Since joining the company a few months back, I have had the pleasure to listen to many talented and extremely enthusiastic people talk about security – and the solutions related to it. In these months I think I have learned more about the security threats and how to prevent them than in all the years of my working life so far.  One of the key learnings is that the foundation of security is to have the right tools for all levels of security.

• End-point protection protects you from internet threats. According to F-Secure Threat Report H2/2012, the most common way to get hit by malware is browsing the web.
• Server protection keeps your content safe from spam, malware and other threats. Protecting servers certainly doesn’t sound like a hot topic, but talking to our product managers, it actually is something much more interesting than you would first think.
• Email protection safeguards your communication. Even though email no longer is the number one target for attacks, due to its frequent and wide use, email protection is still as relevant as ever. Talking to one of our sales engineers just the other day, I was shown some stunning examples of how reliable and trustworthy spam mail can actually look like! Forget about the typical “Click here for this unbelievable one-time offer” type of obvious attempts… – Spam today is much more sophisticated.
• Web filtering protects your identity and reputation. The Threat Report additionally states that some types of hosting sites are favored by criminals and recently, dynamic DNS providers have been the fastest growing target for malware hosting. 87% of the domains supported by one of the top 3 dynamic DNS providers hosted malicious content. Think – 87%! Cannot be very good for the DNS provider’s reputation…

Wouldn’t you want to stay on top of this all 24/7, but effortlessly? For that, you need a central, holistic security management tool. Without it, this can all be too hard and time-consuming and you would need a lot of resources to take care of the security issues.

Luckily, this can all be very easy with the right tool. F-Secure Policy Manager is a security management tool that lets you shift your security to autopilot. As Yoshito Sato from Green House company puts it: ”We do not have to worry if each computer is secure or not anymore”.

Cheers, Eija

Share this

New mobile threat families and variants rose by 49% from last quarter, from 100 to 149. 136, or 91.3% of these were Android and 13, or 8.7% Symbian. Q1 2013 numbers are more than double that of a year ago in Q1 2012.

While the “walled-gardens” of the iOS and Windows Phone, where apps require approval before sale, have prevented malware threats to develop for the iPhone or Nokia models running those systems, Android threats are increasing and becoming more likely to affect average users.

“I’ll put it this way: Until now, I haven’t worried about my mother with her Android because she’s not into apps,” F-Secure Security Advisor Sean Sullivan said. “Now I have reason to worry because with cases like Stels, Android malware is also being distributed via spam, and my mother checks her email from her phone.”

You can get the entire report here and as you read through it, listen to our Chief Research Officer Mikko Hypponen and Sean Sullivan walk through the report in this exclusive preview. (Sorry, there is a odd echo for the first few minutes of the recording.)

Here’s a look at profit-motivated threats. Is anyone surprised that mobile malware authors are mostly motivated by money?

As far as the types of threats our Labs is seeing, Trojans continue to dominate:

We protect your mobile devices from all common threats. Get F-Secure Mobile Security free for 30 days or download it at Google Play .

Cheers,Jason

Share this

Plan the message – your “personal brand”

Ok, so you want a profile picture. Let’s first think about you and your profile. Why did you create the profile? What are you trying to tell the world? What kind of impression do you want to deliver with the profile and its picture? Do you want to be seen as a leader, an expert, a visionary, an entrepreneur, an entertainer, a trustworthy partner or just as a nice and comfortable person? And what’s the scope? Is it limited to your professional role only, or do you have hobbies, sports, organization memberships etc. that you want to expose as well? But be focused and don’t bring in too many things. And what’s your primary target audience?

Start by thinking about your personal brand for a while.

Plan the image

When you know who you are and what your brand is, then it is time to plan how to express it visually. Here come’s some points you should consider and which hopefully help you decide what your picture should look like.

But you could start by checking your own photo collection, or ask a friend who likes to shoot. There may already be a picture of you that match your personal brand. If you find a candidate you have to decide if it is good enough or if you want build from scratch. Jump straight to the last section if you find a good shot.

• A profile picture is small. It may be displayed at medium size on your profile page but most people see just a small thumbnail of it. Do not plan a picture with a message that depends on small details.
• Make a long-lasting picture. Like the logo of a brand, your picture shouldn’t change frequently. Avoid using visual elements that are in right now, but may be passé tomorrow.
• Portrait or not? Profile pictures were planned to be a portrait of the user, but there is usually no policy or technical limitation that enforce this. You can use any image, but this guide will focus on how to make a portrait of you.
• Color or black & white? BW can be used to create an artistic impression, and it may help gaining attention among vivid color shots. But BW depends a lot more on form and shapes, which are hard to express in small format. Color is a safer choice.
• Think of feelings and adjectives that would support your brand. Like calm, reliable, energetic, empathy, joyful, fun, dignity, etc. Keep the selected words in mind throughout the process.
• Get inspired by others’ profile pictures. Use Google’s image search with keywords like “profile picture” or “portrait”. Add another word to the search if you want pictures with a particular concept. Also browse through your favorite social media and pay attention to others’ profile pictures. Don’t be shy to steal ideas and build upon them, but avoid copying people in the same digital neighborhood.
• How bold do you dare to be? You fight for attention in a boiling kettle full of vivid images, but your role and brand may require some dignity.
• Find out what aspect ratio your favorite social media use for profile pictures. Are they shown as squares or are they higher than they are wide? This should be taken into account when planning the composition.
• Just a portrait or some environment too? Putting a person into an environment tells a lot more than just a face. Could a particular environment be a good way to express your brand? Are you interacting with the environment or just posing in front of it? But do remember the restriction about image size and small details.
• All pictures have a background even if it isn’t an environment. Dark or light? Smooth or textured? Solid color or gradient color? Just remember that the background shouldn’t compete with the object unless it has an important story to tell.
• What colors do you like and what colors would support your brand? If you want to address a global audience, remember that colors have different meanings in other cultures. Check this and this before you decide.
• Your role may demand a certain type of clothing, and you may have some strong personal preferences in this area. You can be mainstream by following the code or revolt by going your own way. As profile pictures are small you are quite likely to do just show head and parts of the upper body rather than full figure, so the lower parts doesn’t matter. A hat works fine, if it fits your brand.
• How do you want to pose? Do not plan a too fancy pose as those rarely feel natural in the final picture. Remember that your hands tells a lot about your feelings, also plan their position.
• Are there any personal attributes that definitively are part of your brand? A typical piece of clothing, or maybe a ponytail?
• The face expression is important. Use the feelings and adjectives mentioned above when figuring out what expression is best for you.
• Even subtle changes in the camera angle can have a significant impact on the feeling of the picture. You are on the same level as your peers. You may look helpless and begging if you look up on your audience. And a powerful rulers looks down on his people. These rules may not apply anymore if you go for dramatic camera angles.
• The lighting of the subject is important. A sharp harsh light creates sharp shadows and make the picture more dramatic. So does light from an unnatural direction, like illuminating a face from below. Smooth even light from every direction eliminates shadows but make the picture dull. The right lighting is usually somewhere between these extremes.
• If you don’t need an environment you can play with the framing of the face. A dramatic effect is to frame the face really tightly, or even focus on a part of it.
• Looking into the camera creates a connection between you and the audience. But you may want to differ by looking out of the picture or at an object in the visible environment.
• Accessories may emphasize your story. You can bring in items that relate to your role and brand.
• You may want to add graphical elements in post processing. It is good to plan that before you start shooting. These elements will become part of the final composition and affect the visual balance of the picture.

Yes, a lot of different aspects to think of. You do not need to pay a lot of attention to all of these, but they are all things that affect the picture. You may pick some of these points and focus on them. Hope this section puts your mind in creative mode so that you can come up with a great idea.

Take the photo

OK, now you should have a visual idea in your mind about what you want to create. Let’s start doing it by shooting the picture. Some hints that makes it easier to succeed.

• Ask someone to help you. Sure, you can use a tripod and timer to shoot by yourself. But it is so much easier if you don’t have to run back and forth between your pose and the camera. It is of course a plus if that someone has experience in portrait shooting. Depending on your planned shot, it might be good to have an assistant as well.
• Plan what camera to use. You do not need the latest megapixel monster as the picture will be shown small. But you should definitively use a camera that produce sharp pictures. Some mobile phone cameras are already good enough, but cheap pocket cameras may not be. Most cameras manage to take decent photos in good light, but use a system camera if you want to play with low-light scenes.
• Scout the place to shoot where you have the right environment or background.
• Plan when to shoot. The light conditions depend on weather and time of day. Other conditions, like traffic for example, may dictate when to shoot if you are planning to do it in a public place.
• Plan the lighting. Will natural light be enough or do you need artificial light to achieve the desired result? If the light is sharp, you may want your assistant to reflect light onto the shadow side of the face using a light flat object, like a sheet of Styrofoam.
• Shoot wide. Leave enough room on all sides of the object. It is easier to crop and create the perfect composition afterwards on the computer.
• Control the balance between object and background. You can make the background less distracting by making it darker or less sharp. You can blur it by moving the object further from the background and/or using a larger aperture setting in the camera.
• If you plan to replace the background using Photoshop, then it should be as even as possible. Select a color that creates a sharp contrast around all parts of you.
• Be careful with focusing, especially if you try to blur the background by using a large aperture. Always make sure the primary area of interest is in focus, which almost always is the eyes in portraits.
• Work on the technical details first without minding pose and face expression. Shoot, check the result on the camera’s screen, adjust something and shoot again until the light and exposure are right.
• Then continue to find the right pose. Just shoot until you are satisfied with what you see on the screen.
• Finally work on the face expression.
• When done, look through the shot carefully and check all the details. Load the picture into a laptop and view it on a proper screen before you pack your stuff and leave the shooting scene. At this point it is still easy to correct small details and take another shot.
• Why not try some variations when you are up to speed. Change clothes or pose or something else and shoot some more. It’s good to have more shots to select from.

Finalize the image

Now you should have a decent picture of yourself. It might be good as is, but all pictures can be improved by post processing. Use Photoshop or your favorite image editing program, or ask a savvy friend to help. These are examples of things that can be used to brush up the picture.

• Adjusting overall exposure, contrast and color saturation.
• Putting more or less attention on objects by making them darker or lighter.
• Selectively blurring unimportant parts.
• Cropping the picture.
• Concentrating focus to the center of the image with a vignetting.
• Cloning out distracting details.
• Replacing the background.
• Adding graphical elements like frames, logos and symbols.
• Maybe doing more advanced manipulations like combining two shots with different face expressions. Your imagination is the only limit. (And the limited picture size of course.)
• Or why not get a cheap round of plastic surgery if your Photoshop operator is savvy enough for that.
• Remember to zoom out and view the picture as small as it will be shown in reality. Does it still work?

OK, that’s it. Now you should have a great profile picture. But as always, testing is important. Show the picture to someone else and ask them for honest opinions. Your test audience should not know how you have planned the picture and what you have tried to achieve. Even better, use people who don’t know you at all. Ask them to describe the person in the picture just based on what they feel when seeing it. (Some persons are better than others on this.) It’s a success if that match what you tried to achieve.

And last but not least. This is important but it is after all just a picture. It helps you get attention and new followers, but in the long run people will still judge you by what you post.

Safe surfing,
Micke

Share this

His first impression is that it’s designed to encourage you to share and encourage your friends’ media consumption.

Coming soon to Facebook… television you’ve watched? And a new timeline layout? Oh please no. #DoNotWant twitter.com/5ean5ullivan/s…

— Sean Sullivan (@5ean5ullivan) April 29, 2013

In the endless attempt to monetize a free service that about one billion human beings rely on, Facebook is also encouraging you to give your friends more than just warm birthday greetings. They want you to give gifts.

Here are some of the gifts my friends are recommended to give to me:

Yes, I am over 21 years old. Sean found that if you’re under 21, Facebook recommends chocolate instead of wine.

It’s natural to speculate that Facebook wants to become a recommendation engine that serves you media and gift recommendations based on your interactions. This — as always — will lead to some unintended consequences.

Perhaps, the next time you change your relationship status to “single”, your friends will see this gift recommendation:

Share this

There seem to be a war between these two groups of photographers, especially in US after 9/11. Ordinary people who take snapshots of fine buildings have noticed this. Photography is often considered suspicious activity and many innocent tourists have been treated like suspect terrorists. Security guru Bruce Schneier has pointed out several times that the authorities watch far too much TV. They try to fight movie-plot threats rather than real terrorism. The war against photography is a good example. TV needs visual elements so the villains often goes on a photo trip before the strike. No pictures are however found when investigating real terrorism. Simply because they are not needed. To fly a jumbo into a skyscraper you need a map, not a photo of the building taken from ground level. But the authorities are desperately seeking ways to show that they are doing something, so photography becomes a convenient target.

What brings this to mind right now is the Boston bombs. There is said to be around 600 surveillance cameras in the area. FBI also had the suspected bomber’s face on file and was able to run automated face recognition against the surveillance footage. But that wasn’t enough, so they turned to the public and asked for photos and videos shot by ordinary citizens. The former enemy suddenly became a friend when FBI didn’t have enough footage themselves.

The request turned out to be successful. Submitted amateur footage is reported to have been crucial in identifying the bombers. This proved that photography in public places contributes to security rather than poses a threat.

I wonder when we reach the point where FBI doesn’t have to ask for these photos? More and more people upload their shots to social media sites. Chances are that the Tsarnaev brothers already are published by many ordinary citizens on their private walls, Flickr-accounts etc. Time and position metadata makes these shots suitable for face recognition scans. Privacy settings are of course an obstacle, but I wouldn’t be surprised if the US authorities demanded full access to such photos bypassing the security settings. An even scarier scenario, what if FBI gets legal access to all shots that smartphones upload automatically? The shots from my mobile camera land on SkyDrive. Personally I don’t like the idea of participating in an intelligence network with global reach but operated by a national agency.

Will this case change anything? I would like to see the Boston incident as an eye-opener that contributes to a less hostile attitude against photographing citizens. But that is probably naive. The war against photography will most likely go on just like before, at least until the next case where FBI need some help. And we may be heading towards a world where the authorities doesn’t ask kindly for these shots, but grab what they want from the net. Let’s hope that the legislators and privacy advocates manage to maintain a balance between privacy and terrorism hysteria.

Micke

Image by R/DV/RS @ Flickr

Share this

A lot of attacks have used the Blackhole exploit URLs. According to the Threat Report H1/2012 by F-Secure Labs, as many as 1 out of 25 emails contain spam with such a malicious URL which is intended to deliver a malicious payload to a victim’s computer. The Blackhole exploit kit targets vulnerabilities in the operating system, old versions of browsers such as Firefox, Google Chrome, Internet Explorer and Safari as well as many popular plugins like Adobe Flash, Adobe Acrobat and Java.

As normal spam filtering may not catch these kind of threats, it is important to understand the new forms of the spam emails. Ordinary spam definition updates are too slow and usually do not protect you from the Blackhole exploits, so Real-time URL reputation check is a must to have.

Windows and Java continue to be the most popular targets. F-Secure Threat Report H2/2012 states that a vast majority of exploit attacks in general relate to four commonly known vulnerabilities in Windows or Java, and all of these already have security patches.

With this in mind, it is essential to protect servers and email efficiently enough from attack.

F-Secure E-mail and Server Security solution uses the same awarded DeepGuard technology as Client Security, which has been given the Approved Corporate Endpoint Protection certificate by AV-Test. Check out the latest supported platforms on our Downloads page.

E-mail and Server Security was the first product launch for which I was responsible for on the marketing side here at F-Secure. And this is my first blog post in Save and Savvy as well! Time seems to have been flying since I joined the company at the beginning of March, there are so many interesting things going on.

Cheers, Eija

Share this

You know how it is to ask a lawyer if something is legal or not. It’s impossible to get a straight answer. I start to understand why when digging into this problem. There are really so many aspects that matter and many things that aren’t black and white (no pun intended). And on top of that, the international aspect. Laws are different in every country. I have been looking a long time for a good and comprehensive guide that covers photo law in different countries. In vain so far.

That’s an indication about how big and complex the issue is. But I’m going to give it a try anyway. I have tried to list the basic principles in a very compact form. This list can’t be very precise as it isn’t country specific. So be aware that the law in a specific country can differ from what’s stated below. But the risk that your camera puts you in trouble should be significantly lower if you know at least these principles.

To take a photo

• It is generally OK to take photos in public places, but some limitations may apply.
  • Taking photos that present a person in a defamatory way may be banned.
  • Taking photos of police officers may be banned.
  • Taking photos of military installations and critical infrastructure may be banned.
  • Taking photos of monumental buildings may be restricted or banned.
• It is generally OK to take photos of other persons without permission in public places, but some may have a personal problem with that. It’s polite to comply and cease shooting if someone complains, but these persons do typically not have any legal right to prevent others from photographing them. Unless the shooting can be seen as harassment. Also keep in mind that there may be cultural restrictions. It’s for example considered bad habit to photograph priests, monks and nuns in some countries.
• What’s a public place has typically nothing to do with ownership. It’s a place that the public has free access to, even if it isn’t owned by a public institution. Events and transportation that the public can buy tickets to freely do typically also qualify as public places.
• Some public places, like shopping centers or shops, try to limit or ban photography. Those rules may or may not be legally binding, depending on local legislation. Many shop owners seem to know as little as their customers about the laws regulating photo.
• Photography is typically not allowed without permission in private places and events for invited guests. You should always ask for permission before taking a shot in someone else’s home. Regardless what your local law says, that’s common sense IMO.
• Vehicles where you can stay overnight may be considered private places just like homes. Ordinary cars do not belong to this category.
• Taking photos of kids is typically no different from other kinds of photography from legal point of view. Many parents have however became wary about having pictures of their kids online because of increasing media coverage about pedophilia. So it’s best to be careful when shooting others’ children. Talk to the parents first, if possible.
• Remember that knowing the law and your rights to photograph is important, but so is common sense. If you face a photography ban that is in violation of your legal rights, it’s up to you if you want to challenge the ban or save both parties some trouble. Is it worth it?

Copyright and licenses

• The creator of a creative work, like a photo or a video, has automatically the right to decide about how the work can be used, and to be compensated if the work creates profit. It’s a bit like ownership and it is called copyright.
• Copyright exists automatically. You do not have to apply for it, register the work somewhere or even put a copyright statements in the corner of your photo.
• The copyright holder is the person who has done the creative work, i.e. came up with the idea for the photo. It doesn’t matter who pressed the shutter button or who owns the camera.
• Copyright can be transferred to someone else, which is like giving away the ownership. The copyright holder can also grant licenses to use the work. It is very important to understand the difference between these two.
• There are no usage rights by default. It means that you basically can’t do anything with a photo taken by someone else without permission from the copyright holder. And vice versa for others using your shots. There are however exceptions to this. The fair use concept in US is one example. It states that minor insignificant use is OK without permission, like use for private or some educational purposes.
• If you own the copyright, you have free hands to grant, or refuse to grant, others the right to use your photo. Such rights are called a license. A license can be any kind of free form statement that:
  • Specify what work it affects.
  • Specify who it grants rights to, or grant rights to anyone who want to use the work.
  • Can specify how the copyright holder shall be compensated.
  • Can demand that the copyright holder shall be attributed.
  • Can limit the rights to a defined period of time.
  • Can limit the rights to a specific kind of use.
  • Can limit the rights geographically.
  • Can be exclusive, meaning that the copyright holder agrees to not grant any conflicting licenses to others.
• Creative Commons (CC) is a widely used ready-made system for granting generic licenses to use your photos. This is a nice way to share shots if you don’t mind others using them for free. There are several kinds of CC-licenses, for example licenses that exclude commercial use.

 To publish a photo

• Remember that taking a photo and publishing it is two different things. You do not necessary have the right to publish even if it’s OK to take the photo.
• You can generally publish your own shots freely as long as it is done as a private person on a hobby basis. Like sharing on Facebook or Flickr.
• Publishing a shot that presents a recognizable person in a defamatory situation, state or context is most likely illegal.
• Be careful when publishing pictures of others’ children. It’s typically legal, but the parents may have issues with it.
• People usually can’t prevent others from photographing them in public places, but they have the right to decide if shots of them can be used commercially. An approval of this kind is called a model release. It is a document where a person who is recognizable in the picture grants rights to use the image. A similar property release may sometimes be needed for shots showing buildings etc.
• Some companies are guarding their brands rigorously. They may have a problem if they see their brand exposed in a published photo in a way they don’t like. You may get a letter that threat you with legal actions unless you remove the photo. There’s typically little or no legal substance behind these threats, as companies and brands typically aren’t protected against libel etc. in the same way as individuals. You may comply, ignore them or ask for more details about what paragraphs they refer to and under what jurisdiction. That may make them go away.
• You do by default not have any rights to publish others’ photos (exceptions exist, see for example fair use in US). Many photographers are however adopting a liberal attitude against sharing and publish their work under a CC-license, or similar. If you need to illustrate something, you can search the net for CC-images for example on Flickr. This is how I get most of the pictures I use in these blog posts. Remember to credit the photographer! That’s a small token of appreciation compared to the value you get.
• But what about sharing in social media, Facebook for example? If you take a picture file and upload it so that it is visible to anyone, then it is definitively publishing. But sharing a photo that someone else has uploaded to Facebook is totally different. What you do is really to tell others that the picture exist and where they can find it. You just share a pointer to it, not the image itself. That is of course always OK and only limited by the privacy settings of the photo.

As said. This summary is an attempt to list some generic fundamentals that should be valid pretty much everywhere. That’s a good start, but if you are a serious photographer you should educate yourself with more accurate info for your own country. Also, what’s said about photos also applies to video.

Do you know of a good source that covers international photo law? Or a good guide for your own country? Then post a link as a comment to this article. Maybe there isn’t a comprehensive international guide, but a collection of links to guides for different countries is almost as good.

And finally. Quoting an excellent tweet from @Mikko. “Remember that legal advice you find on the net is worth every penny you paid for it.” Nice disclaimer, isn’t it.

Share this

Our solution blocked 100% of the representative set of malicious apps discovered in the last 4 weeks tested. Nice.

The test went beyond just testing the ability to block bad software.

PC Magazine‘s Neil J. Reubenking explains:

Antivirus protection is important, but for mobile users additional security features like anti-theft can be just as important. In the initial test of Android-based antivirus, AV-Test noted whether each product included specific additional security features: 1) anti-theft (remote lock, wipe, and locate), 2) call blocking, 3) message filtering, 4) safe browsing, 5) parental control, 6) backup, and 7) encryption. In the latest test, products are scored on whether they include extra security features, either the seven from the preceding list or other useful security features.

