texts is more harmful to my driving than writing them. This suggests that as our phones become increasingly connected to Facebook walls and Twitter and YouTube, they become increasingly dangerous in the hands of a driver.

And the problem is only getting worse. The researchers behind this study predict that distracted driving will increase 19% for every 1,000,000 new cell phone users.

These numbers may be too optimistic. Our cell phones are becoming more intelligent, more addictive and more distracting all the time. And as features like video chat become standard, the potential for distraction multiplies exponentially.

I love my phone. I admit it. But now that I’m aware of how negatively it impacts me, I’d be a fool to use it while driving.

Stay safe,

Jason

CC image by Jason Weaver

Share this

One of the stranger perils of being a technical writer involves being ambushed at odd moments by people demanding on-the-spot explanations of complex technical concepts.  I was out on the town one night and somehow found myself having to explain to a not-too-tech-savvy friend how to differentiate between a virus, a trojan and a worm.

After patiently listening to a lengthy, rambling answer, my friend thought it over for a minute and then asked, “So, why should I care? Why is this important to me? Do I really need to know the difference between different types of malwares?“

My automatic reaction was to say, “Of course you need to!” – but to my surprise,  I couldn’t coherently express why I felt that way (though to be fair,  I was having trouble thinking clearly about anything that night).

Thinking it over in the sober light of day,  I realized that he’d actually asked a pretty good question. For most computer users, the difference between malware types is academic and irrelevant – at least,  right up until their computer gets infected. If everything’s working just fine, why in the world should they be able to distinguish between an exploit and a backdoor?

A Technical Person’s Answer

To get a expert’s opinion on this,  I relayed my friend’s question to an Analyst in our Response Lab. His reply was (and I’m paraphrasing here):

“Yes,  so that if anything happens, you’d know how the computer got infected, how to deal with the infection, and how to prevent it from spreading.”

Now, that’s the condensed version of a technical person’s answer. The real answer was actually a long, in-depth and detailed explanation covering how certain malware types had specific behaviors and particular vectors for distribution, as well as recommendations for dealing with particular types of infection.

And that there was the problem in a nutshell – it’s a lot of information to absorb. It was a thorough answer, but not an easy one to communicate to people with little interest in technicalities.  Some parts of the explanation also assumed more computer knowledge than most users would probably have or want.

Having said that, I thought the condensed version of our Analyst’s answer seemed like a helpful, ‘user-friendly’ answer. It summarizes all the main points effectively, puts it in a context most users would understand  and – this is important – it isn’t long-winded. I’ll come back to this again a little later.

Why A User Doesn’t Need To Know Malware Types

Trying to find a simple, all-encompassing answer to my friend’s question made me wonder if he really had a point and that users didn’t really need to know something as technical as malware types. So I decided to turn the question around and ask:

“Are there any cases in which ‘the average user’ doesn’t need to know the difference between malware types?”

The following four scenarios were the only ones I could think of where knowing malware types wouldn’t be helpful (if you can think of others, feel free to leave a comment). Of course,  I included some reasons why I think knowing malware types would be helpful even in these situations.

1. I don’t do anything that might harm my computer.

   If you can honestly claim this, you’re probably what I’d call an Exemplary User: someone who diligently updates the operating system and programs, never installs programs or uses removable media without thoroughly vetting it first, doesn’t download from untrusted sources and basically, just does computer security right.

   An Exemplary User can laugh with scorn at looming malware outbreaks.  If this describes you, great! You can stop reading now. (Heck, you probably know the malware types already, anyway).

   Since the vast majority of users will never qualify for Exemplary Userhood however (myself included), the second best scenario is:

2. MY computer can’t be infected.

   No, I’m not starting a PC versus Mac debate. What I mean is that even if malware does get onto your computer, it needs to find a suitable environment before it can have an effect. A Linux virus that somehow manages to get onto a Windows machine usually can’t do anything except blush sheepishly. Ditto for a backdoor that uses HTTP to connect to a remote site but ends up on a standalone computer without Internet acess.

   If your computer happens to be set up so that the majority of malware doesn’t target it or affect it (now you can start the PC/Mac debate), then our query becomes moot. Again, congratulations!

   Of course, most people have very little choice in the kind of operating system or programs they have on their computer, particularly business users. Even home users usually have to consider familiarity and affordability over specifically tailoring their computer to be malware resistant. To fix that, most users use antivirus protection. Which leads to reason 3:

3. Why worry? My antivirus will remove it.

   Actually, since I work for a computer security company, I’d reeeaaally like it if more people could claim this. And hey – shameless plug – our Internet Security is doing pretty well in independent tests!

   Unfortunately, this solution isn’t 100% bulletproof, especially if you’re not an Exemplary User or are just plain unlucky.  Sometimes, the antivirus doesn’t catch the malware. Or it makes an error and the wrong file get fingered, causing all sorts of mayhem. Worse still, the antivirus turns out to be rogueware.

   In other words, the program you’re depending on to sort out all the problems….doesn’t. What then? Ah, then we move on to reason 4:

4. Not my department. (IT/Tech Support/the computer guy) will just clean out any infection for me.

   OK, so the person fixing an infected computer should be the one with the technical knowledge, true. That person may not be the user, true. If you have someone dependable, willing and trustworthy, who can fix anything that goes wrong…can I have their number? Such a person is a godsend. Treasure him/her.

   Still, even if you’re that lucky, it’s often a great help to the actual technician if the user can pinpoint the probable cause. Knowing what type of dastardly program is screwing around with the computer gives the technician a good place to start investigating, and maybe also some idea of how to fix it.

   Or, to use an analogy, it’s the difference between driving to a workshop and telling the mechanic, “My car’s making a funny sound”, and saying, “The fan belt’s busted.”‘

And the Conclusion Is…

If you’re not in one of the 4 ‘Ideal Situations’ listed above, then it would probably be helpful for you to know the different kinds of malicious programs that can damage your computer, because…well, refer to condensed Analyst’s answer above.

Realistically though, learning about malware types, even superficially, requires investing time and energy that not every user can spare – which is why technical writers (ahem) have to find ways of communicating these concepts in ways that are interesting and easily accessible for everyone. Which brings us back to the condensed Analyst’s answer. It’s short, to the point and gives just enough information without being overwhelming. And if more information is asked for, well that’s the time to start going in-depth.

Personally, I like it – but since my part of my work deals with malware types anyway, I freely admit to being biased about this. So really, the best people to evaluate how useful that answer is – You, dear reader. So how about it? Do you think the condensed Analyst’s answer is a helpful, informative reply?

——

Oh and since we’re on the topic, here are the Types F-Secure uses to classify the samples – the good, the bad and the merely suspicious. You can also find plenty of other sites with excellent information on this topic – for example, HowStuffWorks.com has great articles explaining how trojans, viruses and worms work.

Share this

In a battery of tests that used 200 client and server systems, AV-Tests found that Internet Security delivered when it came to defending and restoring your system. Andreas Marx, CEO AV-Test, said, “It’s good to see that F-Secure Internet Security does not only offer a high protection and a good repair, but at the same time, it has less impact on the system from the usability point of view.”

And we’re especially proud of our Usability score — 5.5 out of 6.0 possible points,  the highest score archived during this review. It’s our goal to protect you in a way that has almost no impact on your PC. AV-Test says that we’re doing a pretty nice job of this.

AV-Test also gave us credit for one of our strengths—keeping your computer from turning into zombie that can be exploited by cybercriminals. Marx said, “The detection and removal of actively running stealth malware such as rootkits was no problem for F-Secure Internet Security, but for many other reviewed products.”

We promise not to strain our arm patting ourselves on the back. And we won’t rest on our laurels. The bad guys never give up so we work hard every day to give you the kind of security that makes it so you don’t have to worry about your security.

Cheers,

Sandra

Share this

The F-Secure Theater Group and Sean Sullivan have put together a quick look at F-Secure Internet Security 2011. Check it out and we hope you’ll see why we’re so excited about the latest version of our award-winning software. It was made just for you.

When you’re done with the video, you can try the beta version of Internet Security 2011 for free and get your chance to win an iPod touch. We look forward to protecting you.

Cheers,

Sandra

Share this

An ATM skimming device is used by crooks to steal a person’s bank card information and pin number when a victim uses a targeted ATM. And while they are rarely used, you should always be on the look out for this threat to your financial security.