You can see our complete score card here.

We want to congratulate all the fellows on who work to make our Mobile Security the best protection in the world.

And you can try Mobile Security for free here.

Cheers,
Sandra

Share this

Thus your profile has all kinds of likes and apps you probably don’t remember adding. That’s why spring is the perfect time to look at your page and try to make it new again. Here are 3 easy steps that will improve your privacy and your Facebook experience.

1. Stop your friends from sharing your private information.
If you take pains to lock down your Facebook profile, it may disturb you that some of your private information may still be shared with strangers by your friends.

They’re doing it not because they want to make your privates public but because you haven’t locked down how they can share your information via Facebook apps.

To fix this, just go to “Privacy Settings” then the “Apps” section. Next to “Apps others use” click “edit”. You’ll see this:

But likely some of the boxes will be checked. Any box that is checked can be shared by your friends to the makers of any app the authorize. Uncheck the boxes and click “Save Changes”

2. Clean out your old apps.
Now, while you’re on this page, you should scroll up do some spring cleaning. Click that little “x” next to any app you don’t use anymore. And if you aren’t sure if you use an app, you can always click “x” and reauthorize it later.

To be extra safe, you can always do what F-Secure Security Adviser Sean Sullivan does turn off Facebook’s “platform” so none of your information can be shared with apps. This also means, you can’t use any apps, of course.

To do this, click “Edit” next to “Apps you use”

Then click “Turn Off Platform.”

3. Audit your friends and ‘likes’
The best way to keep your Facebook account useful and free of annoyances is to review your friends and “likes” to get rid of anyone who doesn’t respect your privacy or clutters your feed.

This sounds easier than it is since most people have dozens if not hundreds of connections of Facebook. As you have to view your “Friends” list and “unfriend” each user one by one. Your “Likes” list is even more annoying. If you have time, you should do this at least once a year. So why not for Spring?

Or you can do this on an ongoing basis whenever you visit your newsfeed. See something offensive, unlike that page or friend, if he or she isn’t really a friend anyway. But be aware that you won’t see all of your friends and “likes” on your feed. Facebook filters it so you only see those you’re most likely to interact with along with the posts they’re being paid to promote.

Jason

[Photo via El Frito]

Share this

What do you think about them? Do you pass them on? Does this kind of messages play on your emotions? Do you like the feeling of helping a poor child somewhere in the word by clicking share? Have you ever tried to verify if the sad story is true? Or do you want to hold on to the dream that you are helping, and avoid checking the background even if there is a grain of doubt? Or are you one of the skeptics who dislike chain letters and write an angry reply instead?

Chain letter may be an old-fashion term from the snail-mail era. But that is really what we are talking about here. They are also called hoaxes, which refer to the content rather than the spreading mechanism. Our modern communities on the net provide an ideal environment for them. It has never before been so easy to share information with a large number of friends globally, just by a click. The content might be anything, but there are some easy ways to identify them.

• They play on your emotions, often empathy or fear.
• They tell you to share it with all your friends.
• There’s often a shocking picture of a claimed victim. (The same picture is often reused in many different chain letters.)
• It may claim that the victim gets money for each share. (This is never true.)
• There’s no or very little details of the claimed victim to make it harder to debunk the story.
• There’s no reference to news articles or other reliable sources, or the article is fake if there is one.

Here comes a couple of examples from different categories.

Help save baby with cancer is a really classical example. Who can resist a sick child? And that thing on the little boy’s face. OMG! In reality, this story is just made up and the boy doesn’t exist. Or the baby in the picture certainly exists, but he has appeared in many different chain letters and nobody knows where the picture comes from or if that thing is fake or real. The promise of one dollar per share is also just made up, there is no such commitment in reality.

YOU COULD SAVE A LOVED ONES LIFE BY KNOWING THIS SIMPLE INFORMATION!!! First aid and medical advice is another common chain letter category. I have attended a number of first aid courses at different levels, and this example is legit as far as I can tell. The described STR-rule is also well known and used elsewhere too. But how do you know that? If you can assess that, you don’t need the advice. And if you can’t, you have no clue if the advice is reliable and accurate. This one might be legit, but that can’t be said about all the other messages of this kind. They can in the worst case be directly harmful! (I have selected to not share one of those here.)

Facebook is not a good info source for matters of life and death. If you truly care about your loved ones and want to be able to help, then there is no substitute for professional first aid training. Trash all chain letters of this kind and sign up for a course today!

[Insert celebrity of your choice] found dead at Dominican Republic resort. This is really a sick form of humor. There’s a web-based generator that can generate hoaxes like this. It even creates fake news pages that can be passed around with the chain letter. I’m including the link to the generator here. I trust that you use it only to learn how to spot these hoaxes, not to make one yourself.

If you see some shocking news like this and the source isn’t one of the big news networks that you recognize, then turn to Google and get a second opinion before you hit share. Well, sites can be faked so Google is a good idea even if you recognize the news source.

But these chain letters are mostly harmless, you might think. Is it really that bad to pass one on? Well, they don’t harm the reader directly. Messages that trick you into downloading a file or opening a site that can contain malware is a different cup of tea. Phishing scams that trick you into entering secret data at a faked site are also truly harmful. Chain letters and hoaxes are not harmful in this way.

But that’s not the full story. There are still several reasons to avoid them:

• Your own reputation. You may feel good when “helping a sick child”, but do your friends think the same way? Some of them may think you are gullible and easily fooled.
• You create unnecessary noise on Facebook, or whatever community you are on. It may already be hard enough to spot the relevant posts from 500+ friends and a load of groups. Your friends do not need more junk to cover the valuable posts.
• Things seem to replicate, especially problems. If you have a habit of sharing chain letters and hoaxes, you contribute to the culture among your friends. You signal that it is OK to share hoaxes and your habit will spread to some of them.
• If you forward a message with some advice about first aid, a friend uses it and it tunes out to be bad advice. How would you feel? If you share info like this, you also carry responsibility for it.
• Passing on jokes about someone killed in an accident is really sick humor, even if you might be in shock and believe it when you press share. Double-check before sharing and spare your friends that unnecessary shock.
• If your account is compromised and misused to spread truly harmful content, it will blend in better in a stream of chain letters. Your friends are less likely to notice any difference and more likely to click on the malicious link from “you”.  Such post will however stick out if your normal posts are strictly no-nonsense.
• A historical note. Old-school computer folks dislike chain letters because they were seen as a bad thing in the early days of e-mail. This was based on the limited capacity of the computers and telecommunications at that time. Technical capacity is not a problem anymore, today’s bottleneck is our capacity to process all the messages we get. But as said above, even if the technical capacity is there, it is still a bad idea to circulate chain letters.

And by the way. Why should you support this particular child? Just because you got a picture of him? There are probably thousands of real children with the same disease. You feel emotionally involved, that’s good. Let’s use your emotions for something more productive than just passing hoaxes around. Look up a local charity organization that work with children and make a donation while watching the picture. That really matters!

So, to summarize. Don’t feel bad if you have shared chain letters like this. As said, they do no direct harm. But I hope that as many as possible become aware of the downsides and start ignoring them. Our Facebook experience would be tidier.

So now you know how to spot a chain letter. Just click the share button and make sure all your friends on Facebook also know. Hey, wait…

Safe surfing,
Micke

Image from About.com Urban legends

Share this

• It’s free;
• it’s fast;
• it works on your Windows PC EVEN if you have security software from another company installed;
• it’s light — less than 5 MB — and doesn’t require installation;
• it eliminates viruses;
• and now it removes one of the most difficult-to-remove malware in existence — advanced rootkits.

Rootkits are tough to detect and even harder to get rid of. They boot up even before your operating system does and often require restarting your system from a CD or flash drive with the help of customer service or an IT expert.

But with our Online Scanner, you can remove them easily, quickly and for free with just a few clicks.

Millions of computers around the world are infected with rootkits like TDL and ZeroAccess. To make sure your PC isn’t one of them, run Online Scanner and then make sure your PC is protected with security solution like our Internet Security 2013 that protects you against advanced threats.

Cheers,

Sandra

Photo credit:  AnyaLogic

Share this

I’m not going into the big picture about anonymity and privacy here. I’m going to present a tool that can be used to obfuscate your true identity. The anonymity network TOR. This is a tool and network that provides fairly strong protection against anyone who try to find out where a connection over the Internet really came from.

Let’s first debunk two myths.

• This kind of stuff is only needed by criminals. I’m a law-obeying citizen! Well, yes. It is in most cases OK to surf without this kind of protection. But it is also good to be aware of this possibility. There are situations where it can be smart to cover your traces even if you have perfectly honest intentions. And being anonymous is not wrong in any way, you have the right to use this kind of tool if you like.
• I don’t know how to do this. I’m no hacker. Don’t worry. Using this tool is no harder than installing a program on your computer.

So what’s the problem we are trying to tackle here? Practically all services on the net log all access. This log contains the so called IP-address that you are using, no matter if you have entered your real name at the site or not. The IP-address is a numeric code that is unique for all devices that connect to the net. Your ISP assigns one to your computer (or router, or modem) automatically when you connect to the net and you don’t have to worry about that. When you surf “anonymously” on a site, the site owner will know this IP-address but not who it has been assigned to. That information remains in the ISP’s log and is typically revealed only to authorities when investigating crimes. (Depends on local laws.) So you can under normal circumstances be traced back to your ISP, but the trace stops there.

So you have a certain level of privacy when surfing from home. But what about your computer at work? Here the company is in the ISP’s position. All traffic you generate can easily be traced to the company, but not to your workstation. The company’s administrators may be able to trace further, but that depends on how the internal network is managed.

Here’s some examples of situations where the default protection may be insufficient:

• Your ISP may protect your identity, but how reliable is that? Someone may present fraudulent accusations to get access to your true identity. People may misuse their access rights and leak data. The ISP’s employees are just humans after all. You don’t have to worry about that if you are using TOR.
• What if you discuss something online from work, but the topic is totally unrelated to your employer? Or even in conflict with your employer’s interests. Then it’s best if no one afterwards can claim that someone from that company made a comment in the discussion.
• If you consider becoming a whistle-blower, get TOR! Handle the case through TOR exclusively. This is a tricky situation where you may break contracts or even the law, and still do very much good for the society. You may have to pay a high price for being a hero unless you protect yourself.
• TOR can circumvent some national censorship schemes. This benefit is obvious in totalitarian states, but might be more relevant to you than you think. Finland, for example, is considered to be a democratic country without severe human rights problems. But despite that we have an Internet censorship scheme that was developed to stop child pornography. Now it is misused to block on-line poker, criticism against the authorities and many other things. The list of censored sites is secret and site owners can’t challenge it in court. But TOR-users have free access. (Yes, seriously! Sounds like China or Iran but this is in EU.)
• TOR is not only protecting your identity, it also encrypts traffic and prevents 3^rd parties from finding out what you are doing and who you are communicating with. This may be beneficial if you don’t trust the network you are using. A good example is FRA in Sweden. They have legal rights to intercept all network traffic crossing Sweden’s borders, including traffic in transit to other countries. A bummer for us here in Finland as our cables to the world go west.

TOR is a privacy network that routes your traffic through a chain of several randomly picked servers before it goes to the site you are accessing. The traffic is encrypted all the way from your computer to the last relay machine. The protocol is also designed so that the relaying machines never know more than they need to know. The first server knows who you are but not what you are doing or what site you are accessing. The last server can see your traffic in plaintext and knows where it is going, but do not know who you are. None of this is however logged by the TOR relays as their purpose is to ensure your privacy. Even if someone with malicious intent would get hold of one of these servers, they would not be able to reveal your secret.

The simplest way to use TOR is to download and install the browser bundle. It consists of two parts that work together seamlessly. “Vidalia” is the control center that sets up the chain of secure servers and handles communication. “TorBrowser” is a Firefox-based web browser that is preconfigured to communicate through TOR. It makes it easy to start using TOR, no nerdy settings needed. A separate browser is also really necessary to guard your privacy as your normal browser is full of cookies that can identify you.

Installing TOR is easy, but that alone does not guard your identity. If you want to be truly anonymous at some certain site, you need to follow some additional guidelines.

• Do not use a user name or account that you have used previously without TOR. That account can be connected to your real IP-address using old log entries. Start fresh and create a new account through TOR. Needless to say, your new alias shall not give any hint about your true identity.
• Make sure that all your access to the site where you want to be anonymous is through TOR. Even a single login from a connection that can be traced may reveal you.
• If you have to provide a mail address for your new account, use TOR to create a new mailbox in a webmail service of your choice and use that address exclusively. tormail.org is an alternative if you are paranoid.
• Think about what info you submit when anonymous. Personal info is naturally no-no, but also other kind of knowledge may reveal you or limit the number of possible persons behind your alias.
• Don’t use both your anonymous identity and your real identity from the TorBrowser at the same time. This makes it possible to tie them together as they both would use the same IP-address. You can use the Vidalia-console to refresh the IP-address that is shown outwards. Make sure you do this before logging in with another identity, or use your real-life identity from your normal browser instead.
• Don’t break the law. That is of course good advice in generic as well. In this case a criminal investigation will pose a greater threat against your anonymity as the authorities have much more abilities to trace you.

Disclaimer. I hope you never truly need this kind of protection. But if you are in doubt, play safe and cover your tracks. Also keep in mind that it is tricky to be truly anonymous on the net. That is especially true if you are wanted by the authorities. Do not rely solely on this article if you are in a situation where your personal safety depends on anonymity, like for high-end whistle-blowers or opposition activists in non-democratic countries. What’s said above is a good start in these situations too, but you should get a more comprehensive understanding of on-line anonymity before putting yourself at risk.

Check what your surfing looks like from the site owners’ perspective. This site reveals the info. If using several connections, like home and work, check all of them. If you install TOR, visit the site from the TorBrowser to see how the address has changed.

Safe surfing,
Micke

PS. Another way to see the need for anonymity. The law protects our property against thieves, but still we use locks. The law protects our privacy on-line (to some extent), but most people do not enforce that in any way. TOR is for privacy what a lock is for theft. Why not play safe and lock it?

Photo by zigazou76 @ Flickr

Share this

Sharing photos on the net is fun, but did you know how much a single picture can tell? I’m not talking about the traditional “more than 1000 words” here. I’m talking about metadata. This is invisible data that describes the content and is embedded in the picture file. This is some of the data that a photo can contain:

• Date and time when the picture is taken
• Photographic parameters like lens, aperture and exposure time
• Geographical position from a GPS-device
• Information about the device that took the picture, brand, model, serial number, etc.
• Name and contact information of the device’s owner
• Information about the photo’s copyright owner and rights to use the photo
• A lot of other info that professionals and serious amateurs can use to manage large photo collections.

All this data does really provide a lot of added value. You can automatically have shots sorted by capture time, you can plot photo locations on maps, find all shots taken with a certain camera or lens, and so on. The possibilities are almost endless. But metadata is like all other great things, it can be used and misused. The downside is naturally privacy.

I did a quick test with my Nokia Lumia, which is a Windows Phone -device. It turned out that its camera embeds the date and time, photographic parameters and the GPS-location automatically. But data about the owner is not included. This data is also kept when using all share-options that I currently have available; mail, Flickr, Facebook, SkyDrive and DropBox. There’s no setting anywhere that would control this behavior. In theory, I could reveal my exact location every time I upload a photo.

But this is not the full story. The service that you upload to can also decide how to process metadata. Facebook strips it altogether. This design was probably implemented to save storage space, but has a positive side-effect on privacy. Photographers who are interested in the photo parameters are however not happy. Flickr uses a different strategy. Metadata is extracted and used in the interface. You can decide if you want it to be showed or not. Users can also download smaller picture files without metadata, or the original with all data intact, if you choose to allow it. It’s quite natural that Flickr is more advanced as it is a site focusing on photo sharing.

So what should I do about this?

• What data you share depend on many factors, so you really have to find out yourself. Go to the site where your pictures are shared. Download a picture of yours and examine its metadata. This can be done by opening the file’s properties or with some special tool. Photo editing software usually let you examine and manipulate the metadata. Opanda IExif is a free tool for Windows. Think about what data you can see and if you think it is a privacy problem.
• If you share photos from your mobile device, there may not be much you can do to manage metadata. Look for settings controlling metadata in the camera program and all apps used when sharing. You may also look for alternative apps with better controls. If nothing else helps, you may have to accept the situation, restrict your sharing or disable the GPS if position info is your concern.
• Old-school folks who share through a computer have much more options. Most workflow programs have options that control what metadata you embed in the final files. There’s also many tools available that can strip metadata from files before you upload. I already mentioned one above.

To summarize. You do not necessary have a privacy problem with metadata in photos you share. It depends on many factors. The device you take photos with, the software you use to process and transmit the shots and finally the site where they are published. And naturally your own privacy expectation, what data are you ready to share? But the most important point is to be on top of this yourself. Don’t leave it to chance. Check what you share and make up your mind if it’s OK or not.

An exercise for you. Download the photo file in this post and check what kind of metadata you can find in it. It’s taken straight from my workflow program on the PC, no data removed.

Safe surfing,
Micke

PS. Also keep this in mind if you feel tempted to cheat about when and where a shot is taken. You are unlikely to get away with it if you have photo-savvy friends.

Photo by Micke-fi @ Flickr

Share this

F-Secure is about to host our annual Hackathon in Bangsar South at our Kuala Lumpur office on April 12-13.

It will kickoff F-Secure’s 25th Anniversary celebrations in the APAC region. The theme is “Securing service in the Web” and developers will be provided with a variety of APIs for web reputation and real-time malware detection from our cloud network.

The winner gets to have dinner with our own Chief Research Officer and inductee to the Infosecurity Europe Hall of Fame — Mikko Hypponen

You can sign up here.

Cheers,

Jason

Share this

- (phone rings) Hello.
- Hello, I’m calling from American Express. Are you Mr. *****  ******?
- Yes, great that someone finally reacts to my reclamation.
- First I need to verify your identity. What’s your social security number?
- Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
- (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
- Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

• Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
• Do not give out your SSN unless you know who he other part is.
• Verify that the other part has a valid reason to use your SSN before you reveal it.
• If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
• Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
• Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
• Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
• Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

Share this

But before you do, now is an excellent time to think about something that’s going to be a much bigger issue soon — your photo privacy. The new newsfeed is all about highlight photos and making them easier to share.

In a recent survey of Facebook users, we found out that 1 out 5 have had a picture of piece of content posted on Facebook reused without their permission*.

This is why it’s important to remember the key rule of Facebook privacy: Nearly anything you share on Facebook can be reshared by your friends — no matter how locked down your privacy settings are. You do technically own the content you post on Facebook, meaning Facebook probably won’t claim control of your content (even though its terms and conditions suggest it might be able to.)

But once you post anything on a social network, you’re basically setting it free in the world.

There are also a few key things about photos that many Facebook users are not aware of, though they are listed in Facebook’s privacy help pages:

• The privacy setting for your Cover Photos album is always public.
• If there’s a photo of you in an album that someone else posted, only the person who posted it can change the album privacy. If you don’t like the photo, you can remove a tag or escalate the issue.
• If you share a high resolution photo or album with someone, that person will be able to download those photos.
• Unlike other photo albums you create, you can choose an audience for individual photos in your Timeline Photos and Mobile Uploads albums. Each time you post a new photo, you pick who sees that photo using the audience selector.

You can always change the privacy setting of any individual album or photo by adjusting the icon. If you want to avoid your friends seeing an embarrassing photo of you that you didn’t post but were tagged in before you do, be sure to use the “Activity Log.” Here’s how:

How do I get to my activity log?

You can get to your activity log from your privacy shortcuts:

1. Click your privacy shortcuts in the upper-right corner of the page and select Who can see my stuff?
2. Click Use Activity Log.

Note: Only you can see your activity log. However, stories in your activity log may appear other places on Facebook, like on your timeline, in search or in your friends’ News Feeds.

Cheers,
Jason

*Based on a survey of 495 Internet users contacted in December 2- 31 2012 through Facebook, Twitter and the F-Secure Safe and Savvy blog and conducted through Surveygizmo.

Share this

Having a camera in your phone has lowered the threshold to take photos tremendously. It’s always with you and ready to snap. But you still have to take it out of the pocket and aim it at your object. The “victim” has a fair chance to notice that you are taking photos, especially if you are working at close distance.

Google Glass is a smartphone-like device that is integrated in a piece of headgear. You wear it all the time just like ordinary glasses. The screen is a transparent piece in your field of view that show output as an overlay layer on top of what’s in front of you. No keyboard, mouse or touchscreen. You control it by voice commands. Cool, but here comes the privacy concern. Two of the voice commands are “ok, glass, take a picture” and “ok, glass, record a video”. Yes, that’s right. It has a camera too.

Imagine a world where Google Glasses are as common as mobile phones today. You know that every time you talk to someone, you have a camera and microphone pointed at you. You have no way of knowing if it is recording or not. You have to take this into account when deciding what you say, or run the risk of having an embarrassing video on YouTube in minutes. A little bit like in the old movie RoboCop, where the metallic law enforcement officer was recording constantly and the material was good to use as evidence in court. Do we want a world like that? A world where we all are RoboCops?

We have a fairly clear and good legislation about the rules for taking photos. It is in most countries OK to take photos in public places, and people who show up there must accept to be photographed. Private places have more strict rules and there are also separate rules about publishing and commercial use of a photo. This is all fine and it applies to any device, also the Google Glass. The other side of the coin is peoples’ awareness of these laws, or actually lack thereof. In practice we have a law that very few care about, and a varying degree of common sense. People’s common sense do indeed prevent many problems, but not all. It may work fairly OK today, but will it be enough if the glasses become common?

I think that if Google Glass become a hit, then it will force us to rethink our relationship to photo privacy. Both as individuals and as a society. There will certainly be problems if 90% of the population have glasses and still walk around with only a rudimentary understanding about how the law restricts photography. Some would suffer because they broke the law unintentionally, and many would suffer because of the published content.

I hope that our final way to deal with the glasses isn’t the solution that 5 Point Cafe in Seattle came up with. They became the first to ban the Google Glass. It is just the same old primitive reaction that has followed so many new technologies. Needless to say, much fine technology would be unavailable if that was our only way to deal with new things.

But what will happen? That is no doubt an interesting question. My guess is that there will be a compromise. Camera users will gradually become more aware of what boundaries the law sets. Many people also need to redefine their privacy expectation, as we have to adopt to a world with more cameras. That might be a good thing if the fear of being recorded makes us more thoughtful and polite against others. It’s very bad if it makes it harder to mingle in a relaxed way. Many questions remain to be answered, but one thing is clear. Google Glass will definitively be a hot topic when discussing privacy.

Micke

PS. I have an app idea for the Glass. You remember the meteorite in Russia in February 2013? It was captured by numerous car cameras, as drivers in Russia commonly use constantly recording cameras as measure against fraudulent accusations. What if you had the same functionality on your head all the time? There would always be a video with the last hour of your life. Automatically on all the time and ready to get you out of tricky situations. Or to make sure you don’t miss any juicy moments…

Photo by zugaldia @ Flickr

Share this

94% of all mobile malware the F-Secure Response Labs analyzed in Q4  targets Google’s Android platform.

You can get the whole report here.

Here’s what the growth of mobile mobile malware looks like over 2012.

As Android threats have grown, Symbian malware has nearly disappeared. Why? Symbian which used to be the world’s most popular mobile OS is disappearing. Nokia phones are increasingly moving to Windows Phone, which — as you may have noticed — is attracting no threats. The world’s second most popular mobile platform Apple’s  iOS for iPhones and iPads also had no threats found in 2012.

Why the difference? It comes down to platform openness and App store security.

How can you protect your phone from these threats?

1.  Stick to the official app stores.
Apple and Microsoft have strict guidelines for their app stores and Google’s Play store is increasingly adopting restrictions that prevent bad apps from ever showing up. If you only get apps in the official stores, your chances of getting a bad app are almost zero.

2. Check out reviews.
Malicious apps are often weeded out by active users who rate and review software. If an app doesn’t have positive feedback and a lot of it, you probably don’t want to be the one who tests it out.

3. Keep your phone’s software updated.
Your smartphone is a mini PC with the same software issues that your PC has including software that continually needs to be updated. This may require some help from your carrier depending on your phone –  but the basic rule is: The more current, the better.

4. Be very careful when giving your mobile number out.

The main thing to keep in mind is that while your family and friends may want to pry on your phone to see what you’re up to, the most likely reason a criminal will be targeting you is pretty obvious.

You guessed it: FOR THE MONEY.

Cheers,

Jason

Share this

Soon I get a mail from a nice young lady. Let’s call her Mrs. Witney De Villiers, as that is what he or she called herself. (Probably a randomly picked false identity, any similarity to real existing persons is purely coincidental.) She was very keen on buying my boat and we had a nice conversation over a couple of days. I did unfortunately not sell the boat, but I got a nice story to tell instead. I will not bother you with all the details, so here’s a shortened version with all the important parts included.

- Hi, I’m in Mexico and I want to buy your boat. How long have you had it? What’s the final price? (Well, I’m in Finland and this is the point where I became more or less convinced that it is a scam.)
- I have had it for five years.
- OK, the price is fine. I want to buy it. Please take down the ad. What’s your PayPal account info so that I can make a payment? I’ll cover the PayPal charges. (Needless to say, the ad remained up.)
- Good news. I can accept wire-transfer which would be a lot cheaper for you than PayPal. (She can’t accept if this is a traditional PayPal scam.)
- Sorry, but I can’t do wire-transfers now. I only have access to PayPal because bla bla blaa …. (Yes, another scam-indicator.)
- OK, I created a PayPal account. Here’s the account info. But there’s some paperwork we need to handle before we proceed. Please fill in the buyer’s part of this attached contract and mail a scanned copy to me. I also need a picture of your photo ID. (The provided PayPal account info was false.)
- Great! I have made the payment. “Check your mail as there should be a confirmation mail from PayPal. I made an extra payment of 3650 € and I’am sure you noticed that, you’ll have to send the extra amount to the Shipping Company through Western Union right away, so that they can come ahead for the pick up and also you should send your address where they have to come for the pick up and also the necessary Western Union Payment Information.” (All the key elements in this very traditional scam becomes visible at this point. This is where you should realize what’s the name of the game, if you haven’t figured it out already. A faked mail from “PayPal” appears in my spam folder.)
- Hold your horses. We need to do the paperwork first. See my previous mail.
- “I want you to know that I have made an arrangement for you to receive the copy of my ID and my other necessary data for the boat. I want you to know that the courier representative coming over for the pick up has all he said documents in an enclosed confidential envelope with him which he will deliver to you in person.”
- Well, we really need to close the deal and have a legally binding agreement before we can arrange for transportation.
- “I understand your concern and certify that all sales is final. Your show of concern has given me a very good fact that you are indeed an honest seller hence, the reason why I am using this medium to confirm to you that all sales is final and I am satisfied with the present condition of the Boat.. so you can now proceed with the western union and get back to the paypal with the western union scan receipt so they can release all the fund into your account immediately..More so, send me a copy of the western union receipt… i look forward to read from you…” (Contract and passport files attached. Oh gosh what a poorly faked British passport!!!)
- Thanks, but you forgot to sign the contract.
- “Oh sorry, I write my name as the signature.. i hope to receive a copy of western union receipt from you today…” (That “signature” was typed, not handwritten.)
- Just want to let you know that I need the SIGNED contract before 3 PM. Otherwise I will not have time to go to the bank. And I’m traveling tomorrow so I will be unable to handle transactions. (To create urgency is a common scammer tactic. )
- “Have signed on the contract.. i wait to read from you with the western union receipt..” (Printed, handwritten and scanned this time. It’s 4 AM in Mexico when this part of the conversation takes place.)
- WTF!!! The bank refused the transaction. The recipient is on some kind of international blacklist, apparently suspected for criminal activities. (Well, I wasn’t completely honest here.)
- “How about you go there and split up the money in to 2 and send on two transaction.”
- I’m certainly NOT going to send any money to a blacklisted company!
- “here is another shipping company info [another private person in US] I wait your story again” (We enter the threatening phase. A while later a mail appears in my spam folder. “PayPal” will take “LEGALACTION” and hand me over to FBI if I don’t pay in 24 h.)
- What are those clowns at PayPal up to now? They talk about some legal action against me even if I haven’t entered into any legally binding agreement to transfer money. Do you have any clue, or maybe I should contact PayPal directly and ask what they think they are doing? (Let’s see how/if they react. Contacting PayPal would reveal the scam instantly.)

Next I got a long mail pointing out how honest this lady is and how keen she is to do business with nice and honest sellers like me. But she can’t unfortunately do anything about the PayPal actions as the purpose of all that is to protect both the seller and buyer. She points out that even a smaller sum would be enough to release the payment into my PayPal account (ok, we are in the bargaining phase). At this point I decided that this blog post is becoming far too long and chose to not respond at all. She didn’t get back to me either. They probably realized that they are not going to get 3650 € from me and gave up.

As you have noticed, I became wary at a pretty early stage. There were several details in this conversation that made me suspicious. 37 to be more precise:

1. The boat is of a local brand made for the Finnish market and totally unknown pretty much everywhere else. Why did she want this particular brand and model? Boats are also different in Mexico and Finland. My boat would be a real oddity over there.
2. The boat is far too cheap to make it feasible to ship across the Atlantic.
3. Smaller boats are inexpensive and widely available in the US. Buying one from Europe would be madness even if shipping was free.
4. Buyer showed very little interest in the object. A 10 years old boat is not a bulk item. Every such boat has a soul of its own. One would be mad to buy without seeing it.
5. Only one question was asked about the price. And it was no problem to proceed even if I ignored that question. Well, price doesn’t matter if you have no intention to pay.
6. The buyer paid a lot more interest in the payment process than in the object of the deal.
7. The buyer was extremely keen to pay and close the deal, but not to make any official papers that would prove her ownership. It should really be the buyer who cares about the papers and the seller who cares about payment, and not the other way around.
8. Messages in the beginning of the conversation were very generic boilerplates. They were designed to work for any kind of goods. It doesn’t sound very convincing when selling a boat and the other part insists on talking about “the merchandise”.
9. No other method of payment worked except PayPal. Naturally, as their scamming technique is based on PayPal.
10. I’m supposed to make a payment to a courier company, which indeed do exist. The address to receive the payment has however nothing to do with that company. Both courier companies seem to use private persons in US as their billing contacts. Strange.
11. A common tactic throughout the conversation was to ignore questions and requests that were not part of the script. They were addressed only if they stalled the process.
12. The buyer had no problem “sending the money” even if the provided PayPal account was false. “PayPal” also had no problem sending mails to this non-existing account holder.
13. The scam includes sending a fake message from PayPal stating that the money is on hold until the shipping agent has been paid. This fake is obvious if you know how PayPal works or know how to check the sender’s true mail address.
14. The whole scenario match the very common scam where the victim is lured to pay money to someone and is promised more money later. The Nigerian scams belong to the same group and use a logic that is quite similar.
15. At one point they claim to be satisfied with the present condition of the boat. They have made no attempt to find out in what condition the boat is.
16. This Mrs. Witney De Villiers seems to be a true cosmopolitan. She is using an address and phone number in Mexico for this deal but her passport is British. At one point she also mentioned a phone number located in the British Virgin Islands. A Google search revealed that young ladies with an identical picture are living in at least two different places in US, but are using different names.
17. If the husband of Mrs. De Villiers is still around, then he should do some Googling too. Seems like at least two dating sites have profiles with the photo of his wife.
18. If you look European and hold a British passport, one could assume that you know English. But I guess that means nothing, people are so sloppy with grammars nowadays …
19. And the passport. Oh gosh! Where should I start? The name has apparently been replaced, very bluntly, I might add. The first thing that strikes the eye is that the new name is in a different font than the rest of the passport. The font isn’t even close. But they did at least get the color right. All text is black. That’s an achievement considering their overall Photoshop skills!
20. The background behind the replaced name does not have surface structure that is coherent with the rest of the passport.
21. They didn’t apparently know how to scale pictures in Photoshop as the passport’s photo is smaller than the place reserved for it. (The photo of “Mrs. De Villiers” can be found on the net with more than sufficient resolution to fill the whole space.)
22. The empty space around the passport’s too small photo is very badly cloned.
23. If replacing part of a text line, make sure the new text is vertically aligned with the old text. It looks funny otherwise. Using the same text size also helps. And yes, I mentioned the font already.
24. The passport’s signature is readable. But wait a minute! It reads Gabriella B and not Witney De Villiers!
25. The embedded metadata in the passport’s picture file reveals that it isn’t saved by a camera’s firmware. The file comes from Adobe Photoshop CS4 for Windows.
26. The content of the optically readable bottom lines do not match the standard for passports.
27. Got a contract with a typed signature instead of handwriting. The habit to handwrite signatures should be fairly well known globally.
28. When I finally got a signed contract, the signature bears no similarity to the signature in the passport, even if both are supposed to be signed by the same person. They didn’t even try to mimic he signature in the passport.
29. The signed contract seemed to be scanned with a Konica Minolta multifunction device. “Mrs. De Villiers” mentioned however earlier that one of the reasons why she couldn’t do wire transfers was that she was out boating. Well, she could of course be cruising with a well-equipped boat, but buying mine would be a big step down in that case.
30.  “Mrs. De Villiers” is very keen to get the receipt of the transport agency payment herself. The faked mails from “PayPal” do however clearly state that it is PayPal who need the receipt to clear the transaction, and not the buyer.
31. This young lady in Mexico seems to have unusual working hours or staff that works shifts to answer her mail. Replies are received promptly throughout the European working hours.
32. When the payment is delayed they start to threaten the victim. “PayPal” claims that legal actions will be taken if the payment isn’t made, and the seller hasn’t fulfilled that part of the “agreement”. Interesting in a situation where the seller hasn’t made any legally binding commitments to relay money.
33. When they enter the threatening phase, they try to use FBI to scare the victim. Finland is not part of the US, which the scammer may or may not know. Looking up the name of the local police, or even using Europol, could have increased the scare-factor. They do mention the “World Law Enforcement Agency”, but selecting an existing agency might have been more effective.
34. The first threat mail arrive less than 48 h after the initial notification that “PayPal” has a pending transaction. No previous mails do however contain any information about a deadline for the payment or anything about legal consequences if no payment is made.
35. At one point she started bargaining and suggested that I should send at least some money ASAP and the rest when I have got the money on my account. 20 minutes later I receive a mail form “PayPal” that clearly states that the full 3650 € must be paid before the funds are released. There were many more discrepancies between the messages from “Mrs. De Villiers” and “PayPal” even if both came from the same source.
36. When the bargaining starts, she mentions that I can pay a smaller part first if I’m short on cash and need to borrow money. Well, a couple of days ago I claimed that I had tried to transfer the whole sum, so it should be clear that I have the money.
37. Some of their boilerplates seem to have been in use for many years. Googling key phrases will reveal the scam immediately and point to discussions and warnings that are several years old.

Fake passport. Some parts blurred to protect victims of identity theft.

Sounds hilarious, doesn’t it! The scam is so obvious when presented in this way. And forcing the scammer out of the ready-made script makes the act crack up even more. But the sad fact is that people are lured by these guys daily. A lot of this seems to be done in volume so they must be dealing with a significant number of victims every day. Their way to do business very quickly and easily may seem feasible for smaller bulk items, and may not ring the alarm bells in the same way as when dealing with bigger items. Big or small item, it’s always a good idea to take a critical look at the whole case and look for discrepancies like this. Many of the points listed above are on their own enough to spot the scam. Also make sure that they can’t orchestrate the show on their own. Think about what you need to be able to trust the other part, and be persistent about getting what you want. Reluctance to comply is a pretty strong sign that something is fishy.

The core point for anyone who runs into cases like this is however to understand how the scam works. That’s the key to recognizing it in practice. You are promised money but something must be paid before the transaction can be completed. Sounds familiar? Yes, this is basically the same scenario as in the Nigerian scams. The core of the scam is that the money you are to receive is just a promise, but the money you transfer to someone else is real. The PayPal-based scams may be somewhat more effective as many people trust PayPal. It’s not an official bank, but many people think of it as a bank. You may believe that this trusted party is holding the money and securing the transaction. In reality, all you have got is a faked mail. There is no PayPal transaction and the promised money is just numbers written in the mail.

If you fall for the scam and pay, the scammers will vanish like smoke in thin air. PayPal can’t help you as this has nothing with them to do. The scammers have just misused PayPal’s name. And the payment method used to collect your money is always irreversible and provides no security for the sender.

So to summarize. If you ever consider engaging in a transaction with strangers and where money is relayed through you, you should:

• Validate the reasons for the transaction. Most proposals of this kind are scams.
• Make sure that you really know who you are dealing with. Demand proof of identity.
• Make sure that the money is under your own control before making any payments to others. Cash or a deposit in your own account is pretty safe. (Added: See the comments below for an issue with this.)
• Make sure that you are not engaging in money laundering.

What really strikes me is how poorly this false buyer’s role is created. Some simple Google searches is all it takes to reveal the scam. And many discrepancies would have been so easy to fix. Are these guys really “America’s dumbest criminals”?

Maybe, maybe not. The point is probably that you need to be suspicious before you turn to Google. And once there you will find descriptions of this type of scam no matter how well the scammers have tried to eliminate discrepancies in their story. So once you get suspicious, it’s game over for the scammers anyway. The most profitable tactic for them is maybe to run the scam en masse without caring about the details, and just harvest those who won’t get suspicious until it’s too late. Or maybe they’re just stupid and can’t do any better? (Believing that anyone would fall for that fake passport would indicate the latter.)

Well, the boat is still for sale. Anyone interested?

Safe surfing,
Micke

Message from “PayPal”. Note the sender’s address and the scam warning. The warning is actually authentic and copied from real PayPal messages. This may be good advice against phishers, who just know the mail address but not the victims real name. All “PayPal” mails in this case had the correct name in the beginning.

Share this

UPDATE: You can now watch a recording of this event here.

Want to hear our cyber security rock star/guru Mikko Hypponen, live? Our upcoming free lab webinar is your chance! He’ll speak about the hot topics in the world of fighting malware. You’ll even have an opportunity to ask him your most burning questions.

Topics Mikko will cover:

• Mobile Threat Report – Be the first to know what’s in our brand-new report, coming out the same day. Hear the latest on Android and Symbian, mobile banking Trojans and more – and get Mikko’s perspective.
• Click Fraud Business – Advertising is big business. Click-fraud is complex and is an innovative crime. What does it involve and how did it get this way?
• Fighting bots on your computers and your phone – Windows-based botnets are a major problem. What can we do to fight them? And how can we prevent our phones from becoming the next battleground?
• Apple, FB hacks and its implications for the rest of the world – Facebook and Apple employees were compromised. How did it happen? What are the issues and who else may be affected? And what does it mean for the rest of us?

Hear it straight from the labs, live and unplugged – click here to sign up now.

Share this

Thursday night and checking Facebook on my mobile before going to sleep. One of my friends is complaining about how hard it is to use Yahoo mail abroad. Problem logging in and now there’s some problem with the account. “Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. Click Here to verify your email account now.” And when you try to resolve it, it doesn’t even work. You just end up on the login page! Damn Yahoo!

Stop! This message is not about a problem with the mail system, it’s a very typical phishing mail. I responded with a warning, and yes, the link had indeed been clicked and the credentials entered on a page that looked like the Yahoo login page. That made my friend a phishing victim like so many other Internet users. It was the beginning of a long night trying to figure out how to change the mail password using a tiny mobile screen. But the case came to a happy end. The password was apparently changed before the attackers had a chance to take benefit from the account, thanks to the swift reaction.

How to spot a phishing attempt?

• It arrives as a mail message. Mail can be sent by anyone and it is trivial to spoof the sender’s address so that it seems to come from your mail operator or some other company you trust.
• People think less when they are afraid so it tries to create a sense of danger. Something bad will happen unless you react. The closure of your account is a very common threat when phishing for e-mail accounts.
• People think less when in a hurry so it tries to create a sense of urgency. You need to act right now. This lowers the risk that the victim checks out the facts first. The 24h deadline is a typical trick to achieve this.
• It links to a web page that looks like an official page of, for example,  your mail operator. But it is actually controlled by the attacker, who also receives any information you enter. You are hacked if you enter your mail user name and password, or other valuable information.

My friend is not a computer newbie, and did in theory know all this. But the attack succeeded anyway. How is this possible? Imagine that it is late in the night and you are tired. There are other people distracting you. You are traveling and really depending on your mail account. And on top of that, you have had problems and expect even more trouble with this operator. So this is a very typical situation where the fingers can be faster than the brains. This is really the optimal situation for an attacker to hit, and they happened to send this phishing mail at the right wrong time.  Honestly, are you sure this couldn’t happen to you?

Ok, so what should I do to avoid being phished?

• First of all, do not click links in mails! This is not just about phishing, many get malware too by clicking links. But there are also legitimate links that friends send to you. So you should always think about who the sender is (remember, the apparent sender can be spoofed), in what style and language the message is written, what the claimed content of the link is and how does all this fit together? To summarize, do I expect this kind of message from this person (or company) at this time? This way you should be able to spot the legit links.
• If in doubt, check what address the link is taking you to before you click. Note that the text forming the visible part of the link may look like a web URL but still be linked to a totally different address. Hover the mouse pointer over the link and examine the address that the mail client or browser shows you. Make sure that the address match the company or site that the link is claimed to point to. For example: The login to Gmail should start with “https://accounts.google.com/” but a phishing site targeting Gmail may use an address like “http://accounts.google.com.etw368hj.nu/”. The latter does NOT belong to Gmail.
• Get familiar with the login URLs of your favorite services BEFORE you run into a phishing mail. Then it is a lot easier to spot the spoof. The address may look long and nerdy, but you only need to mind the part after the double-slash “//” but before the first single slash. That part identifies the server that you will access. (Your browser may show the address without the initial “http://”, in that case just examine the part before the first slash.)
• Get familiar with the concept of secured web pages and how to recognize them. Login pages of important services are typically protected this way. Their addresses start with “https://” instead of “http://” and your browser shows a lock or similar symbol next to the address field. You can examine the certificate of the server you are connected to by clicking the lock, and this is reasonable hard proof about who’s running the service. Needless to say, the phishing sites can’t duplicate these cryptographic certificates.
• If you suspect that there really may be a problem with your mail account, then log in with the link that you normally use to access the account. Do not use a link in a mail message. Look for info banners and pop-up messages shown in the browser after you have logged in. These messages are a lot more reliable and can generally be trusted. Mail operators are well aware of the phishing threat. If you get a mail claiming that there’s a problem, then you can be pretty sure that it isn’t true. The mail operators do not communicate in that way.
• If you still fall for the scam, attempt to change your password right away. This is also a good time to think about if you have used the same password on other services. Say that john.doe@gmail.com is using the same password as john.doe@hotmail.com. If one get hacked, then the hacker just need to try some of the common mail services to get access to more accounts. This would be a good time to brush up your password practices.

As a practice, examine the link above and try to figure out where it points and what company it belongs to without clicking it.

Safe surfing,
Micke

Phishing @ Wikipedia.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Share this

Your customers win because they can store, sync, share and access their photos, videos, documents and other data securely, from any device. They get a consistent user experience across their digital life with security based on F-Secure’s proven technology. You win through additional revenue opportunities and association of your brand.

Consumers are adopt more and more devices for daily use – from smart phones to tablets to laptops and pcs. And they want those devices to share and have access to more and more content – from simple documents to photos and videos and more. Research shows that consumers want personal cloud services and that they want to know their photos, videos, documents, and data are safe, secure, and under their control. According to our research* 68 percent of consumers are concerned about third parties gaining access to their content due to vulnerabilities in cloud storage providers’ technology, and 42 percent feel they are losing control of their content. Yet, these are issues that should be of concern for everyone!

“Content Anywhere is the world’s safest cloud,” says Timo Laaksonen, Vice President, Content Cloud at F-Secure. “We are a security company with over two decades of security expertise. Our cloud is built and managed according to proven security processes. It’s not simply an afterthought like some other services out there.”

Designed with platform openness, data portability and data sovereignty in mind, Content Anywhere can easily be configured under your brand’s look & feel, while the service platform integrates directly to your authentication, provisioning and billing systems. Further VAS services can also be launched on the platform with ease – giving you the opportunity to provide your customers with access to their precious content from any device with confidence it’s private and secure because it is offered from a brand they trust: yours.