There are usually two pieces to the thief’s equipment. One involves the skimming device itself, which can be very hard to spot. The ATM skimming device is usually designed to look like it belongs on the machine and is fitted over the actual card reader slot.

While some skimmers are much bulkier than the real card reader, others are extremely slim and barely noticeable. Some people will jiggle a card slot reader to see if it is loose or comes off before using an ATM.

Once you enter your ATM card into one of these skimmers, it will capture your card’s information, which will allow a thief to create a fake card with your information on it.

The second part of the ATM skimming equipment is a device or camera to capture a victim’s pin number. A strategically placed camera is the most commonly used device.

Tiny cameras can be hidden almost anywhere on the ATM machine and are very hard to spot. The most common location for a camera is affixed to the inside of the top of the machine so that it is looking down onto the keypad. In this manner, the camera can capture images of the victims’ pin numbers as they punch them in. However, a camera can be located almost anywhere on the machine where it will have a good view of the keypad.

Occasionally, a more sophisticated skimming device will actually capture the numbers, usually by means of a false keypad that can electronically capture the numbers.

For more information on how to detect ATM skimmers, check out this slideshow:

About the author: James Mowery is a computer geek that writes about technology and related topics. To read more blog posts by him, go to monitors.

CC image by Angus Fraser

Share this

Generally, Twitter phishing looks like this: First, you get a direct message linking you to some site for some reason. Next, you login into this third-party site using your Twitter credentials. Finally, everyone in your Twitter stream gets sent the same message you got spreading the scam into infinity.

These scams were enabled by the fact that Twitter users have grown comfortable logging into other sites and tools using their Twitter credentials. This is because, in an effort to make its service more useful, Twitter has had a very open policy for third-party developers.

Thankfully, most of these scams have not result into much direct harm for users. Sean in the F-Secure Labs suggested that the main purpose of phishing was to create trending topics/trending terms to improve SEO attacks.

Back in April, I suggested a draconian way of avoiding Twitter phishing: never click on any links. Thankfully, that became less necessary as Twitter’s increasingly effective filtering of shortened links has helped to minimize these attacks.

And here comes a real change for the better.  As of August 16, 2010, you will not be able to use your login and password to login into Twitter using any site but Twitter.com. Any third-party site that you want to use has to connect to your Twitter account directly using the OAuth procedure.

This means Twitter can say to the world, don’t log into Twitter unless you’re on Twitter. And if users listen, Twitter phishing will be history. Just a little change, but a step in the right direction.

@FSecure regularly tweets about Twitter safety using the hashtag #twittersafety. You can also read our How to Tweet Safely: 6 Tips for Safer Tweeting.

Cheers,

Jason

Image by Carrot  Creative.

Share this

According to a resent study we made here at F-Secure, households usually have roughly 2 computers. Many households however have more than 2 people. This left us with some interesting questions.

Do multiple people using the same computer with same account create interesting and potentially problematic privacy issues?

For example, are you comfortable with other users being able to see your browsing history and all your files on a shared computer? Might this lead to problems among family members? Do guests use your computers? Do they use your account?

We would like to know how you have set up your home computers and accounts. Please take a few minutes to contribute to the topic by filling in our survey.

To show our appreciation, everyone who completes the survey will be entered to win 1 of 5 F-Secure Online Backup 1-year licenses to protect your irreplaceable content.

UPDATE: Thanks to everyone who filled out a survey and congratulations to our winners:   joesmimi,  kweeny,  ub.bataar,  johnpanagiot and poitter_point.

CC image credit: rocksee

Share this

Now, I’d like to repay her for all of her heartfelt goodness by slightly embarrassing her in public.
My mom has never been afraid of technology. When we got our first Atari 2600, she finished Frogger before me or my brother. From the early days of AOL, she’s fearlessly surfed the net, battling her way through incredibly slow modem speeds, occasional viruses and assorted tech support nightmares. And she’s never once thrown a PC out the window.

I admire my mom’s fearlessness. (How could I not? In the 70s it got her the Showcase Showdown of the Price is Right.) But her it willingness to try anything can get her in a little trouble online.

When she first got her PC, she filled out every form that she found on the Internet. In about two months, her email was overflowing with so much spam that she had to close it down. (I think this happened to everyone’s mom.)

Since then she’s gotten a broadband connection and become a savvier about the web. Still there are certain things she does that make me batty. And I only feel comfortable pointing out in public. (I just hope she doesn’t feel the need to publicly respond with a blog of her own about my foibles because I’ve heard—about a million times—that I didn’t grasp the concept of toilet training quickly.)

So with all due respect, a lot of love and deep sense that I’m ruining my prospects for a good birthday present, here are 5 things I wish my mom would change about how she uses the Internet.

1. Take your home address off you email signature.
My mom is ahead of the curve when it comes to location-based technology. Forget Foursquare, my mom just puts her home address on every email she sends. Mom, email is not anywhere near as secure as you might think (especially because you use your dog’s name for every password).  Don’t let the bad guys know where you live.

2. You can stop forwarding me (and everyone you know) emails you did not write.
Mom, it’s nice that you’re always thinking of me. But when you send me cute, funny, ridiculous emails that you are also sending to my aunt, your cousin in Chicago and everyone you play Mah Jong with, it’s a little annoying. And when everyone on the list hits “reply all”, I have to practice deep breathing to avoid a stroke. The Internet is an amazing thing. You can be sure if there is any news, joke or conspiracy I need to know about, I’ll find it. And if it’s important enough, just send it straight to me!

3. Please be careful what you install.
My mom, like millions of people around the globe, has chosen to install scareware on her computer. An alert box came up, and my mom clicked OK. And bam, she was infected. Now, she only did this because the same process had worked for her several times. It’s how she got Flash and Quicktime. But this time, she got scammed.  So, Mom, one bad Google result can create a small disaster on your PC.  So only install a program if you know exactly what it is and what it does. Google the program’s name or email me – directly! – if you aren’t sure.

4. I don’t want to be your Facebook friend.
Millions of people must have figured out how to have a healthy relationship with their families on social networks like Facebook and MySpace. But to me, it’s just weird. I feel bad if I don’t comment on everything. I wonder, Who are these strangers writing LOL on my mom’s updates? Also, she is too willing to quizzes using apps, which, in the past, opened my information to the makers of the application whether I liked it or not. So sorry, Mom, I only use Facebook to keep in touch with old work and college friends.

5. I wish you were on Twitter.
I wish the whole world were on Twitter. It’s a quick peek into what they are doing/thinking about.  And I subscribe to the accounts I don’t want to miss on in my Google Reader. It’s light and it’s fun and it’s easy. Mom, please get on Twitter so I can keep up with you without feeling obligated to respond to every single update.

Being my mom can’t be easy (especially since it makes you ineligible to win two Canon cameras in our new sweepstakes). So thanks, again, for everything you’ve done and do. Besides these 5 little things, you’re perfect.

With love,
Jason

Share this

I used my phone to take an image of the F-Secure headquarters on my way into work:

We'll climb any mountain to get to work

The image is so striking that I wanted to share it. My fellow bloggers and I thought of how this image could relate to the work we do here. The consensus was that it was a great metaphor for the piles of viruses that we handle in F-Secure Labs each day.

The average number of virus samples that we process each day is a number around 100,000. Per day. Wow.

Sean from Labs points out that while these viruses are “individual, like snowflakes”, they do fall into categories. Sometimes they are from the same criminal gangs, sometimes they are the same type of virus from a different gang. Sometimes they are almost the same virus, but altered in small ways to try and fool anti-virus technologies.

We really would be ‘snowed under’ if it weren’t for the technology that our lab technicians build for us to catch and analyze all of them.

Just imagine having to sit down with a magnifying glass and check every snowflake in the photo. Instead, we use technology to do that for us, to give us up-to-date information on what our virus protection services need to block in order to protect our customers. Our technicians have to build that technology, keep it smart, feed it, and so on! It’s a good thing that they are up to the task.

With their help and expertise, we can protect our customers whatever the (virus) weather.

What do you think of the image? Do you think the virus metaphor fits, or is it more like an icy firewall, protecting the f-secure premises? Or something else? Let me know!