*The F-Secure broadband survey covered web interviews of 6,400 broadband subscribers aged 20–60 years from 14 countries: France, the UK, Germany, Sweden, Finland, Italy, Spain, the Netherlands, Belgium, USA, Canada, Brazil, India and Japan. The survey was completed by GfK, 25 May–1 June 2012.

[Image by ^riza^ via Flickr]

Share this

Cybercrime doesn’t just affect end users. Infected networks cost providers huge losses through needing to deploy expensive internal resources to clean, repair and manage any damage caused. In addition to direct theft of data, operators experience additional financial pressures from increases in service calls from infected end-users, researching and refunding fraudulent charges, reduced network bandwidth and damaged brand association – let alone the risk of potential fines and penalties.

Reduce your risk, improve your anti-cybercrime activities, and enjoy more profitable customers with F-Secure AntiBot: a cutting-edge, new product specifically designed to clean an operator’s network of botnets.

• Secure your network and attached devices
• Provide customers a significantly differentiated offering via a more secure network
• Reduce costs from increased help-desk usage, fraudulent billings, and repair costs associated with cyber crime
• Provide customers with a safe and uncomplicated experience

F-Secure AntiBot is designed to automatically detect and identify infected network devices and remotely disinfect them. It can guide end-users through a simple cleanup process that reduces or eliminates the need for expensive and time-consuming calls to your helpdesk and support services – thus providing a more customer-centric and positive experience.

A Bot is a malware-infected device that gets taken over and remotely controlled by cybercriminals. A Botnet is created when cybercrimals are able to take over a number of devices and link them together to perform broader activities and more extensive damage – like sending mass spam that hogs a network bandwidth, sending text messages to premium numbers, or flooding recipients with unwanted ads. They can even take a device “hostage;” requiring a ransom to be paid before ceding control back to the owner.

“Botnets are not only extremely disrupting to consumers, in that they impact device and Internet performance, they are also a risk to their privacy.” says Pekka Mettälä, Head of Global Business Development at F-Secure. “Private credentials like passwords can be stolen, giving access to online bank accounts, social media accounts, and other personal data. Operators who can provide customers with more simplified or automated and robust protection from botnets, will enjoy a distinct advantage over their competitors as well as more satisfied and loyal customers.”

Operators benefit directly through reducing their network’s vulnerability and through doing their part towards stopping the proliferation of botnets and cybercrime. Expensive resources previously dedicated to repairs and maintenance after an infection is discovered, can now be utilized for more productive activities.

Customers benefit from an overall reduction of risk as well as a more simplified process for dealing with their infected devices.

Cheers,

Melissa

Share this

Some days you will remember forever. In your personal life, these irreplaceable days include the birth of your child, your wedding or visiting a new country. In business, it could be a promotion to new job, meeting an important business partner or speaking at a conference.

Last Tuesday is definitely a day I know I’ll remember forever.

When I woke up at 5am to catch my flight to Berlin, I had a little smile on face. I was heading to a ceremony where F-Secure would be given the prestigious BEST PROTECTION 2012 AWARD from AV-TEST.

Winning feels always great. Working in a software security company, you really don’t concentrate on winning a certain award or nomination. Our focus is on providing best possible product and service to our customers.

We know it’s not easy to select security software to protect your PC. Each vendor claims to provide the best protection, most features and the simplest interface.

Testing security software is not easy either. It’s especially difficult to prove how good protection is against modern, sophisticated malware. It requires deep knowledge of malware and state-of-the-art testing facilities. AV TEST is one of the most respected independent testing organizations in the antivirus industry.

Being recognized by AV-TEST as the best product to protect consumers feels even better than great. It feels awesome.

Of course, this award would not have been possible without huge effort from hundreds individuals within our Labs. It’s their skills, hard work and determination to be the best that has made all this possible. They analyze sophisticated threats, provide detection mechanisms against them and develop new technologies to protect against new, unknown malware.

It’s really they who receive this award. For me, it’s my honor to work with them.

After the  award ceremony and photos, AV-TEST arranged for a trolley car tour around Magdeburg, where our guide George gave us a history of the city. A gala dinner followed. It was an excellent time and unique opportunity talk with Andreas Marx, Guido Habicht and Maik Morgenstern about latest trends in computer security.

Tomorrow, I’ll head back to Finland. My colleagues are anxiously waiting to celebrate this award in our own special way. At F-Secure we have a tradition. We take our trophies out on the town and pose them for pictures around Helsinki so we can post them online. And we never forget to get a picture in the sauna.

Great tradition. Great times.

—
Sami enjoys his freetime with his family and friends. He is a long distance runner who participates in 2-3 marathons every year. He never travels without his running gear.

Share this

One of the major trends is no doubt the increasing importance of exploits and vulnerabilities. And you have probably already heard the nagging about how important it is to patch your system. That IS good advice and our threat report shows how it is getting even more important. But I don’t want to just repeat the nagging. I want to take the opportunity to dig a bit deeper into this issue and explain what it is all about.

There are basically two ways to get malware into your computer; to trick you to install it and to utilize a vulnerability. All software in your computer is written by humans, and as we know, “mistake” is our human race’s middle name. Mistakes in computer programs are called bugs and a vulnerability is a special type of bug. Many bugs just affect the functionality of the program. Something may not work or work in an unexpected way. Applications are supposed to handle errors in a graceful way. But they may encounter erroneous data that the programmer didn’t anticipate. The application wreaks havoc and starts behaving in an unplanned way, and this may breach security. If this can happen, then there’s a vulnerability in the system.

An exploit is data that is carefully crafted by a hacker. Its purpose is to create an error that is no accident . What happens after the error is not chaotic after all; it is orchestrated by the hacker. He has at this point gained unauthorized control and the next task is to make sure that some malware is installed permanently on the system. The attacker has successfully exploited a vulnerability.

This may happen by just visiting a web page. The web page is a document that is rendered by your browser. If your browser has a vulnerability and you visit the wrong page you may be victim of a so called drive-by download. You surf the page comfortably unaware of the fact that a program silently is installed on your computer. And that’s not a friendly program!

But I have bought an antivirus program for good money. Doesn’t that protect me? Yes, that’s good. But we still recommend that you pay attention to patches as well. Your security product will detect and block malware that is about to execute. It will monitor your file transfers over the net and block harmful content. It will even check what sites you surf and warn when entering hostile territory. And if all that fails, executing programs are watched for suspicious behavior. But all this is a cat and mouse game. The bad guys come up with new clever tricks to circumvent all these layers and the security researchers upgrade the product to cope with them. If you are unlucky you can hit malware that your product can’t cope with yet. Remember that no product will ever give you 100% protection no matter what the sleek marketoids are claiming! But you are still fine if you have patched the vulnerability that the bad guys try to exploit. The malware has to go through that bottleneck so why not plug the hole? It can’t be done by your security vendor; it must be done by the vendor of the affected software. Your security suite can just build layers of security around the hole, but not correct errors in other products.

OK, I’m convinced. I want to start patching my system now. But how? One problem is that you probably have software from several vendors on your system. They all have to produce patches for their own product and there is no single outlet that would provide patches for all vendors. That’s one of the reasons why we have made F-Secure Safe Check . This free tool checks the security of your system from several different angles; your patching status is one of them. And you will get instructions about how to patch if that is needed. Why not run it right away!

Micke

PS. Some definitions: (Source: Wikipedia)

Vulnerability
“In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance.”

Exploit
“An exploit (from the verb to exploit, in the meaning of using something to one’s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behaviour to occur on computer software, hardware, or something electronic (usually computerised).”

Patch
“A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.”

Share this

One in ten – sounds like a lot, but what does this mean in practice?

One of our product managers illustrated the significance of a high threat detection rate with a practical example. On average, an employee faces two malware per year (depending on the Internet usage profile of the users and the other layers of the protection, of course). In a company of 500 employees, with a detection rate of 92%, 80 infections in total will pass the traditional malware protection. If the detection rate is 99%, only 10 attacks out of one thousand will succeed. A minor difference in percentage points can make up a major difference in practice.

With this in mind, we believe that detection rate is a key factor in the value of security.

With businesses spending sizable sums of money to clean up damage from malware, high malware detection rates take on greater importance. Have you ever wondered how much it costs to have your business down for one day? Companies are not only spending for malware cleanup, but costs are also incurred as a result of lost productivity, loss of data (such as trade secrets, intellectual property and private customer data), investigation, and post-incident management. And how about your company’s reputation – how much is it worth? Add all these together, and malware that has gone undetected can have serious ramifications to a business. And that’s exactly why even a one percent higher detection rate can save thousands.

Recent examples of attacks with possibly multifold consequences include the patient records of an Australian medical centre held to ransom, as well as Internet advertising network NetSeer suffering a hack that also affected any Web page that included an ad served from NetSeer’s servers – among others several high profile Web sites and news agencies. And these are only a tiny fraction of all the examples out there.

Cyber attacks are not only costly to large enterprises, but also affect small and medium sized businesses (SMBs). Small firms are increasingly popular targets for attacks, as they are not as likely to be adequately protected. In fact, according to Verizon 2012 Data Breach Investigation Report, 79% of data breach victims from the past year were targets of attacks mainly because they were found to possess an exploitable weakness rather than because they were pre-identified targets. In addition, the same study states that victims don’t usually discover their own incidents, but they’re typically discovered by third parties only weeks or months after the initial instance – when significant damage has already been done.

To stay on top of the latest threats, we are launching F-Secure Client Security 10 that provides proactive protection for corporate desktops and laptops. It offers enhanced security with DeepGuard 4 threat detection technology that has been tested by AV-TEST with top-notch scores against new malware. In these independent tests for preventing new “zero-day” malware attacks, DeepGuard 4 performs at 98 to 100%, while the industry average hovers around 90 percent.

So why does detection rate matter? The answer is simple: even a single incident can be one too many.

And that’s why our aim is to “Protect the Irreplaceable.”

Share this

This time of the year is always interesting. It is the time when Labs looks back on the past half-year to summarize what has happened in the threat landscape. I can proudly announce that the report for H2 2012 has been published and is free for you to download and read!

The report is once again packed with highly interesting reading on the threats that we all face when using the net. And this report is not just a repetition of what has been published in the media. A compilation like this makes it easier to spot the trends and the big picture. Thanks guys for putting it all together! And of course for the continuous research effort that it is based on. (I’m not going to list all the names here, the full list of contributors can be found in the report.)

Here’s some teasers…

Botnets. ZeroAccess was easily the most prevalent botnet we saw in 2012, with infections most visible in France, United States and Sweden. It is also one of the most actively developed and perhaps the most profitable botnet of last year. Read more about ZeroAccess and botnets in general at page 15 – 20.

Exploits. Java was the main target for most of the exploit-based attacks we saw during the past half year. This is aptly demonstrated in the statistics for the top 10 most prevalent detections recorded by our cloud lookup systems. Learn more about exploits at page 25-27.

Banking trojans. With regards to banking-trojans, a botnet known as Zeus—which is also the name for the malware used to infect the user’s machines—is the main story for 2012. Browse to page 21-24 to read how the traditional way to rob a bank has become hopelessly old-fashioned.

The web. Common sense is still important when surfing, but it is becoming increasingly difficult to spot the dangerous places. Ad-networks are integrated in an increasing number of sites and can distribute malware through web portals that should be trustworthy. More about the web’s dangerous places at page 28-31.

Mobile devices. Did you know that there is malware on all commonly used mobile platforms? But Android has the questionable honor to lead the pack, and the others are far behind. The full story is on page 35-37.

The threat report covers all this and a lot more. Why not make sure that you are up to date on the threat scenario by continuing to the report. It is highly recommended reading.

Micke

Share this

The Rapid Expansion of the Cloud Space infographic

From gigabytes to terabytes to petabytes, the cloud is expanding and F-Secure is a leader in with 5 data centers on 3 continents. We secure content for millions of customers around the globe and our cloud is expanding every minute of every day.

We’ll be at the 2013 GSMA Mobile World Congress in Barcelona from February 25 through 28 to show off all of our solutions including F-Secure Content Anywhere, our flagship solution for mobile and broadband operators. F-Secure’s Personal Content Cloud enables consumers to store, sync, access and share their photos, videos, documents and other files safely anywhere, from any device.

68% of consumers are concerned about third parties gaining access to their content due to vulnerabilities in cloud storage providers’ technology, and 42% feel they are losing control of their content.*

That’s why over 100 operators around the world turn to F-Secure for security and content cloud solutions. They know they with us customers private content stays private and protected.

The content we store is scanned only for malware — never for marketing analytics and profiling.

We believe that by providing the safest personal cloud possible, F-Secure will help millions more of the 61% of broadband users who looking forward to being able to store, sync, access and share their digital lives through the cloud.

Cheers,

Sandra

*The F-Secure broadband survey covered web interviews of 6,400 broadband subscribers aged 20–60 years from 14 countries: France, the UK, Germany, Sweden, Finland, Italy, Spain, the Netherlands, Belgium, USA, Canada, Brazil, India and Japan. The survey was completed by GfK, 25 May–1 June 2012.

Share this

Last Wednesday marked the beginning of our first lecture at the Aalto University (Espoo campus) in Finland for our Reverse Engineering Malware course for the spring 2013 semester. This course expands and continues F-Secure’s longstanding efforts to promote education in information security, which started in 2008 with a course in Malware Analysis and Antivirus Technologies with the Helsinki University of Technology.

Aalto University’s Reverse Engineering Malware course is taught by security researchers from our Security Lab in Helsinki. The program teaches students about what malicious code is, how it can be analyzed, and how to reverse engineer executable code for different platforms, such as Windows and Android.

Towards the end of the course, students are also exposed to more advanced topics, such as understanding the latest techniques in binary obfuscation and exploits. The syllabus is designed to encourage a very hands-on approach to learning reverse engineering. Our security researchers personally craft exercises and lab assignments to help students gain an understanding of how malicious code works, for example by looking for hidden messages in the code (with keys to help them to achieve the goal of the exercise, as seen in the example below).

Do note that F-Secure does not use or write real world malware in our academic courses.  F-Secure strives to positively motivate programmers and includes modules that cover topics like ethics and legal issues in the course to encourage them to use their skills for a good cause – helping to protect the end user.

Over the other side of the world in Kuala Lumpur, Malaysia, where our other Security Lab is located to cater for the Asia Pacific region, we are partnering with Monash University (Sunway Campus) for the first time to develop a similar Malware Analysis syllabus, with a greater focus on the Android platform. The growing dominance of the Android platform in the smartphone market has also led to a tremendous growth in malware targeting devices using that operating system.

In conjunction with the lecturers from the School of Information Technology of the Sunway campus, and several security researchers from F-Secure’s Kuala Lumpur Security Lab, we are developing the syllabus from the ground up with brand new lecture and lab materials to help students whom are active in the security field gain a broader perspective of this field, as well as develop the specialized skills needed for analyzing malware.  Subjects and techniques covered in the lectures and lab sessions include, among others interesting topics, understanding the Android security framework, the operating and file systems, static and dynamic analysis of malware.

For those who are interested in understanding executable code inside out (literally) and are passionate about security, this is definitely the course for you! You can follow along on the Labs’ weblog for updates.

Share this

Have you ever wondered if that machine that gives you cash make also be swiping some? Do you know how to tell if an ATM skimmer has been adding to a banking machine? Are you using your primary bank account when you travel?

Then you need to watch this.

Our Mikko Hypponen and Sean Sullivan from the F-Secure Labs explain the risks you face when using an unfamiliar ATM.

Share this

You may have heard about Storify. A new tool that you can use to publish private conversations in Facebook. Scary, isn’t it? Or that’s at least the angle many headlines take. But the full picture is a lot less dramatic. In fact, Storify does not enable you to do anything that you couldn’t do before, it just makes it easier. And it is an excellent reminder about the risks with so called private messages.

Most legislations provide a fairly high level of protection for messages in transit. The goal is to prevent 3^rd parties from eavesdropping and tampering with the messages. But what many forget is that the parties involved in the communication have rights to use the message. It means that the recipient has fairly free hands to use what you write as soon as the message hits the inbox. Your only protection is really your trust in the other part. You may write things that both parties understand should remain private, and it may be sufficient protection today. But what about the future? We all know that trust can change. Many who have gone through a divorce know that the person you trust the most of all may become your worst enemy.

So what about Facebook and Storify? It’s just a good reminder about what can happen to “private” messages. The same threat exists in any kind of messaging service. Not only on the Internet, phone calls can be recorded and misused as well. Letters on paper can be copied, scanned and published. Facebook didn’t provide tools for publishing private messages, but that never prevented users from using copy-paste or taking screenshots of the messages. And our good old e-mail is no better. It has a button called Forward for this purpose.

The only thing that can protect you from this kind of leaks is to not write things that would be embarrassing if published. Be polite and adopt a no-nonsense attitude even in private communications. Think twice before reveling secrets over electronic communication systems. Even if you use encryption it only protects you against 3^rd parties, not against the recipient. And last but not least. Do not turn your friends into enemies. That’s probably the biggest reason for leaked private messages.

Micke

Photo by Sam Catanzaro @ Flickr

Share this

Mikko Hypponen and Sean Sullivan from the F-Secure Labs recently sat down to answer some questions on online banking security from our F-Secure Community. The first question dealt with remembering strong passwords. They recommended a password manager, pass-phrases and simpler passwords for less critical accounts.

Here’s a system we recommend to create strong passwords you can remember for you most critical accounts.

More answers are coming soon or you can treat yourself to them all now.

Share this

Stop! You should always stop and think when an unknown website asks for your mobile phone number (well, actually when asked for any kind of personal information). Knowing your number is the key prerequisite for someone who want to scam you with premium rate text messages. Ask yourself the following questions when you encounter a page like this:

• In what way do I benefit from giving my phone number to this organization? Do they have a valid reason to reach me by phone?
• Do I know this organization and is it trustworthy? Do I even know what organization I am dealing with?
• Am I accepting legal terms when submitting my number? Have I read them and did I understand them?
• Do I need to participate at all? Can I live without the opportunity to win an iPod, or whatever they offer me?

Most people already know that one should be careful when entering mail addresses at fishy websites. Your junk mail folder may start to fill up much faster than before. But what about your mobile phone number? It’s easy to forget that the mobile number is a key to a billing system. It can be a lot more harmful if it gets in the wrong hands. You may get an unpleasant surprise in the next phone bill.

How does the scam work? Someone puts up a web page where you can sign up for anything that sounds interesting. A lottery is a typical example. Your phone number is required as part of your personal information. And you are of course keen to get it right as you want to make sure they can reach you if you win. There’s also the usual checkbox indicating that you accept the terms, but who cares about those legal details?

Well, you should care. Somewhere deep down in the terms there is a paragraph where you agree to receive informational text messages, or whatever they are called, for a price that can be several Euros each. Yes, that’s right. The billing system of our mobile phones supports messages that are paid by the recipient. This scheme is not even illegal as you have agreed to receive them. And needless to say, the sender is impossible to reach if you change your mind and want to terminate the agreement.

You should leave out your phone number or steer clear of the site if you have any doubts about it. If the organization isn’t trusted, but you still feel that you really have to participate, get familiar with the legal terms. Yes, I really mean reading them!

Another variant of the scam is to send you an unexpected text message that invites you to a quiz, a lottery or something else. Responding to the message means in practice that you sign up to the scam.

So what about Frankfurt? Well, the page asking for my phone number was pretty nicely designed. It looked legit. But there was a legal document that users must accept. So I decided to not use the network. It’s much nicer to spend the remaining 20 minutes before departure reading a good book about sailing in the Mediterranean than reading legal terms.

Micke

PS. I’m of course not claiming that the Frankfurt network login is a scam. The point is that I can’t know for sure, and I don’t have to take the risk as the benefit I could have gained was very small.

Photo by whiteafrican @ Flickr

Share this

A few years ago, its growth seemed unsustainable. Everyone assumed that some other social network would eventually rise up to replace it as had happened to its precursors Friendster and Myspace. And its privacy controls felt purposely confusing.

Now, with more than a billion active users, the site is still growing. Its biggest competitor is Google+, which is isn’t setting the world on fire yet. And it finally has privacy controls that the average user has some hope of understanding.

Why is Facebook finally offering privacy settings that make sense?

Because they’re about to start using your information in new ways that may make you squirm.

You may have already taken Facebook’s tour of the new settings. If you haven’t, you should then consider these 3 recommendations to take control of your profile.

Find this  near the upper right hand corner, click on it and select “See more settings” at the bottom of the menu that pops up.

You’ll see this screen:

1. Use “friends” as a default.
Under “Who can see my stuff?” you’ll see “Who can see my future posts?” Unless you have a good reason, go with “Friends”. This will save you from having to backtrack and change the settings on something you didn’t want to get out. Of course, your friends can still share what you put out — as Facebook founder Mark Zuckerberg’s sister Randi learned — so keep in mind that anything you put on Facebook could end up on the front of a newspaper. Also consider using “Friends” as the setting for “Who can look you up using the email address or phone number you provided? and “Who can look up your timeline by name?”

Facebook is going to be making more and more of your information easily accessible. While it’s smart to consider that anything you post on Facebook could easily made public, you may want to restrict what information strangers can easily browse through.

2.  Do not let other search engines link to your profile.
Unless you use your Facebook profile as a professional tool, you probably don’t want it to be one of the first things people find when they search your name. So we recommend selecting “off” for “Do you want other search engines to link to your timeline?”

3. Turn of “tag review”.
Next click  on Timeline and Tagging on the left menu.

You’ll see this screen:

Most people want to allow friends to post on your wall but if protecting your images is your priority, you may want to make it available only for you. Either way, it’s a good idea to select “friends” for “Who can see what others post on your timeline?” This will prevent strangers or even potential mates or employers happening to catch your page right as a friend posted some hilariously sick image on your timeline.

We recommend you turn on “Review posts friends tag you in before they appear on your timeline?” This won’t stop your friends from tagging you in something embarrassing but it will stop it from showing up on your wall if they do.

We definitely recommend you enable “Review tags people add to your own posts before the tags appear on Facebook?” This so called tag review will keep you from being in ridiculous tagged pictures or posts that show up in search results.

If you don’t want to be tagged much or don’t like the idea of photo recognition, you may want to select “No one” for “Who sees tag suggestions when photos that look like you are uploaded?”

That’s a good start. Next time, we’ll walk through Facebook’s security settings.

Jason

Share this

We’re proud to be featured in The Forrester Wave™, Endpoint Security Q1 2013 as top-ranked in Strategy. Forrester Research Inc. called us a Strong Performer and gave us the highest score among all vendors for our product roadmap and strategy.