Share this

A recent  snow storm left me particularly bored. It was late in the evening and I was waiting at Helsinki airport for my flight to Munich to finally take off. When the smiling lady at the Lufthansa check-in desk announced that the flight would be delayed for at least 2.5 hours, people  began pulling their laptops from their bags to open them. And so did I.

While my PC was booting, I looked around and realized that I was surrounded – by Macs!

Normally, I’m quite ok with my PC. It fits in my handbag and that’s what really matters. But amidst those stylish flat MacBooks and their glossy screens, I felt a little bit embarrassed by my unspectacular boxy, black laptop. And just when I thought it couldn’t get worse, I got Windows’ famous blue screen. Thank you very much, Bill Gates!

I got an understanding glance from my neighbor and we started a conversation about Apple’s steady march toward victory. Undeniably Macs are becoming more and more popular, and not only with designers and other creatives. This gentleman, for example, runs his own consultant company and has equipped his whole staff with Macs. Now he was giving me a lecture about why Macs are so much better than PCs.

After some time, we got to the point where he asked me what I do for a living. When I told him that I work for an IT security company, I knew it was my turn to give a little lecture. Like every other Mac user I’ve ever met, he felt he was magically safe from malware. Well… sorry, but this perception needs a little revision.

Yes, Macs are safer because cyber criminals can make so much more money with PC malware. PCs dominate our online world. But – and this goes out to all Mac users – this doesn’t mean Macs are more secure than PCs.

It’s like living in a safe neighborhood. Just because there aren’t as many thieves about doesn’t mean that your windows are any less easy to break. There is more and more malware with cryptic names that could infect your Mac… Zlob codec trojans just being one example.

Another consideration is that malware is increasingly browser-based and Mac users can be hit by phishing scams social engineering exploits just like any PC user. Just recently the criminal “Koobface” gang specifically targeted Mac users and tried to make profit. Go to Dancho Danchev’s blog if you want to know more about the technical details.

Macs’ growing popularity is so overwhelming that we decided that it’s time for our own Mac solution. Just as I recommended to my Mac enthusiast neighbor, I recommend you checking out F-Secure Mac Protection, free for six months. Register for our Beta program now.

We’d love to know if F-Secure Mac Protection found anything on your Mac.  Please leave a comment below.

Have a safe onward journey – in the online and offline world!

Sandra

Share this

Everyone who commented already will be receiving a code for 6 months of free Internet Security over the next week, whether your comment appears on the site or not.

More giveaways are coming soon. And you can always try F-Secure Internet Security, Antivirus and Online Backup for free.

Cheers,
Jason

Share this

I saw this for myself with Facebook. About 2 years ago I decided to discontinue my Facebook account because I wasn’t really using it. I deactivated it and – I thought – deleted all the pictures I had uploaded there. About 18 months ago I decided to return to Facebook and to my astonishment, Facebook found all my old deleted photos and it hadn’t got rid of any of my status updates either. It was all there.

So considering that for example employers are doing searches on LinkedIn and Facebook about potential employees, you might want to think again before you upload that hilarious picture of when you fell off a chair, drink in hand.

But at the end of the day, humans are very social animals and we want to share. We want to know how our friends are doing and we want to let them know how we are. Many, myself included, have accumulated quite a number of Facebook Friends. Clearly, though, my 100+ Friends are not all my BFFs.

So let’s say your boss is your Friend on Facebook, or some of your work acquaintances. Do you want to share the same things with them as with your sister and best friends?

Here’s where Facebook helps you out. Nowadays you can organize all your Friends onto different lists and determine which lists see which status updates or photo albums.

For instance, a friend recently broke up with her boyfriend and has now organized all her boyfriend’s friends onto an “Ex” list. The people on that list, she feels, don’t need to read details about her new boyfriend. Another friend has made a “Family” list and shares certain photo albums only with them.

Me? I like to keep it simple. I only share things online which I can be sure won’t come back to haunt me. For the juicier stuff I go old school: I give my friends a call or meet them IRL.

Our in-house social media guru Jason has been tweeting about privacy on Twitter and Facebook extensively. If you want to be kept up-to-date on the topic, I recommend our Twitter and Facebook feeds for the latest on what’s being said about this issue.

Signing off,
Your Friend Hetta

Share this