What makes our approach to securing the workplace so appealing is that we don’t see ourselves just offering our clients security software—we take away the worry of securing your office and let our professionals do the job. I recently had a discussion with an end customer of ours in the media industry. He told me that he’s not really interested in what happens in the background and how our products work – he only wants to know that the level of protection is sufficient. And this is not a unique case; we’ve heard the same story from many of our customers.

This simple, breakthrough approach also makes it easier and more affordable to deploy the award-winning security we’ve been providing for more than two decades.

“We think this vision is closely aligned with the bigger climate change where IT all over the world is moving to procuring services rather than products,” Forrester said.

Forrester also praised our rootkit detection and DeepGuard, which we’re especially proud of. Deepguard anticipates threats using heuristical, behavioral and reputation-based technologies.

The other morning when I was commuting to the office in freezing cold weather, I started thinking about layered protection – a term we use to describe the way our protection technology is built. Security is a bit like weather; we forecast it to be able to be prepared. And the colder it gets, the more layers we need to protect us. It is not always that we need all the layers we’ve got at the back of our closet, but we still need to have them come the winter frosts – and the same logic goes for the different layers included in our security products.

Just as clothing companies develop better materials, we continuously develop new technologies to protect our customers

Forrester credited our Labs’ research and gave our Client Security credit for performance, anti-malware detection and customer feedback.

The best news is that they evaluated us even before our new Software Updater tool, which makes it easy to keep your network patched and protected, was released. And that’s a big part of how we try to be smart—by always improving.

Here are some of our tips on securing your business network. And you can find out more about our corporate service portfolio here.

[Photo by Sean MacEntee via Flickr]

Share this

If you’re on the Internet, you’re probably being monitored. If you’re using a free service, you’re giving up some of your privacy as a payment. If you post something online, you have to assume that it could easily be shared with anyone with an Internet connection.

But that doesn’t mean you have to give up your privacy when you turn on your PC or phone. Here are 5 basic resolutions that will help you make sure that prying eyes can’t get easy access to your data online.

1. I will have a strong, unique password for every account that contains private information.
If you’re super concerned about protecting your privacy, you’ll use unique, unguessable passwords for all your accounts and update them 3-4 times a year. For your most important accounts, this is essential. But for your webmail, banking and Facebook accounts, if you have them, good password hygiene is a must. Here’s a system to create strong passwords you’ll remember.

2. I will go “Friends only” on Facebook.
Sharing your digital life with your friends only won’t guarantee your privacy — ask Randi Zuckerberg. But it will help limit your potential leakage from private to public. Facebook isn’t completely private, of course, ever. But if you want to share everything, Twitter or a blog are probably better options.

3. If I use Gmail, I will turn on two-factor authentication.
If you use your Gmail for business, the extra-layer of security of two-factor authentication is essential. Just make sure that your phone also has some sort of anti-theft or Find My iPhone app installed in case a thief gets ahold of your device. You may also want to clear your Google history, if you’re not interested in that existing.

4. I will log out of any account I’m not using and lock my PC and phone when it’s not in use.
This is just good common sense that I personally ignore on a regular basis. Not in 2013! It reduces how you’ll be tracked, it makes it less likely your own accounts will be used against you.

5. I will keep my software updated.
Our smartphones and PCs are actually quite secure if we keep them patched and protected with update system and security software. This, as you know, can be time consuming, so I’ll update as they come up and for my PC, I’ll use F-Secure’s free Health Check.

Happy 2013,

Jason

[Photo by Triple Tri]

Share this

Here are a few suggestions to help you get off to a safe start from the moment you’ve got your system up and running.

PC–Laptop or Desktop

1. Make sure you’re running the most up to date software.
There have likely been several system updates since your hardware was packaged and you opened it. Hopefully your system updated itself or prompted you to update as you installed. But it’s always a good idea to double check. You can do go to Windows Update for your Windows machine. On a Mac, just click on the apple in the top left of your desktop and select, Software Update. You also want to make sure your other software is current and isn’t leaving some hole that can be exploited by an online criminal. You can update each program one-by-one or use our free Health Check.

2. Install security software.
Of course, as company that’s been protecting computers for 25 years, we believe security software including anti-virus is crucial. But don’t just take our word for it. Most, if not all, law enforcement agencies, governments and experts agree that you need security software if you’re planning to use the Internet. So if you aren’t going to use our award-winning Internet Security–which we invite you to try for free–please use another.

3. Choose a backup.Yes, we’re also in the backup business because we believe it’s essential to safe, smart computing. But if you aren’t going to use our Online Backup, you can use an external hard drive, DVDs or some other backup solution. But as our Mikko Hypponen demonstrated in his TED Talk, a reliable backup can save the day.

You may also want to: Uninstall all the programs that came on your PC as promotions if you know you won’t be using them. If you’re super security conscious, you should also disable all your Java plug-ins or make sure they never get enabled–unless you need them.

Smartphone or Tablet

After you’ve registered your accounts and synced your phone when possible, your mobile device is a lot like your PC.

1. Install mobile security.
We also offer Mobile Security for Android that protects your smartphone and tablet from bad apps and scams that are even more tricky on mobile browsers. Some say Android is replacing Windows as the number one target of online criminals–if that happens, it will be the result of too many people not protecting their phones.

Sorry, there’s no iPhone mobile security available yet because Apple isn’t allowing anyone to develop such apps and is relying on keeping bad guys out with its well-policed app store. But if you do not jailbreak your iPhone, it will likely be safe from bad apps.

2. Choose a backup.
You can choose from a variety of backup services for your smartphone, which as you know soon fills up with irreplaceable content. You can also backup by dragging and dropping your content to your backed up PC whenever you dock your phone.  Set up your Android to save your settings regardless of what happens to your device. Just go to Settings > Privacy, and make sure that “Back up my settings” and “Automatic restore” are checked off.

3. Install Anti-Theft.
It just makes sense that you’re more likely to misplace your phone or tablet than your PC. But it’s also simple to track your device and protect your data if it falls out of your hands. We offer free Anti-Theft. Apple offers a Find My iPhone app for free.

4. Stick to Official App Stores.
If you get your apps from the official Google Play or ITunes store, you will likely never deal with a malicious app. Be sure to check user reviews and stick with software that has a proven record.

Enjoy your new toy!

Sandra

Share this

I love this grainy, quirky picture. I emailed it to my wife. I Facebooked it. I tweeted it.

I love it so much that I brought it to my local photo lab to be blown up so I could frame it and put it on my wall. Unfortunately, the resolution is so low that it’s hardly worth the print, let alone the frame.

The picture was taken with my iPhone, which is handy to catch perfect poses like this. This method is great for capturing digital images to share but they just don’t transfer into the real world all that well.

So here are two quick tips to make sure the irreplaceable images you create this holiday season.

1. Make sure you capture the images you want to turn into actual printed images on photo paper are taken with a high-resolution camera, meaning NOT your smartphone.

2. Keep a backup of all your images–high quality or not–somewhere outside of your home in case damage to your equipment and even your storage disks.

Facebook is probably better than nothing but you probably don’t share every image you want to keep. You can try our Online Backup for free.

Cheers,

Jason

Share this

1. The end of the Internet as we know it?
“Depending on the outcome of an important conference taking place now in Dubai, a lot of things could happen in 2013,” says Sean Sullivan, Security Advisor at F-Secure Labs.That event, the World Conference on International Telecommunications, could have a major impact on the Internet as we know it. “The Internet could break up into a series of smaller Internets,” Sullivansays. “Or it may start to be funded differently, with big content providers like Facebook and Google/YouTube having to pay taxes for the content they deliver.”

The WCIT event is a meeting convened by the International Telecommunication Union (ITU) to finalize changes to the International Telecommunications Regulations treaty. In attendance are regulators representing governments from around the world, not all of whom are interested in Internet freedom. There is concern that some regimes would want to shift control of the Internet “from the geeks, and give it to governments,” as Sullivan puts it. New measures are also being proposed in the name of Internet security that privacy advocates suggest would mean the end of anonymity on the Internet.

2. Leaks will reveal more government-sponsored espionage tools
“It’s clear from past leaks about Stuxnet, Flame, and Gauss that the cyber arms race is well underway,” says Mikko Hypponen, Chief Research Officer at F-Secure Labs. While we may not always be aware of nation-states’ covert cyber operations, we can expect that governments are more and more involved in such activity. In 2013, we’ll most likely see more leaks that definitively demonstrate this, and from countries who haven’t previously been seen as a source of attacks. As the arms race heats up, the odds of leaks increase.

3. Commoditization of mobile malware will increase
The Android operating system has solidified in a way that previous mobile operating systems haven’t, extending from phones to tablets to TVs to specialized versions of tablets. The more ubitiquous it becomes, “the easier to build malware on top of it and the more opportunities for criminals to innovate businesswise,” Sullivan says. Mobile malware will become more commoditized, with cybercriminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.

4. Another malware outbreak will hit the Mac world
2011 saw scareware called Mac Defender, and in 2012 Flashback took advantage of flaws in Java. The Labs predict 2013 will bring another Mac malware outbreak that will have some success within the Mac community.

“The author of the Flashback Trojan is still at large and is rumored to be working on something else,” Sullivan says. “And while there have been smart security changes to the Mac OS, there’s a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak.”

5. Smart TVs will become a hacker target
Smart TVs are plugged into the Internet, they’ve got processing power, and since they typically aren’t equipped with security, they’re wide open to attacks. Adding to their vulnerability is that unlike home computers, many smart TVs are directly connected to the Internet without the buffer of a router, which deflects unsolicited traffic. Also, consumers often don’t change the factory default username and password that have been set for web administration, giving easy access to hackers.

“It’s very easy for hackers to scan for smart TVs on the Internet,” says Sullivan. “When found, they only need to use the default username and password, and they’re in.” 2012 already witnessed LightAidra, a breed of malware that infected set top boxes. 2013 could see smart TVs being used for such purposes as click fraud, Bitcoin mining, and DDoS attacks.

6. Mobile spy software will go mainstream
2013 may see a rise in popularity of tracking software, and not just for parental control purposes. There has already been growth in child safety apps that monitor kids’ activities, for example, their Facebook behavior. “Of course this kind of software can also be used to spy on anyone, not just kids,” Sullivan says. “The more smartphones there are, the more people will be seeking out software like this – to find out what their ex is up to, for example.”

7. Free tablets will be offered to prime content customers
Tablets and e-readers are all the rage, and more and more often in closed ecosystems such as the iPad with iTunes or the Kindle with Amazon. As the Kindle price keeps dropping, the Labs predict that 2013 may bring a free e-reader or tablet for prime customers of companies who charge for content, like Amazon or Barnes & Noble. “Closed ecosystems are more secure, but you have to trust the provider to protect your privacy,” says Sullivan.

For ongoing analysis from the F-Secure Labs, follow News from the Lab.

Share this

85% of people who bank online are afraid of conducting transactions via public PCs or via open wireless network because of 21st century bank robbers.

Share this

This sweepstakes is now closed. Be sure to ‘like’ us on Facebook for more giveaways and Internet safety tips.

Holiday shopping is underway so we thought now was the perfect time to remind you that safe shopping leads to merry celebrations. Every year we release a list of the Most Dangerous Gifts for shoppers in the U.S. that always includes some safe shopping tips that are good for shoppers all over the world. They are:

• Visit retailers’ websites directly if possible (e.g., www.amazon.com vs. searching ‘Amazon’ on Google)
• Use Internet security software that features browsing protection (or check links with F-Secure’s free Browsing Protection)
• Always check a site’s URL before making any purchase (look to make sure you’re at the correct online store and that the page URL begins with https://, which means it’s secure)

You should also keep an eye on any credit card account you use for online shopping and your bank account on a regular basis to make sure all the transactions are correct.

To celebrate what we call the Safe Shopping Season we’re giving away a Nexus 10 tablet 16 GB with F-Secure Mobile Security.

All you have to do is answer the following question in the comments of this post: Do you plan on doing more shopping this holiday online and offline?

Just read the rules for this sweepstakes and post your answer below for your chance to win.

WANT AN EXTRA CHANCE TO WIN? Take this quick survey then post in an additional comment that says “SURVEY COMPLETED.”

Cheers,

Sandra

[CC image by Dave416]

Share this

However, this convenience serves only as further motivation for cybercriminals targeting unassuming shoppers as they use search engines to find gifts for their loved ones. Google search results for products often include links to ‘poisoned’ sites, or malicious websites that can infect an unsecured computer or smartphone with viruses, worms and other malware, putting one’s personal and financial information at risk.

The more popular an item is, the more likely it will attract a dangerous search result, which could lead to malware or an unreliable merchant. Here are the products we anticipate will be targeted by cybercriminals this holiday season:

1. Nintendo Wii U – Available as of this past weekend, the Wii U is expected to be a big seller like the original Wii, which was sold out for nearly an entire year after its launch
2. Kindle Fire HD – Tablets are all the rage right now, and a $199 sets this 7” to sell big, with some predicting that the Kindle Fire HD will outsell the iPad mini by two to one
3. iPad mini– This budget-friendly Apple tablet is flying off the shelves, with it taking just minutes for the white iPad Mini to sell out at its initial launch
4. Hot video game titles – New titles like Halo 4 and COD Black Ops 2 are shattering sales records. In fact, Halo 4 raked in $220 million in its first day on the shelves
5. Pre-sale tickets for The Hobbit – Scheduled to come out December 18, pre-sale tickets for this great stocking stuffer are already going fast
6. Windows 8 Certification–With the launch of Microsoft’s Windows 8 software has come a flurry of interest in computer monitors and PCs that boast certification rights
7. iPhone 5 / Samsung Galaxy 3– It is predicted that this December quarter, Apple will sell 46 million iPhones, and with retailers already advertising Black Friday deals of nearly 75 percent off on the Samsung Galaxy 3, both smartphones will be in demand
8. Touchscreen gloves – We expect the overall demand for touch devices to drive the sale of related accessories
9. Furby – Remember this furry little creature that created utter chaos back in the 90’s – well he’s all any kid can talk about for this holiday season
10. Breaking Dawn DVD– With Breaking Dawn 2 experiencing a $30.4 million opening, the first Breaking Dawn DVD and other Twilight movies will be popular stocking stuffers

Here are three tips from F-Secure to ensure you stay safe while shopping online this Cyber Monday, and throughout the 2012 holiday season:

• Visit retailers’ websites directly if possible (e.g., www.amazon.com vs. searching ‘Amazon’ on Google)
• Use Internet security software that features browsing protection (or check links with F-Secure’s free Browsing Protection)
• Always check a site’s URL before making any purchase (look to make sure you’re at the correct online store and that the page URL begins with https://, which means it’s secure)

For more advice on staying safe online, including our tips for protecting credit card information while online shopping.

F-Secure’s list of the ‘most dangerous gifts’ was compiled based on market analyst data and gift list inclusions. An analysis of Google Trends has shown items on this list are positioned to spike in search volume during this holiday season.

Cheers,

Sandra

Share this

We stopped and I took a photo of my husband and son with him. That done, we proceeded along to the supermarket to do our Saturday grocery shopping.

Some minutes later it hit me. We had just met the prime minister, the most powerful man in Finland. I should have shaken his hand. And why hadn’t I gotten in the photo too? The significance of meeting this dignitary had been completely lost on me!

The thing was, it was so low key. There was no big fuss about it. People were mostly going about their business. There was no heavy security detail, no men in black suits and sunglasses. And the prime minister himself, Jyrki Katainen, had looked so ordinary. Casually dressed, he could have been any other shopper that day.

But he wasn’t any other shopper. He was the head of the Republic of Finland, out campaigning for his party (municipal elections were the following day).

It was a completely different experience from the other time I saw a head of government. In 1996 President Clinton came through my hometown on his re-election campaign. I remember the excitement. Thousands of people stood thronged around the stage. It took quite a while for my cousins and I to weave our way to the front of the crowd, where a rope separated the mass of people from the president. My cousin, who was bolder than I, stretched out far enough to shake his hand. And you can bet there was security.

The laid-back encounter with Prime Minister Katainen got me thinking about security in the real world versus the online world. In the real world, the need for security varies depending on the population, economics, social problems, et cetera, of where you are. It’s apparently pretty easy for Katainen to get around in this quiet northern country of 5.4 million people. But in many countries with higher populations and less egalitarianism than Finland, top government officials must travel with an elaborate entourage.

In the online world however, threats are not bound by geography. Hackers use the information superhighway to get them anywhere in the world they want to go, in milliseconds. They can, for example, steal personal data, spread viruses, infiltrate bank accounts, and turn computers into robots that do their bidding, all from the comfort of their own home. So hackers in Wherever-ia aren’t just that country’s problem – they’re everyone’s problem.

Comprehensive Internet security is a must, whether you’re in a small, relatively safe country like Finland, a populous nation like the USA, or whether you use a Mac or a PC. And wherever, whoever you are, there’s protection for you.

Share this

The fact is that the average Facebook user has over 120 friends and likes another 100 groups or pages.

This means the news feed generally moves very quickly pushing down updates almost immediately. In an effort to improve engagement, Facebook has developed Edgerank which pushes the updates your most likely to engage with to the top of your feed. It also pushes Promoted Posts to the top, to monetize the tremendous amount of time about a billion people around the world spend on the site. If you don’t interact with a friend or a page, you’ll eventually stop seeing their posts in your feed.

Facebook isn’t like email. You can’t expect every friend to see every post. Depending on how many friends you have and how active they are, they are probably much more likely to see your status update than a tweet—which fly, by usually only seen by a tiny fraction of your followers.

Cuban’s main complaint is that Facebook doesn’t understand what its business is. He says the site is a “time waster” like television. For that reason, he thinks users would be better are determining what they’d like to engage with than Facebook is—if the site would only make it easier to “unlike” things and sort through the feed.

Cuban is right about what the site’s value is—a way to pass time enjoyably. But it does offer a more authentic, unique, interactive experience than TV in that it makes your friends and family your entertainment. If relationships are easily made and broken the site becomes a little less like life. It’s that relationship to reality that gives Facebook its advantage over old media. Still the accumulation of likes and relationships on the site creates your experience but it also makes it messier and less enjoyable if you aren’t getting to the good stuff fast.

In a recent survey we found that about 6 out of 10 Facebook users think the site as good or better than it has been. That left 4 out of 10 who think it’s worse.

So does Marc Cuban have a point? Could you do a better job managing your feed than Facebook?

The reason the site has taken it upon its self to manage our feeds is because it knows that most people won’t take the time to do so. They’ll just stop using when it gets boring.

But if you’re reading this, you care more than the average user. So here are a few suggestions to improve your Facebook experience.

1. Unlike, unlike, unlike.
If you’re on Facebook and see something that annoys you—like spam or a not safe for work posting, go ahead and unlike the person or page. It takes a second, you have to go to profile, click on the wheel thing and select “Unfriend” or “Unlike”. You can always reconnect later. But unless you get in the practice or trimming your feed, you’re never going to improve your experience.

2. Switch your feed view from “Top Stories” to “Most Recent”.
This won’t guarantee that you’ll see all the posts from all your friends in linear order. Facebook’s algorithm seems to make that impossible. But it will prevent Facebook from controlling your feed entirely.

3. Use “Close Friends”.
On the left-hand column of your Facebook feed, you’ll see a Friends category. You may have to click on “More” to get to it. Click on “Close Friends” and Facebook will give you suggestions on who to add to this list. Only add the people you’re most interested in following. This won’t improve your feed, but Facebook will give you a notification when one of your favorite friends post. With this feature, you don’t need to worry about missing the posts from the people you care about most.

Cheers,

Jason

Share this

This is a guest post from Klas, an F-Secure expert. Enjoy!

You read about it in the news all the time these days: “Zeus Banking Trojan steals $1 million from U.K bank accounts”or “SpyEye: New PC virus steals your money!”

More and more people are doing their banking online and criminals go where the money is. It is clear that malware designed to steal money from online banks has become a real and actual threat.

Creating  banking trojans, unfortunately, is now pretty easy. There are ready made toolkits that criminals without the technical know-how can buy in order to create their own variant. A few clicks and the criminal has created his own personal piece of nastiness, designed to steal money from specific banks or accounts. Malware-as-a-service as our own Mikko Hyppönen put it.

So what exactly is a Banking Trojan? As with any other Trojan, it is a program that has been installed to your computer one way or another without you knowing its real purpose. Once there, it simply waits quietly in the background until you access your online bank. It will then start recording the information that you enter and send it back to criminals. It can now do automatic transactions in the background or alter the information that you see in order to buy time for the attacker to use your bank credentials for fraudulent transactions. Once the criminal has gotten your bank details there is no knowing what he or she can do.

So how to you protect yourself?

Here are 4 ways to make sure that when you bank on your PC, it’s as safe as it can possibly be.

1. Keep your operating system updated.
Think of your operating system as the walls around your house that keeps developing holes. Luckily, the maker of the wall will keep patching the holes. All you have to do is update your system software. You can do this on your Windows PC by going to windowsupdate.microsoft.com. On your Mac, you can go to the Apple menu and selecting “Software Update.”

2. Keep your software updated.
The programs on your PC also develop vulnerabilities that need to be patched or you may allow criminals a foothold into your life. You can update each application individually or you can use our free Health Check, which checks all of your major applications and your operating system to make sure they’re patched and protected.

3. Don’t click on links in emails from your bank.
It’s a good idea not to click on links in an email unless you specifically asked for it, such as a password refresh. A common practices is to spoof a bank’s look and send a scam email to thousands of recipients hoping to find a few that use the bank. You can avoid this by going to your bank’s site directly and calling them if you have a question.

4. Use Internet Security that has banking protection.
F-Secure’s Banking Protection automatically detects when you’re visiting an online bank. It notifies you that additional Banking Protection is enabled and adds an extra layer of security by only allowing access to banks or trusted sites that are necessary to do online banking. All other new connections will be prevented. In other words, there is no possibility for the attacker to get your bank details. Once you’re finished with your online banking, you simply end the Banking Protection mode and everything is back to normal. Sort of like unbuckling your safety belt when you’ve reached your destination. And no extra apps, plug-ins, or special browsers are required.

Banking Protection is a part of F-Secure Internet Security 2013 and works together with all the other security layers. All existing users of F-Secure Internet Security 2013 will receive Banking Protection as an automatic update in the first quarter of 2013, and those who do not want to wait can download the update now.

You can find out more about our new Banking Protection here.

We hope you enjoy the protection!

Image credit: MoneyBlogNewz

Share this

Browse more infographics.

From jet packs to underwater cars, Bond movies have featured some technology that’s more fun than practical–at least so far. However, mobile phones and fingerprint security devices also turned up in Bond films before they existed in real life.

What’s your favorite Bond movie gadget? Let us know in the comments.

Share this

Keeping up with these changing tactics is a job for the F-Secure Labs—not you. But there are some basic precautions you can and must take so that way the expert virus hunters know can be used to protect your company’s irreplaceable assets.

1. Never reuse your work passwords for personal accounts.
You need to make sure your work passwords are strong, reasonable for you to remember and unique! The last thing you want is a Facebook or webmail hack to lead to a compromise of your work network. Also avoid using your work email for personal accounts.

2. Use a separate browser for work and web browsing.
This is good for both focus and security reasons. If you do any banking for work or use any secure credentials do it all in one browser such as Chrome or Firefox. Then use another browser for research or personal communications to minimize the chances of compromising your company data.

3. Always lock your PC when you’re not in front of it.
This piece of advice almost goes without saying but we have to remind you that an unlocked PC should be thought of like an open wallet. You probably wouldn’t ever walk away with that in plain sight, would you?

4. Make sure you’re running the latest versions of all your software.
Yes, that’s all your software, like operating systems, plugins such as Flash and Java, Microsoft Office and any browsers in use – not just security software. However, keeping up with software updates can be a time-consuming, costly process. Our new Software Updater feature makes this easy.

5.  Be sure your organization has solid security product coverage on all layers of your IT environment, from laptops and desktops to servers and mobiles.
In case you’re unsure of how to stay protected or lack the resources for it, find an expert who can guide you through security issues and knows the dangers out there.

We believe that keeping your organization secure doesn’t have to be time consuming or difficult. With the right solution and the right partner, you can devote your time and resources to your commercial priorities – without compromising on security.

Cheers,

Emma

Share this

President Ilves was recently named by TechCrunch one of 20 Most Innovative People In Democracy 2012. He and President Barack Obama were the only two elected leaders on the list. They called Estonia, ” the most technologically advanced democracy on Earth.”

Why? “…citizens vote online, enjoy universal access to medical records, and can perform most government services without leaving their laptops (Estonians filed their taxes online long before it was popular in the U.S.).”

As a result cyber security is a constant concern and an area the president understands well. Tallinn, Estonia is the home of the NATO Cooperative Cyber Defence Centre of Excellence.

Our Vice Preside of Consumer Security Maria Nordgren briefed the president about F-Secure and then our Chief Research Office Mikko Hypponen presented on cyberthreat landscape as seen from the F-Secure Labs.

Stuxnet, Flame, cyberwarfare and all the risks that countries face online all came up in the discussion that went on for hours. The president visited the famous F-Secure Labs.

In the President Ilves tweet documenting the visit he noted that he spent more time discussing cyber security with Mikko than he did meeting with the president of Finland.

This looks to be the beginning of a beautiful friendship.

Share this

As we prepare for the holiday season, we thought we’d review a few smart tactics to make sure that the only one who is spending your money is you.

1. Make sure your PC is patched and protected.
This is a standard piece of advice we always share but it’s especially crucial for people who rely on their PC for their financial transactions. Keep your PC updated with the latest system, application and security software. Our free Health Check makes this easy. With an updated and protected PC, you’ll avoid more than 99% of the trouble you might face online.

2. Go directly to the site
When you’re shopping online, it’s always best to stick to retailers you know and trust. Go to the site directly and search there. Avoid clicking on links in your email to go to a store or your bank so you don’t end up at a scam site. If your bank contacts you with a problem, go to the site on your own, or just pick up the phone and give them a call.

3. Look for the “s” in “https:”.
Only enter your information in if you see that extra “s” in your URL. It stands for secured and it’s an extra layer of protection that keeps your account information private.

4. Shop and bank when you’re secure.
Only shop when you know you’re on a network and a PC that’s protected. A computer in an Internet cafe may have a keylogger that tracks your credit card number or password. An open “free Wi-Fi” network, may be convenient. But it’s also risky for shopping or banking. If you use your smartphone or tablet to shop or bank, make sure you have security software on it that includes anti-theft protection that will you allow you to deactivate your device if you lose it. That way when you lose your phone you don’t lose control of your money.

5. Check your accounts.
Try to limit your online shopping to one credit card, and make sure you check that account on a regular basis. Make it a weekly chore to check your account statement and your bank account. Then you’ll be ready to contact your institutions as soon as you notice a problem. The longer a criminal has access to your account, the more trouble they can do–of course.

With these few precautions, you can worry less about your security and more about what you’d actually like to buy.

Cheers,
Sandra

Image credit: Images_of_Money

Share this

This is a guest post from Karmina, an expert from F-Secure Labs. Enjoy!

Little is known about the team in the F-Secure Labs that focuses on tracking down threats. Usually, those contacting the Labs are looking for solutions such as detections and removals. Though mostly working in the background, I’m proud to be part of that team that deals with preventing threats from infecting further.

Proactive protection is my daily mantra. The usual question that I ask when analyzing a threat is where did it come from? If we are able to determine the source and block it from there, then it won’t proceed to infect your computer. My job is to spot threats and track down their possible sources, from social networks to email spams to application stores. Then I need to understand the threat’s behavior and how it spreads. They usually leave distinct trails and have certain characteristics that make them identifiable. It’s fun, in the sense that I feel like I’m a detective trying to uncover something. It’s like building a puzzle where I examine the pieces and put them together to see the bigger picture.

In the Labs, teamwork is important. I provide the information that I gather to other teams so they can build solutions such as website ratings, detections, and removals. We work together toward a common goal: to protect you and provide online safety. From blocking malicious URLs that push information-thieving wares into computers, to scouring application stores worldwide for Trojans disguised as interesting apps, we try to catch them all and protect the users.

Considering that I didn’t plan to get into this field, I’d have to say that I enjoy doing this. Due to constantly evolving threats, I learn a lot of new things daily. I feel fulfilled when I uncover a mystery. I’m glad I ended up in the online security field. My career is also why I’ve had the chance to live in three different countries. I get to see the world while doing interesting work. All in all, not bad!

Share this

We started off by asking Emma what it is she likes most about her job.

“It’s quite difficult to pinpoint one single thing that I most enjoy at work,” she told us, “since one of my favorite things about my job is the variety of tasks. However, one of the best parts of my job is definitely creating content. Telling stories is fun, and I hope that we also succeed in communicating in ways and about topics that are relevant and of interest to our target audience.”

That audience is made up of F-Secure partners —some of the best and brightest business minds around the globe.

Like many of us at F-Secure, Emma enjoys the unique opportunity to work with and around some of the world’s foremost experts in digital threats.

“During my time at F-Secure, I have had the chance to learn not only a whole lot of new things about marketing, but also about the industry and the threat landscape,” she said.

Her job also puts her in touch with the current challenges that exist in securing the workplace.

“There’s no single threat that most affects businesses,” she told us. “Rather, organizations of all sizes are affected by cyber crime in all it’s different forms and variations, but one clear purpose: to steal money and confidential data. Even small businesses are increasingly becoming the target of these attacks, as many of them lack the resources and expertise to protect their irreplaceable assets.”

The threat landscape is always evolving but one aspect that is increasingly scary to businesses is software vulnerabilities.

“Recently, we’ve seen an increasing amount of attempts to gain access to a computer through vulnerability exploitation – the art of finding a security hole in any software and using that as a way to infect the machine. Vulnerabilities in Java and Internet Explorer have been all over the news, and criminals haven’t left these opportunities unused.”

She pointed out a perfect example of this. @TimoHirvonen from the F-Secure Labs recently posted an example of just how quickly a criminal can go from vulnerability to exploit. It’s scary.

That’s where F-Secure comes in, of course.

Emma explains: “Our portfolio covers a whole range of customer needs, from organizations willing to manage their solution on their own to a fully outsourced solution where IT security is managed by a trusted partner. We protect all layers of the organization from desktop PCs, laptops and mobile phones to file servers and email servers. In addition, our advanced management tools make it possible to monitor and manage a network.”

F-Secure was the first security company in the world to offer security as a service. Many businesses find that by relying on us for the best protection in the world doesn’t just save them time and money. It frees them up to concentrate on what matters most.

“Security as a Service has proven to be a success and it is increasingly popular among businesses. Outsourcing security to a partner means worry-free and reliable protection that is always backed up by F-Secure’s world class technology,” Emma told us. “When professionals take care of security, you can focus on your core business. Security as a Service is a great solution especially for those businesses, large and small, that don’t have the necessary expertise.”

How can F-Secure affect your workplace?

“Ensuring high-quality protection ensures uninterrupted work and keeps an organization running. Actually, the challenge with security is that it is only noticed when something negative happens,” she said.

But for Emma, security that works best is security that you don’t notice.

“Security is paramount for business but it should not come at the cost of usability. Our objective is to offer our customers the best protection without unnecessary impact on performance or distraction.”

When this happens everyone performs better.

“At best, IT security can improve productivity,” she said. “Think about email, for example. Email is a vital business tool for companies, but spam email traffic can reduce employee productivity and burden the IT infrastructure. Effective and accurate virus and spam filtering saves internal network bandwidth and increases productivity.”

Most businesses have had email security in mind for years but forward-thinking businesses are thinking ahead. Optimal software performance prevents online crime and keeps businesses functioning optimally when it matters most.

“Another example could be updating software. Keeping software up-to-date fixes holes in security,” Emma told us, “but can also keep software and applications running smoothly and reliably during critical times.”

For business, those critical times are the last moments when you want to think about security. And that’s why Emma and F-Secure are here, so you don’t have to.

Share this

This link almost inevitably leads to something you don’t want–a phishing scam or a malicious page.

There’s one way to avoid this problem complete: Don’t click on links people send you via Direct Messages on Twitter.

But is there a larger message here, something that extends beyond Twitter? Sure!

Don’t click on that link in an email from your “bank.” Don’t click on that link on Facebook that promises an outrageous video. Don’t click on that link that screams “FREE!” In this era of shortened and spoofed URLs, you can’t be sure where any link will take you.,

It’s always best to go directly to your bank or financial institution’s site or Google for videos or images related to the hottest scandal. Nothing is a hundred percent reliable but you’re adding a layer of protection.

If you really must click on a questionable link, check it with our free Browsing Protection first.

Cheers,

Jason

Share this

He’s known for being a code warrior, writing fantastic tweets and tracking down the makers of the world’s first PC virus:

And as you can see in that video, he’s also known for his ponytail.

Yesterday, Mikko did something no one expected — he cut that famous ponytail off.

Why? For a good cause, of course. Mikko’s ponytail was auctioned off for $2,000 and the proceeds went to a children’s cancer hospital.

Cheers to you, Mikko, though we hardly recognize you now.

Sandra

Share this

I thought I would never lose my smartphone. I was wrong. I lost my phone, but I was lucky enough to get it back. And believe it or not, I followed it real-time as it traveled across Europe for 24 hours. How was that possible?

Last week I traveled from Helsinki, Finland to Munich, Germany. As we landed at Munich Airport, I switched my phone on as usual. But when leaving the baggage claim area I realized my phone wasn’t with me anymore. My mind began to race. Had it been stolen or was it just waiting to be found in the plane? I visited the lost and found desk. They contacted the airport cleaners to see if my phone had been found. No such luck. So there I was, abroad, feeling totally stranded without my precious phone, its contacts and content.

Now for the good news. Lucky me, I had installed F-Secure Mobile Security, which includes an Anti-Theft feature to locate your device if lost or stolen. It was as easy as it sounds. I just borrowed my friend’s phone and sent the following SMS to my phone: #locate#.  I instantly received a link to Google Maps and  was able to locate my phone. It was still at Munich Airport in the aircraft area.

Now I knew where my phone was, and I could track it wherever it went with a single SMS. Good thing because my smartphone was traveling without a ticket around Europe. First back to Helsinki. The next tracked location was in Manchester, UK, which was also the aircraft’s next destination, according to the airline. Some hours later it was in Helsinki again. And my phone kept traveling, and I kept tracking it, but the airline staff were unable to find it. They even suggested it could have gone out with the garbage. I knew it hadn’t, thanks to the locate feature. Once more my phone traveled between Munich and Helsinki. Finally I wasn’t going to let it travel anymore. 24 hours of tracking was enough. I was able to convince the airline security that my phone was on the plane heading to Helsinki.

F-Secure Mobile Security has another useful feature. I was able to remotely set off my phone’s alarm.  #ALARM#. This is a good feature to use instantly the moment you realize your phone has disappeared. The alarm sound is extremely loud to reveal a thief or to reveal the exact location of your phone.

This time when the security staff searched the plane for my phone, they were finally able to find it between the seats. Not without a little annoyance – the security chief called me and asked how to shut off the very disturbing alarm. So I sent another SMS “Alarm off #ALARM#<security code>#0” to stop the alarm.

The next day when I arrived back from my trip, my phone and I had a pleasant reunion in Helsinki.

So, what did I learn? Always keep your F-Secure Mobile Security up to date. Keep your phone charged and on whenever possible, so it can be tracked if lost or stolen. And keep the SMS commands safely in your wallet so you have them when you need them. F-Secure Customer Support will also help you if you don’t have the commands. Just make sure you remember your security code for Anti-Theft.

With F-Secure Mobile Security you are not only able to locate your lost device, you can also keep track of your children’s or anyone’s moves who is holding a phone. Also if the device is stolen, you can wipe the information from it with just one SMS: #wipe#.

And I can now continue my work with my precious calendar and contacts back in my hands. I have to say it out loud, “I just love the feeling of being protected!”

You can try F-Secure Mobile Security for free for 30 days here.

Share this

Consumers are adopting these technologies just as quickly. According to F-Secure’s 2012 global consumer survey, 45% of consumers are already using smartphones to access the Internet, 18% are using tablets and 10% smart TVs. And the numbers are increasing all the time.

You might say that these developments are finally heralding the era of ubiquitous computing. But it’s important to remember that the attackers will follow the users. That’s why having up-to-date protection on all your devices is as critical as ever.

To that end, the newest version of F-Secure Mobile Security offers universal Android protection – for all your Android devices, even your smart TV or set top box. Smart TVs are a new frontier for threats from cybercriminals, so it’s reassuring to know that our solution is there to protect as the technology develops and the threats grow.

Share this

Do you have Java plugin in your browser? You’re vulnerable. Unless you run J2SE 1.x from the 1990s. And you shouldn’t. seclists.org/fulldisclosure…

— Mikko Hypponen (@mikko) September 26, 2012

Java plug-in vulnerabilities haven long presented opportunities for online criminals. In December of last year, Mikko wrote, “Do you need Java in your web browser? Seriously, do you? If not, get rid of it.”

How do you get rid of the Java Plug-in? Our Labs has made a helpful guide for the following browsers:

• Mozilla Firefox
• Google Chrome
  
• Apple Safari
  
• Microsoft Internet Explorer

Seriously, take Mikko’s advice and disable it now. And if you need to use it again, just disable it when you’re done.

Cheers,
Jason

Share this

My name is Timo Hirvonen and I work in the F-Secure Labs as Anti-malware Analyst. I have two major areas of focus in my work: exploit prevention and F-Secure DeepGuard.

Exploit analysis and prevention is my passion, and I love the challenge it offers.

I find fighting against exploits important; nowadays exploit kits are the main infection vector so no matter how safely and wisely you browse you might still get infected. By stopping the exploits, we block the attacker from executing any code on the victim’s computer, which in turn protects against many kinds of threats: ransomware, banking trojans – you name it.

The second cool part of my job is working with the F-Secure DeepGuard technology. I try my best to make sure it offers our Security Response the best possible tools to fight current and also future malware. The main idea behind DeepGuard is simple but extremely powerful: it monitors the behavior of unknown applications. Modern malware evolves quickly, and often each user gets infected by a unique copy of the malware. This poses a challenge for traditional detection technologies.

For DeepGuard, however, this is not a problem since there is one trait that all malware have in common: they exhibit malicious behavior. It is really an awesome technology, and we have had great results in protecting our users from serious threats like the infamous banking trojan Zeus.

Working in the F-Secure Labs was a dream of mine even as a teenager. I have now been with F-Secure for little over two years, and I can say it feels great to first work hard with all the talented the people in the Labs to solve some challenge, and then get the reward of seeing the fruit of your labor protecting all our users out there.

I can truly say that my job is a dream come true.

You can try out Deep Guard as part of our Internet Security 2013.

Share this

UPDATE: Microsoft has issued an update to secure Internet Explorer. Our Internet Security 2013‘s Browsing Protection keeps you safe on any browser you use.

Microsoft is warning about a vulnerability in its Internet Explorer browser that is actively being exploited to inject the Poison Ivy Trojan.

No simple update is available and the fix Microsoft suggests is complicated. The flaw is only in Internet Explorer versions 9 and earlier. Internet Explorer 10, which is bundled with Windows 8, is not affected.

For this reason, F-Secure Labs is currently recommending that you avoid using Internet Explorer. “We know that this vulnerability has been used by criminals,” Mikko Hypponen, F-Secure’s Chief Research Officer said. “The only secure way to use the internet is to change your browser.”

Our Labs blog suggests, “You can take a pick from Chrome, Firefox or Internet Explorer 10 for now.”

Image by hashir.

Share this

THIS SWEEPSTAKES IS NOW CLOSED: Please ‘like’ our Facebook page for more sweepstakes and Internet security tips.

We know that what we protect is more than information on your hard drives. It’s the precious memories in your digital images and videos. It’s the peace of mind that comes with knowing your personal and work documents are secure. It’s the security of knowing that your credit card will work the next time you use it, and there won’t be any strange charges on your next bill.

To celebrate the launch of F-Secure Internet Security 2013 and how we protect you, we’re giving away an HP Pavilion Laptop g6-1d80nr 15.6 inch laptop protected by Internet Security 2013.

All you have to do is answer the following question in the comments of this post: What on your computer do you care about protecting most?

Is it a specific photo, a game, a video, a file? Be as specific or general as you’d like to be.

Just read the rules for this sweepstakes and post your answer below for your chance to win.

Cheers,

Sandra

Image by Bob West.

Share this

It all starts inside the F-Secure Labs in Helsinki, Finland and Kuala Lumpur, Malaysia. Our security analysts spend endless hours investigating the digital landscape to guarantee immediate reaction to new and emerging online threats with frequent updates. Our Labs receives tens of thousands samples every day. Thousands of those are suspicious — trojans, worms, ransomware, etc. Their constant investigation and dissection of malicious software ensures prompt and effective response to all outbreaks.

At this moment, samples are being collected from Moscow, Russia, Birmingham, England and Riverside, USA. And these are just a  tiny fraction of the samples that will be tracked today. You can follow the F-Secure’s real-time sample activity here and see the suspicious samples we’re processing now.

F-Secure products are the result constant collaboration. Our R&D team keeps F-Secure ahead of the curve, offering best technology to face the newest threats. Our UX team keeps our interface welcoming and intuitive. Last but not least, our Customer Care is there to support you when you need it most.

We will protect you, right now, whenever you’re online. Our flagship product, F-Secure Internet Security 2013 is out now and it gives you the best protection for your and your family’s online life.  You can try it for free for 30 days here.

If you’re already have a license for F-Secure Internet Security, you can download Internet Security 2013 here.

Share this

If you’re looking to connect constantly with friends online constantly and seamlessly there is no better way to do it than using Facebook. Since I use the site for free, I’m aware that I am Facebook’s product, meaning they need to market or monetize as much as what I do on the site to make it profitable. Knowing this, I do not think it’s a great place to be private but that’s not why I go on the site. For me it’s about sharing and connecting.

I’m also a believer in Facebook as a business. In a world where people where are doing whatever they can to avoid advertisement, people are friending brands and artists to get more information (also known as more ads). This creates relationships between people and brands that have never really existed in history. The many ways this platform can be used to build or grow businesses cannot yet be imagined. I expect that this holiday season and every holiday season, Facebook will set new records for enabling commerce and helping people find perfect gifts.

But as a devoted Facebook fan and user, I am aware that the financial trouble the company is in will affect my use of the site. When the company went public earlier this year, the stock did not maintain its value and recently it has tested new lows. What made Facebook great was a focus on experience but only a fool would assume that the financial situation the company is in won’t force it to try new methods to grow revenues.

One of the first examples of how your information will be used to market to you has just been announced. Companies that have your email or phone number will soon be able to use that information to serve you ads on the site. Facebook will anonymize the data so the companies won’t get any extra information on you unless you respond to the ad.

A natural response would be to wonder if you want this kind of targeting based on your information. Should you delete your number from the site? (Your email address is required.)

I’ve decided I will not because I like the ability to use my phone to get my account if it’s hacked, two-factor authentication and to get one-time passwords for use on public computers. And the companies that already have my email and phone number are likely companies I trust.

(You can remove your number if Facebook has it by going to Account Settings > Mobile.)

I am aware that anything I do on Facebook my ultimately be used to market me or to try to increase my friends’ interactions on the site. I’m also used to this idea of paying for content by enduring advertisement from television, radio, Google… But the thought of my social life being that content is always a bit scary.

Still, nothing much has changed. Facebook will only be able to share what I give it share. As always, my privacy is up to me.

Image by Johan Larsson.

Share this

Mikko Hyppönen believes that nation states are using these complex, difficult-to-detect malware to attack each other. Cyber warfare has become a viable option, often preferable to conventional warfare or diplomacy. “Just like modern hi-tech research revolutionized military operations over the last 50 years, we are going to see a new revolution, focusing on information operations and cyber warfare,” Mikko writes in his introduction to the report. “This revolution is underway and it’s happening right now.”

What else in happening in online security? Real threats to owners of Apple computers. Flashback was the first massive malware outbreak on the Mac OS X platform. It infected more than 600 000 Macs around the world.

Several of policed themed ransomware attacks have appeared around the globe, and they’re expected to get increase. Simply put this malware type employs extortion techniques to make money out of the victims. It takes control of the user’s computer, then leverages the victim’s surprise, embarrassment and fear to push them into paying the ransom demanded in order to regain control of their files.

At the F-Secure Response Labs in Helsinki, Finland, and Kuala Lumpur, Malaysia, security experts work around the clock to ensure customers are protected from the latest online threats so F-Secure Internet Security will give you the best possible protection.

You can download the full report  from the Labs section of our site.

Share this

In the US, we’re in the middle of an election where social media is playing a huge role in seeking support and donations. For millions of Americans, “liking” a candidate on Facebook is an easy way to keep stay in touch with or show a little support for a candidate. Of course, your friends will see that you’ve liked a page. But that’s just one quick event in your newsfeed.

However, there’s another way your political “likes” may show up on the site that you should keep in mind. Facebook automatically opts you into your social ads program. This means it can use your name to tell your friends that you’ve liked a page on Facebook. So you may see an ad that says “Your  friend likes Mitt Romney” or “Your friend likes Barack Obama” if they’ve liked that candidates page. Or let’s say you’ve liked the page of a candidate you don’t actually like to keep up with his or her activities. That candidate can still use your name to advertise to friends.

If you’re worried about your political views getting between you and your friends and family on Facebook, there’s two simple things you can do.

1. Avoid liking political pages on Facebook.

2. If you enjoy keeping up with politics on Facebook but want to keep your views to yourself, just turn off Facebook’s social Ads.

• Just go to “Account Settings”.
• Click on “Facebook Ads”.
• Click on “Edit social ads setting”
• Next to “Pair my social actions with ads for” select “No one”.
• Click “Save Changes”.

There you go.
Cheers,
Jason

[CC image by west.m]

Share this

Our Chief Research Officer Mikko Hypponen recently sat down for a brief discussion on online crime. Below are five of the most important things he explained about online crime and what you can do to prevent it.

1. There is no geography online. You’re as likely to be a victim of a criminal from across the globe as across the street. It is as if the Internet has given free plane tickets to criminals all over the world.

2. It’s probably more likely that you’ll be a victim of crime online than in the real world.

3.There are three groups responsible for most online threats: criminals, hacktivists/online activists and governments. They all have different targets. Criminals target everyone, often in search of credit card numbers. Hacktivists are trying to send a message or play a joke and are difficult to interpret or defend against. Governments generally target other governments.

4. There are precautions that make using the Internet is usable: always back up your files, keep your software patched and always have security software running.

5. Despite online crime, the Internet is still responsible for much more good than bad. That’s why we must protect it.

Cheers,

Anna

Share this

Most mobile malicious software comes from third-party or unofficial markets.  The 5033 malware samples analyzed by the labs between April 27 and June 27 of this year included the first ever mobile malware in the wild that uses the highly effective “drive-by download” method. If an Android device was configured to allow installations by unknown sources, this malware—called Trojan-Proxy:Android/NotCompatible.A—downloads and waits to be installed. If the user is tricked into installing the file by the software’s name, which includes “update,” “security” or both, the device becomes part of a bot network.

Websites aren’t the only new way to infect Android devices. Twitter, the mini-blogging phenomenon that has flourished on mobile phones, is being used as a method of infecting mobile devices. New malware variant Cawitt.A accesses a Twitter account to get a server address, which it maintains contact with. When it receives instructions, the malware sends out SMS messages to certain numbers, and forwards data on the device’s International Mobile Equipment Identity (IMEI) number, phone number, and Android ID to the server.

Of the variants discovered this quarter, 39 were profit-motivated. This matches a peak reached in the third quarter of last year and speaks to why mobile malware is advancing. Authors are finding new ways to use target users including attacks that target specific regions. In Spain for instance, there were several reports on banking-related attacks, which offer the promise of major monetary reward for the most sophisticated online criminals.

Have we reached a point in time when using an Android without mobile security software is as unthinkable as surfing the net on an unprotected PC?

Cheers,

Jason

Share this

About 8 out of 10 people, 77%, believe that the videos, pictures and data on their phones are more valuable than the phones themselves. Our phones have replaces so many devices it’s nearly impossible to count. They’re our constant companion and probably hold more secrets about us than our best friends.

Here’s how to protect the content on your phone.

1. Always lock your phone.
Whether a friend or a stranger finds your phone, you’re better off if they can’t access it. The iPhone has an option to erase your phone if someone tries to unlock it unsuccessfully too many times. If you use your phone for work, this is something you may want to consider.

2. Back up your data.
Your digital memories are irreplaceable so you owe it to yourself to make sure they exist in more than one places. Back up your phones as often as you can remember to do so. If you know an image or video is especially invaluable, email it to yourself immediately.

3. Use an Anti-theft app.
We all lose our phones. It may be gone for a few minutes or forever. Luckily you can install an app on most phones that allows you to lock the phone no matter where it ends up. If you know you’re not getting the phone back, you can then erase it. Our Anti-Theft for Mobile is free and you can get it here.

Of course, your phone is valuable, too. Keep it safe by always storing it in the same pocket/section of your purse. Put a unique case on it that you’ll quickly recognize. Only take it out while walking or on public transit when you really have to.

What other tips do you have for keeping your content and your phone safe?

Cheers,
Jason

Share this

Take a look:

Our Content Anywhere solution gives you the ability to share any of your content on any of your devices anytime without losing control of it. Until that’s available to all users, here are a few suggestions on how to keep control of your content.

1. Share your images through email.
It’s never a good idea to broadcast your location on Facebook or any social network to anyone you wouldn’t tell in purpose. Still, many of us like to share our images in real time. So you can always share the old fashioned way — email. This removes the worry of who exactly you’re sharing with when you don’t want your pictures to spread out over your network.

2. Be careful when sharing “unlisted” YouTube videos.
YouTube has a handy option that allows you to share a video directly only with people who have the link. This feature doesn’t prevent anyone from sharing that link or posting that link on other sites. There have been instances of unlisted videos going viral. To be safe when you want to keep a video private, choose the private setting and invite specific users to see it.

3. Remove the location data from your images.
Even if you’re sharing your content, you may may not want to reveal your location or the location of your kids. Yet the images you share may be doing just that unless you’ve made sure to turn off the location data stored in your images. Here’s how to disable the location meta-data your phone may be adding to your images.

Share this

The US government had kept hundreds of thousands of Internet users infected with DNSChanger online. And they announced they would stop doing so, rendering many with a connection they could not use. How many users would be affected? A few hundred thousand. OH, NO!

Well, the event came and went and no one seemed to notice. The education spread by the security industry, operators and the news media had been enough to keep the consequences to a minimum. Maybe the computers that were affected probably weren’t being used? Maybe the affected users have no way to complain? Not likely in this connected world. But in the end, only a few hundred thousand machines were affected. A drop in the bucket.

But later the same week came news of leak of over 450,000 Yahoo! passwords. Again alarm bells went off. Some of the same people who were pointing out that DNSChanger only affected a drop in the huge Internet bucket were now informing all users everywhere of a huge security problem. Maybe because so many millions of users have had a Yahoo! account at some time this story seemed even bigger than it was.

The fact is that both of these events were a big deal to those affected. But not many people were affected, percentage wise.

For the great majority of Internet users, the scares reported on the news are just that: scares. However, if you follow a few precautions, most of those scares will never affect you. So what do you actually need to worry about? Here are 3 big things.

1. Passwords.
Use strong and UNIQUE passwords for each account you really care about. We recommend this system. Never use the same password for your work and home accounts. Never use a password that any friend or family member can guess—or a word that appears in a dictionary.

2. Keep your system updated and protected.
Updated system, application and security software are your best protection from most threats. Unless you are a systems administrator for a country that builds nuclear weapons, this will protect you from 99.9% of the attacks you might face. Our free Health Check makes keeping your PC patched and protected easy.

3. Think before you click.
Never click “install” or “run” on any software you did not seek out. Never click on a link in an email, even on your phone; they can be as dangerous as attachments. Go to the site directly instead. And if a link on a website or a social network seems too good to be true—if it’s super sexy or gossipy or offers something for free—assume that it is too good to be true.

We’ll keep you updated on odd threats as they come up. But with these basic precautions you can expect to connect easily whenever and wherever you want.

Cheers,

Jason

[CC image by Anonymous9000]

Share this

When I started tweeting 2007, it took a while to find out how to make Twitter part of my life, or why I even would. Now I know that it’s the perfect way to share and enjoy observations, jokes and content from around the world.

Twitter is both business-friendly and casual. It’s silly and serious. A passing fancy and completely addictive. When the game is on or news is breaking, Twitter is the perfect way to have a conversation with the world. If you get your feed right, it’s like a never-ending cocktail party with the people you want to hear from most.

That all may sound nice. BUT WHAT IS IT REALLY?

That’s what a colleague at F-Secure wanted to know. So he sent me series of questions that he called “Twitter for Dummies”. I hope he doesn’t mind but I decided to turn my answers into a blog post since his questions are the perfect way to introduce to service to a new user.

1. What’s a tweet ?
A tweet is a 140 character message. That includes punctuation and emoticons. The limit inspires a precision of language.

Want to know what a popular tweet looks like? Go to Favstar.fm You’ll see most are quips or jokes. But nearly every publication and writer in the western world is on Twitter. Ricky Gervais, Stephen Fry and Steve Martin all tweet.

Here’s an example of one of @Mikko‘s most popular tweets:

“Siri, I’m bleeding really bad, can you call me an ambulance?” imgur.com/2cY3m.jpg

— Mikko Hypponen (@mikko) December 27, 2011

2. Who sees it when I send one?
The only people likely to see a tweet are the people who follow you. At first, that may be no one or not many people. BUT it is important to note that unless you protect your tweets in your settings it still could be seen by anyone—if they go looking for it.

Twitter has two privacy settings: public and protected. Nearly all users choose public. And of course, even if it’s protected, the information in your tweet could be shared by anyone follows you.

3. Where do I send it to?
First you need to sign up either by going to Twitter.com or by downloading the Twitter app for your phone. There are other ways but going to the website is easiest. You’ll need to choose a unique user name that isn’t more than 15 characters. You’ll also be able to write a bio and choose an icon to identify you. But these are optional steps that you can do later.

Once you have an account, Twitter can search your webmail accounts to find out if you have any friends on Twitter. You surely do. Once you follow them, they’ll likely follow you.

Now you’re ready to tweet. Go to the Compose a tweet button and type directly into the pop-up.

4. What does this symbol signify…#xxxxx
It’s called a hashtag and it was invented by Twitter users as a way to create a channel or thread of people discussing the same topic. Most TV shows and events have their own hashtags these days. Companies use them to promote themselves. Often they are added by users as jokes as in #TMI or #firstworldproblems.

5. What does this symbol signify…@xxxxx
That indicates a Twitter username. It was also invented by Twitter users. When you tweet someone’s username in that format, the person gets a notification—that they probably turned off but they can still your message even if they’re not following you by clicking on the @Connect tab on Twitter.com

6. Can I add pictures?
Yes! It’s very simple now to add pictures to a tweet. When you have the Compose window open, click the camera button. Add your photo in the same way you’d add an email attachment. Your mobile app will have a similar button that works about the same way.

7. Links ?
You can add a link to any tweet—if there is room. Don’t worry. Twitter both on its website and its mobile app automatically shortens your links so they take up about 20 characters and won’t let you tweet if you’re over the limit.

8. How do I ensure I don’t mess up?
Excellent question. It happens all the time. People have lost their jobs for Tweets. At least one man has been arrested for a tweet. Yet millions and millions of people tweet all the time, enjoying mostly positive experiences. The easiest answer is don’t tweet anything you wouldn’t say in a crowded room of colleagues. If you do, delete it as soon as possible.

If you’re very worried about what you might say, open an account with an email account you don’t regularly use. You can then obscure your identity and tweet with impunity—as long as you don’t threaten or libel anyone.

There’s lots more we can go into. But I think this is more than enough to get started—if it sounds interesting to you.

If you’re already Twitter user, what made you fall in love with Twitter? What should new users know and whom should they follow?

Cheers,
Jason

[CC iPhone image by SteveGarfield]

Share this

That means: Unless you purposely set out to put a new program on your computer, don’t click “install”, “run” or “continue“.

This rule is increasingly important in a world where the malware is being socially engineered to cause you trouble. Take this recent case from the F-Secure Labs where a web exploit can tell if you’re using a Windows, Mac or Linux PC. Once installed it knows exactly what trojan to install and it connects back to its source to find more malicious code.

How do you avoid getting bad software trying to install itself on your PC?

Kreb’s Number Two Rule will help you with that: “If you installed it, update it.”

The software on your PC is as only as secure as its latest update. Your job is to make sure that you keep up with the updates for your system software and all the applications you use. Our free Health Check makes that easy on Windows PCs.

Of course, we also recommend that you run updated Internet security software. Our Browsing Protection will block most of the sites with harmful payloads. You can try F-Secure Internet Security free.

Share this

Who will be affected?
Around 300,000 computers around the globe are still part of a botnet called DNSChanger. The botnet altered DNS server settings on the infected computers to conduct click-fraud schemes. Last year the FBI and Estonian authorities arrested the gang behind DNSChanger. Since then, US Courts have authorized running “clean” servers for infected IP addresses. And those servers are set to be turned off on July 9th.

Am I infected?
Probably not. But go to http://www.dcwg.org/detect/ and find out now.

See, we told you that you probably weren’t infected.

On the odd chance you are, you can use our free tool to reset your settings. You should do this now even though the courts are likely to extend the servers for a bit longer. Why now? If you’re infected your computer is a “zombie” and vulnerable to new infections. And these new infections won’t be run by a court in the United States.

For more about DNSChanger visit the F-Secure Labs blog.

Cheers,

Anna

[CC image by Brad Montgomery]

Share this

Now iPhone is battling Android to be the most popular smartphone platform in the world.

F-Secure Labs received one of the first iPhones to make it to Europe. Chief Research Office Mikko Hypponen immediately tested it to make sure it could handle a Finnish winter.

As you can see, the iPhone survived and thrived. And on the five-year anniversary of its release Mikko decided that Apple deserved a little congratulations.

iPhone is 5 years old today. After 5 years, not a single serious malware case. It’s not just luck; we need to congratulate Apple on this.

— Mikko Hypponen (@mikko) June 28, 2012

Despite the fact that just about every version of its OS has been opened up or “jailbroken” by users, there has not been one piece of malware that has been able to successfully infect unmodified iPhones. If security is the “art of making nothing happen”, Apple’s iPhone security has been a work of art. And they’ve done it with strict controls of applications via their own app store.

However, some experts disagreed with Mikko’s assessment—including our own Security Advisor Sean Sullivan.

@mikko And yet… there’s FlexiSPY. No version of XProtect for iOS, and Apple won’t allow security vendors access. I’ll withhold my congrats.

— Sean Sullivan (@FSLabsAdvisor) June 28, 2012

Let’s break Sean’s response down. FlexiSPY is malware that was written for “jailbroken” iPhones. XProtect is describing the built-in feature in Apple desktop operating system starting with Snow Leopard that scan files to see if they are malicious.

His last point is a major grievance that security experts like Sean and Mikko have been airing for a long time. Apple will not work with vendors like us so that we can provide additional, optional anti-virus protection. Realtime anti-virus would be an essential layer of protection in the case of a malware outbreak.

But Apple has five years of success to counter that argument.

One thing for sure is that you cannot use your iPhone believing you’re magically free of all threats. You’re just as likely are more likely to be victimized by a phishing scam, as we’ve learned to accept dodgy-looking mobile sites on our phones.

Your kids can also get into trouble by accessing content or people you can limit on your phone. That’s why we released F-Secure Child Safe for your child’s iPhone or iPad. It’s our first iOS app and we’d love for you to check it out.

Was security a big concern when you picked out your phone? Let us know in the comments.

Share this

Hopefully you have some time to get away this summer. But before you, we think now is an excellent time to clean up your online accounts.

1. Change your passwords on your most important accounts.
It’s good password hygiene to update your passwords at least a couple of times a year. If you haven’t updated the passwords on your most important accounts, do that now.

Remember to use different passwords for all of your accounts that matter. Need help remembering strong passwords for all your accounts? We suggest this system.

2. Clean out the apps you aren’t using on your Facebook and Twitter accounts.
If you’re an active user you’ve probably given third-parties access to your Facebook and Twitter accounts to get the benefits of different applications. Now is a great time to erase any apps you aren’t using.

On Facebook:
Go to the down arrow in the upper right hand corner, and select “Account Settings”. On the left side of the next screen select “Apps” and click the “X” on the far right next to any app you do not use. If you’re not sure if you use it, feel free to click the “X” because you can always add it again later.

On Twitter:
Under “Settings”, go to Apps. Click “Revoke Access” next to any app you aren’t using. You can also add any app you miss back later.

3. Close down any accounts you aren’t using.
Did you join Classmates.com? How long has it been since you’ve been there? If there is an online account you started and do not use, the smart move is to close it down before your information is sold to another service you never intended to sign up for. Some services purposely make closing an account difficult. In that case, just erase as much of the information as you possibly can.

Ahh, doesn’t that feel better? Now you’re ready to enjoy your Midsummer.

All the best to you and yours,
Anna

[CC image by darkismus]

Share this

To request an invite you have to tell us a bit about yourself and your computer experience. The point isn’t to make your life difficult. We just want to make sure that we find people who will really use the software and give us feedback on how to make it even better.

This year’s update includes several new features we’re proud of. Internet Security 2013 Beta supports Google Chrome—the world’s most popular browser. Browsing Protection no longer depends on a browser plugin, offering better performance regardless of which browser you’re using. Deepguard, our behavioral engine, is improved and the Beta now uses the Windows firewall with more filters for extra protection.

If you’re the kind of person who loves to play with and possibly break new technology, we’d appreciate your time. Become a Beta tester. You get six months subscription to the product, a chance to influence the product and chance to win prizes—if you’re one of the best of best when it comes to providing feedback.

Thanks for your time and helping us produce the best protection possible.

Cheers,
Jason

Share this

1. It’s taking over

In less than two years, Gartner expects millions of users to transition from the personal computing, hardware-centered ecosystem of the last two generations to a cloud computing experience that is virtually the same on all devices. Billions of people already use cloud services like Facebook and Youtube. But soon, many experts think, the cloud will be the primary way you interact with digital media.

2. Your smartphones/PCs/Macs already support it.
For years, experts assumed computers, phones and wallets would merge into one super device. Some thought the tablet might be the technology they’ve been waiting for. But what has actually happened is that many users now rely on up to three devices– a PC, a smartphone and a tablet.

Any Internet-connected device connects you to the cloud. Apps are already making the experience on each of smart device more and more similar on all devices.

Steve Kleynhans, research vice president at Gartner, said, “Emerging cloud services will become the glue that connects the web of devices that users choose to access during the different aspects of their daily life.”

3. The cloud will only win if it is awesome.
Imagine having any photo you’ve ever taken instantly available on any on phone, tablet, laptop or even TV. Access any video you have at any time. Move a teleconference from a phone to a tablet and taking all the related files with you. And then back again.

Eventually, you’ll be able to save frame of every image, every document created or collected from birth on will be available on any wirelessly connected through one interface that always works the same.

“Many call this era the post-PC era, but it isn’t really about being ‘after’ the PC, but rather about a new style of personal computing that frees individuals to use computing in fundamentally new ways to improve multiple aspects of their work and personal lives,” Kleynhans said.

The meme “Content is king” has been around since the birth of broadband. But the true innovation of the cloud is that it will make users king. The services that provide the best, most useful tools will compete for billions of customers. And they will also compete when it comes to security.

As the cloud absorbs your computing life, keep in mind that your content is your kingdom. Store and share it wisely.

[CC image by fairytalelights]

Share this

F-Secure Labs has covered the recent discovery of the Flame malware, a cyberweapon that is being used to target very specific users for surveillance purposes. Unless you’re a nuclear scientist or the system administrator of a weapons developer, you’re not likely to be targeted by such advanced malware.

Still regular, everyday cyber criminals will take advantage of any sloppy mistakes you make while relaxing. So let’s get a few security precautions out of the way so you can have a good time.

1. Update your devices before you go.
Make your system software is updated on your PC, smartphone and tablet at home on your safe and secure network. A patched and protected system along with updated security software is your best protection against threats. (Our free Health Check makes that easy.) Avoid taking software updates while on the road, especially while using hotel Wi-Fi. Criminals have used faked updates on hotel Wi-Fi to infect users with malware. If you follow Krebs’s Number One Rule for Staying Safe Online–“If you didn’t go looking for it, don’t install it!”—you’ll be fine.

2. Back up your hard drives and put a remote lock on your phone.
Traveling with the only digital copy of irreplaceable data or media is not a wise choice. Before you leave your house, back up your devices hard drives. (If you don’t have a backup option, you can try our Online Backup for free.) You should also put a software on your phone that gives you the ability to lock a lost phone and erase it if necessary. (Our free Anti-Theft for Mobile does this for Android and Symbian phones.)

3. Use direct DSL or cable connection when you can; if not, use encrypted Wi-Fi with a VPN.
If free public Wi-Fi is your only option and you do not have a VPN, consider yourself watched. Try to use one-time passwords for services that offer them such as Facebook and Hotmail. Using free Wi-Fi or a public computer for shopping and banking is definitely not recommended.

4. Don’t click on links or attachments in email, especially from email you were not expecting.
This is a piece of advice from the Labs that we keep repeating because everyone knows the attachment but the link part is new. Links can lead to scams, which on your phone especially may look as official as any bank website.

5. Be careful about sharing your location.
Most of the fear about sharing location online comes from a very few examples of people being robbed by Facebook friends. The basic rule is don’t tell anyone online that you’re not home who you wouldn’t tell in real life. So you probably don’t want to broadcast your vacation on your public social networks. Why not use email—like we did in the olden days?

Using your devices to improve your vacation is not a problem as long, as you take a few precautions. You earned the chance to rest and relax so enjoy it.

Cheers,
Jason

[CC image by gavdana]

Share this

Online criminals know millions of us are bound to be obsessed with the Olympics. So they’re going to use our interest to lure us into doing dumb things we would not normally do.

Here’s what you can to do help avoid current event threats.

1. Be wary of any email or private message that includes attachments or links.
Everyone knows opening an email attachment you weren’t expecting is dangerous. However links in emails can easily lead to malicious attacks or scams. Be extra suspicious of any emails related to topical events and celebrities. If you must click the link, check it with Browsing Protection first. Also keep in mind that private messages in Twitter with links often lead to phishing scams. While these scams probably won’t lead to malware, they could end up with a very embarrassing spamming of all your friends and followers.

2. Keep your system patched and protected.
The Olympic-themed malicious PDF the Labs found relied on an exploit in older versions of Adobe Reader. Other attacks will use other exploits. This is why it’s crucial you keep your Adobe Reader, Java, browsers, operating system and security software updated. Our Health Check makes this easy on your PC.

3. If a message is about a current event or seems to good (or bad) to be true, pause for a moment.
If you are looking for information on breaking news use the Google News search when available. If you get an email from your bank or credit card company that seems odd, call your institution. If you get a message that says someone has been saying bad things about you, don’t click on the link. Because this is the Internet. Of course someone is saying bad things about you somewhere. Clicking on the link can only lead to bad things, like a scam.

Events like the Olympics bring the world together. With some savvy, you can enjoy the games without the trouble of a comprised computer.

Cheers,

Anna

Share this

Why has Chrome grown so quickly since it was first launched less than four years ago?

Our Chief Research Officer @Mikko Hyppönen has a theory: Security.

He gave this explanation at Google Zeitgeist 2012 on May 22:

Chrome is actually excellent in security senses. And I’m not saying that just because we are at a Google event.

Looking at real world statistics of people who surf the web and happen to visit a website that has an exploit kit waiting, users surfing with IE or Firefox have—in practice—a much higher risk of getting infected than users with Chrome. And I do believe that’s one of the reasons why Chrome bypassed IE in popularity globally just yesterday—after IE had been the number one browser in the world, Chrome became number one just yesterday.

Share this

(You can download the whole report here.)

1. A vast majority of mobile malware is targeting the Android operating system.
New families and variants of Android malware keep cropping up each quarter, and this trend isn’t slowing down. In Q1 2011, 10 new Android malware families and variants were discovered. A year later, this number has nearly quadrupled. 37 new families and variants discovered in the first quarter of 2012 alone. In the first quarter of 2011, 139 malicious Android application package files (APKs) were identified. In the first quarter of that number grew to 3063.

2. If Android users stick to official Google marketplace Play, they should be fine for now.
F-Secure Labs has seen a handful of examples of bad apps popping up in the official Android Marketplace, which has now become Google Play. But these examples are extremely rare compared to the thousands and thousands of good apps available. Apps that you haven’t found inside an official marketplace and begin installing themselves on your phone are much more likely to be malicious.

3. Mobile malware developers are after your money and they’re increasingly sneaky.
We’ve now reached the era where the bad guys believe there is money to be made by invading your smartphone. A vast majority of Android malware is now profit motivated. And with money on their minds, criminals tend to step up their game. Malware authors craft their infected or trojanized applications to defeat anti-virus signature detection. They distribute their malware in different application names, and trojanizing versions of widely popular applications including the most popular app ever to come out of Finland—Angry Birds.

What’s especially sneaky about today’s malware is just how well it can hide itself.

F-Secure Labs Security Advisor Sean Sullivan explains: “Today what we’re seeing are malicious Android applications that have bundled legitimate apps such as Rovio’s Angry Birds Space. First the malicious “wrapper” tricks and manipulates the user into granting permissions that allow the malware to subscribe to premium rate services. But then… the malware actually dos install a working copy of the promised game. At this point there is little to be suspicious of and nothing to troubleshoot. The user gets the game that he was promised.”

How long might a user go without knowing he or she is infected? That remains to be seen.

[CC image by keith.bellvay]

Share this

Now think about this: 57% of the mobile phone users we surveyed said their mobile phone contains more important information their wallet. MORE!

Over the last few years, our mobile phones have grown from a useful toy to our digital connection to world. Think about what’s on your phone’s hard drive. Your have your email, your phone numbers and contacts, texts. What else? You use it to bank, shop, enjoy apps and, in some places, even as your digital wallet.

F-Secure Labs has pointed how phishing scams are newly effectively on mobile phones. Bad apps, mobile botnets and spyware are no longer theoretical threats. Mobile malware that is designed to to seek make money grows more sophisticated all the time.

Is your phone as protected as it could be? Here are 5 ways you can secure your phone

1. Do not click links in your email.
Phishing scams are more powerful on mobiles and links can lead to scams or possibly even bad apps. You’d never click on an attachment from a stranger in your email. Think of links in emails the same way whether you’re on your phone or your PC.

2. For apps, stick to trusted marketplaces and vendors.
Apple’s walled garden method of approving all the apps in the iOS store has created a level of security that hasn’t been available on for Android users. There have been somewhat rare instances of bad apps showing up in the Android Marketplace, which is now Google Play. In general if you stick to the official marketplace, check reviews and research vendors you’ve never heard of, you’ll have a good chance of only installing safe apps.

3. Never install software you did not seek out.
Did you know QR codes can trigger an app install on your phone? The likeliest way you’ll get mobile malware is by installing it. So if any app asks to install itself without you intentionally seeking it out, immediately cancel if possible.

4. Lock your phone and put a remote wipe app on it.
Would you leave your open wallet lying around? You should always lock your phone the same way you lock your PC when you aren’t using it. For extra protection consider a remote-wipe software such as our free Anti-Theft for Mobile. It gives you the power to lock and erase your phone wherever you are.

5. Keep your system updated and get a quality security app if available.
You phone is a little computer. Old software can have vulnerabilities that can lead to mobile malware trouble. Take any software update your provider or phone manufacturers offer. And keep your apps updates. For the kind of protection for your mobile you’ve grown to expect for your PC, consider mobile security software. You can try F-Secure’s Mobile Security for free.

Cheers,

Jason

Share this

But for most of us, we’re willing to trade a litte of our privacy for a service we like, or a little company.

Thorin Klosowski recently published a piece on Lifehacker called “Living in Public: What Happens When You Throw Privacy Out the Window”. In it, he describes how he, a very private person, decided to live his life in public.

For three weeks, Thorin shared his location through location-based social networks wherever he went. He made all of his activity on his favorite apps public. He allowed all of his Internet activity to be tracked by anyone who wanted to track it.

After three weeks, he asked a stranger to take a look at all of his activity and tell him what she thought. What she said and what Google thought about him (see what Google thinks about you here) turned out to be pretty accurate.

The reason that social networks are addictive, I’d argue, is that they are pretty good representations of who we are in real life. The problem arises as we share we may create evidence online that can look bad out of context—like those party pictures. The old notions of a private self that your boss doesn’t know are transforming drastically every day. Some of it is beyond your control. But there is a lot you can do.

The first thing to do is to think about the tools that may give away your privacy.

Here are a few:

• Social networks—Facebook, Twitter, LinkedIn. Do we need to mention Google+?
• Location-sharing services like Foursquare or posting pictures that include your location data on it.
• Browsing the Internet without turning off tracking tools.
• Allowing services like Google to track your history.
• Apps that encourage social sharing.

How can you limit the privacy you give away?

• Master the privacy settings on every social network you use.
  You always need to keep whom you’re sharing with in mind. And it’s always best to share under the premise that anyone in the world could come across your post. Settings for Facebook may be ‘Labyrinthian’. But settings generally resemble Twitter’s two basic choices: public or locked down. You should also enable two-step authentication tools when available, such as for Google.
• Avoid using private computers or open Wi-Fi networks when you don’t have a VPN running.
• Use strong passwords your friends can’t guess.
• Use tools that stop your web activity from being blocked. Klosowski has a good list of them in his post under the heading “Letting Websites Track and Collect All the Data They Want”.
• Avoid apps that encourage social sharing and turn off location data in your images.
• Keep ALL of your devices patched and protected with the latest system and security software. Our free Health Check makes that easy for your PC.
• Always think before you click publish, post or check-in.

For every free service we use, there is a cost. On the Internet that cost is usually privacy.

You can’t always expect people to respect your privacy. But you can always respect your own.

What tools am I missing that give away or protect your privacy?

Cheers,
Jason

(CC image by Lance Nielsen.)

Share this

What do these trojans do?

Our Chief Research Officer Mikko Hypponen explains, “They lock up your PC, claim that it was locked by the police as you had illegal content on your system and demand a payment to open up the PC.”

So, yes. Your files are literally held ransom (which is a great reason to always have some sort of backup).

The Trojans have claimed to be representing Bundespolizei, New Scotland Yard and the United States Department of Justice. (@Mikko has posted the examples shown here.) Of course, they are actually representing online criminals.

This story has been misreported to suggest that POLICE are actually behind them. Maybe this speaks to our willingness to listen to anyone pretending to be an authority—since who among us hasn’t ended up somewhere online we probably shouldn’t have been?

But, no. Do not be fooled. Criminals are simply exploiting our fear of authority to extort money.

The best way to prevent infection is to keep your PC and your system software patched and protected.

If you do see a screen that resembles one of the examples shown in the GIF above and you are an advanced computer user, you can use our Ransomcrypt Decryption Script.

As much as we all might fear the police, online, it’s the bad guys who are usually out to get us.

Share this

This Saturday, he used his feed to explain in just a few tweets why Internet security is so crucial.

A fellow Twitter user asked Mikko for evidence that people who use antivirus are less likely to be infected than people who do not.

Mikko picked a random sample that F-Secure blocks: 13ddbd794464b9dd47fdd5ad2cdc329f. He explained that it’s a version of the trojan Zeroaccess that’s blocked by nearly all major antiviruses.

And here’s what he found:

His next tweet was “We just saved 452 users whose computer would have been infected otherwise. Feels good man.”

That’s one day, one sample of the hundreds of thousands of malicious files we block. In just a few tweets, Mikko showed why what we do at F-Secure is so important and why following him on Twitter is such a constant treat.

Cheers,

Jason

Share this

Here’s what you need to do to secure your Mac:

1. Use our free tool that detects and removes the Flashback trojan.
Apple has not yet released a tool to remove Flashback. That’s why we’re offering this free tool that does two things very quickly. It detects Flashback and if you have it, it removes it. Follow the steps on the Labs’ blog now.

2. If you run an older version of Mac OS X, update to a current version.
Go to your Apple menu and select “Software Update”. If you can’t update to the most recent release, disable Java in your browser or uninstall Java. These instructions show you how to disable Java.

3. Consider a Mac antivirus.
Mac malware seems to come in fits. Check out this search of our Labs’ weblog to get a sense of how it’s becoming more common. You can hope that Mac’s control over the ecosystem will keep it relatively immune to malware in the future. Or you can take the same advice we offer for every computer you own, keep your system and security software updated. We, of course, offer an Mac Antivirus.

Cheers,

Jason

Share this

F-Secure Labs has laid out the steps to detect and, if necessary, remove the trojan. Advanced users should do that now. Start at step 1.

To prevent further infections, F-Secure Labs recommends all Mac users update, disable or remove their Java client plugin/installation. (Windows users, too. Actually. But for once, we’ll make this post almost entirely about Mac malware.)

How to Update or Disable Your Java in Mac OSX

Update
1. Go to the Apple in the upper left-hand corner.

2. Select “Software Update” from the menu.
3. The program will check for new software.
4. Update all of your software including Java.

Disable

Snow Leopard (Lion doesn’t come with Java by default)
1. In Finder, go to “Applications” folder.
2. From “Applications” go to “Utilities” to “Java Preferences”.
3. Uncheck everything in the General tab.

Safari
1. Open Safari.
2. From the Safari menu, select “Security”.
3. Uncheck “Enable Java”.

Chrome
1. Input the address “chrome://plugins“ into Chrome’s address bar.
2. Scroll down to “Java”
3. Click “Disable” for any instance of Java you see.
4. Use the same procedure to start using Java again, just click “Enable”.

Cheers,

Jason

Share this

To bring us some cheer, Karolina (shown here with her son), an F-Secure fellow from Poland, created this precious little Easter chick (click here to download it). We especially like it as it celebrates some of F-Secure’s successes over the last few years.

It’s a free, fun project to share with your family.

The best to you and yours,

Anna

Share this

This sweepstakes is now closed. Please ‘like’ our Facebook page for updates on more F-Secure news and promotions.

Congratulations to our winner, Earl.

For years, analysts predicted that all of our devices — PCs, laptops, DVD players, mobile phones — would merge into one all-purpose device that would handle everything we do digitally. Surprisingly we are seeing more and more that people are actually travelling with up to three devices — a phone, a tablet and a laptop. All three perform similar functions but provide vastly different experiences.

We’ve discussed the proper way to secure all your devices. So now we have a question for you: For mobile connections, do you use a tablet a mobile phone or both?

By answering this question in the comments below, you’ll be entered to win a Samsung Galaxy Tab 10.1 with F-Secure Mobile Security.

Just read the rules and post your answer in the comments below.

BONUS ENTRY: Want an extra chance to win? Click here and take our quick mobile survey then post the comment “SURVEY COMPLETED” in an ADDITIONAL comment below.

Thanks for your time,

Anna

CC image by 3 Sverige

F-Secure Internet Security 2012
MORE THAN MOBILE SWEEPSTAKES – COMPETITION RULES AND PRIZES

By entering the Safer Shopping Sweepstakes promotion you accept the Official Competition Rules and the Privacy Policy (http://www.f-secure.com/en_US/privacy.html).

If you do not accept these rules, please do not enter this promotion.

1. The sponsor of this promotion is F-Secure Corporation, located at Tammasaarenkatu 7, Po. Box 24, 00181 Helsinki, Finland (“Sponsor”).
2. The promotion will begin at 12:00 PM PDT on April 3 , 2012 and end at 12:00 PM PDT April 19, 2012.
3. This promotion is void where prohibited or restricted by law. No purchase is necessary to enter.
4. 2 prizes — Samsung Galaxy 10.1 16 GB with a retail value of $449.99 and 1 F-Secure Mobile Security with a retail value of $39.99 — will be given as prizes in this promotion at the close of the competition.
5. Only two (2) entries per person per Sweepstakes will be accepted. Each comment posted constitutes an entry. Further attempts made by the same person and entries generated by a script, computer programs, macro, programmed, robotic or other automated means will be disqualified.
6. The winner will be chosen randomly from the people who participated in the competition by commenting on the “More Than Mobile Sweepstakes” page. Sponsor will notify the winner via email. If the winner does not respond within seven (7) days, he or she will forfeit the prize and another winner will be randomly chosen. This prize is shipped to the winner within 45 days of the making successful contact with the winner.
7. The winners are responsible for any taxes associated with receipt of the prizes. Sponsor reserves the right to substitute the prizes with other prizes of equal or greater value if the prize is not available for any reason.
8. Odds of winning the prizes depend upon the total number of eligible entries received.
9. No purchase or software download is necessary to enter or win. Purchase or software download will not increase your chances of winning.
10. To enter, visit http://safeandsavvy.f-secure.com/2012/04/03/more-than-mobile-sweepstakes/ and comment on the post up to two times. To comment you must provide your email address, which will not be made public. Entries are the property of Sponsor and will not be acknowledged or returned. Comments made be edited by F-Secure without explanation. We are not responsible for the content posted or linked.
11. Any entrant who attempts to cheat or tamper with the More Than Mobile Sweepstakes shall be disqualified by the Sponsor’s sole discretion.
12. The name of the winner will be announced via the F-Secure Twitter channel http://twitter.com/FSecure, F-Secure Facebook page http://www.facebook.com/FSecure and F-Secure’s Safe and Savvy blog http://safeandsavvy.f-secure.com/ once the winner has been contacted. By entering, the entrant agrees that his/her name, country and/or picture can be published at F-Secure’s aforementioned channels if he/she wins.
13. By entering, entrants agree to release and hold harmless Sponsor and all of its representatives from and against any and all costs, expenses, claims, demands, proceedings, suits, actions and/or liabilities for any injuries, death, loss or damage of any kind arising from or in connection with i) the distribution of any prize, ii) entrants’ participation in and/or entry into the campaign, acceptance or use of any prize or unavailability of any prize. Prizes are provided “AS IS” without warranty of any kind from the sponsor.
14. Employees of Sponsor and family members of such employees are not eligible to enter.

© 2011 F-SECURE CORPORATION. ALL RIGHTS RESERVED.

Canon PowerShot SX130 IS

Share this

“We never expected anyone to believe that we’d risk alienating our user base in the midst of our company’s IPO. But when we laid the seeds for what we hoped would become a legendary April Fool’s six months ago, many people ate them right up.”

During the first stages of the so-called Timeline, thousands of people signed up as Facebook developers just to play with the new look.

“We thought then, we better come up with something operational, just to keep it going. Then it just kept snowballing and snowballing till today.”

Facebook says that those who have opted into the new look will be allowed to keep it. The rollback will begin at the end of business April 1.

“When people and companies started uploading content from their entire lives, at first we were worried,” Zuckerberg wrote. “We were sure no one would do that. Then analysts saw this further proof of the site’s stickiness. The FTC actually complimented us for once on the privacy measures. At the end of the day, someone should have ended this thing months ago. But here we are on April 1.”

Many Facebook members are cheering the news. Others are smirking. Several of the 45,567 members of the “Timeline Must GO AWAY” Facebook group announced that they had never really believed it was coming. “H8ers can H8 but I was right,” said user Maggie Simpson.

We at F-Secure had taken the Timeline extremely seriously offering “4 Things You Should Do as Soon as You Get Your New Timeline”.

We’ll now add a fifth thing to the list: Blush.

Cheers,
Jason

Share this

Are we letting our ecological footprint grow out of control? What kind of planet we want leave to the next generations?

A warming planet alters weather patterns, water accessibility and food suplies. It also threatens a sustainable way of life for us and the world’s wildlife. At F-Secure, we believe it’s our responsibility to leave our children and their children an environment where they can thrive.

Earth Hour is a global call to action for individuals, businesses and governments around the world to unite against the climate change.

F-Secure will participate in this weekend’s Earth Hour movement. All of the lights in our Helsinki headquarters will be turned off between 20.30 and 21.30 local time on Saturday evening. It’s a small step but an important reminder that we can all do our part individually and together.

We invite you to join Earth Hour to help protect the irreplaceable earth we all share.

This earth will grow cold,
a star among stars
and one of the smallest,
a gilded mote on blue velvet

I mean this, our great earth.

This earth will grow cold one day,
not like a block of ice
or a dead cloud even
but like an empty walnut it will roll along
in pitch-black space …

You must grieve for this right now
–you have to feel this sorrow now–

for the world must be loved this much
if you’re going to say “I lived” …

-Nazim Hikmet

Cheers,

Ulla

CC image by  Mișu Trașcă

Share this

Share this

As Billy on our Facebook page points out, asking for a private password would certainly violate the rights of citizens of the European Union. And even in a country where this might be legal, it seems to violate every notion of both privacy and security.

As a basic rule, you should not share your passwords with anyone. For the accounts that matter to you the most, you should choose a unique password that cannot be guessed. We recommend this system.

Lawmakers in the US have tried to make sharing a password to a content site such as Netflix illegal. But might there be some instances where you’d want to share your password.

For instance, 1 out of 10 people in the United Kingdom reported that they included their passwords to their online accounts in their will. And certainly some couples share their passwords with each other. And some parents make sure they know their kids’ passwords. These personal reasons for sharing passwords are up to a family’s discretion.

But when it comes to professional life, no one needs to know your password – including your boss.

Can you think of a situation when you’d share your password with an employer?

Cheers,

Jason

CC images by woodleywonderworks

Share this

Mobile Threats Motivated by Profit, 2004-2011

“The most credible threat is coming from hackers who want to profit monetarily with their attacks. And right now we’re seeing more profit-motivated mobile malware than ever before,”  F-Secure’s Chief Research Officer Mikko Hypponen said, in the Mobile Threat Report Q4 2011 (Available here).

Since 2009, more than half of mobile malware has been profit-motivated. Do you remember  what was happening in the mobile world around 2009? The Android mobile platform emerged and has since replaced Symbian as the mobile OS most often targeted by mobile malware.

From the Mobile Threat Report: “Android malware continues to expand rapidly in the fourth quarter of 2011, with malware originating from Russia forming a significant presence in the scene.”

Mobile Threats by Platform, 2004-2011

You’ll notice that while the iOS platform that powers Apple devices has expanded exponentially but it has not experienced a boom in new malware targeting it. F-Secure Labs has credited the security approvals required for placement in Apple’s AppStore for keeping malicious apps to a minimum. Mobile malware that affects jailbroken iPhones but the Labs does not expect an iOS malware boom.

What does a boom in malware look like?

Notice a trend? That’s why we recommend that you secure your Android phone the way you do your PC. You can try our Mobile Security for free.

Cheers,

Jason

Share this

Since the winter of 2011, Facebook has been slowly rolling out its new profile look to the nearly one billion people who use the world’s largest social network.

Facebook has indicated every user will be forced to move over to the new profile look called Timeline. All Facebook brand pages now have the look but Facebook is still rolling it out to profiles. (To get it now, go here and click “Get it Now.”) Some will be annoyed by this change, of course. They’ll note that the old profiles worked and there are some unforeseen consequences that raise privacy issues. This inevitable when Facebook makes changes that affect so many people.

But the world’s largest network seemed to learn a valuable lesson from its vanquished competitors Friendster and MySpace: change happens. Unless they continually give users fresh new social experiences, their users will move on.

The Timeline is definitely new. Looking at the Timeline from a social media security and privacy perspective alone, I say that the new Timeline and the updated privacy settings Facebook put in place in late 2011 are both improvements.

The average Facebook user is “friends” with well over 100 people. Add that to the 100 pages more users like and you have an account that is out of hand. Sensing this, Facebook has made it easier than ever to unlike the people and pages you no longer wish to connect with.

The rollout of the Timeline gives you the perfect opportunity to take control of your Facebook and edit your account. (It also gives you a space to post a cool cover photo, which is completely optional.)

Here’s what you need to do now:

1. Decide if you want to hit the “reset button”.
The goal of Timeline is to make your life story available to as many people as you are willing to share it with. Facebook has reduced its privacy options to three levels.

They’ve eliminate “Friends of Friends”, which leaves some of your posts in a limbo. To make up for this, they’ve added what I call the “reset button”. You can with one click turn all of your past public and “Friends of Friends” posts into “Friends Only”. If you do this, you can reverse it. You’ll have to adjust each post or picture individually.

If you are a privacy minded person, hitting this button is a great idea and a great way to start your new Timeline. To do this:

a. Go to the arrow in the upper right corner and select “Privacy Settings”.
b. Next to “Limit the Audience for Past Posts” click “Manage Past Post Visibility”.
c.Then click “Limit Past Posts”.

2. Audit your Friends.
The best way to get a better news feed free of spam and distractions is to only people who share content you’re interested in.

Now that you have the Timeline, you can access your friends list easier than ever. Best of all: by simply scrolling over their images, you can unlike anyone quickly. Here’s how:

a. Go to your Timeline and click on your Friends navigation.
b. Put your mouse over any of your Friends’ names. This box will come up.
c. Put your mouse over the “Friends” box.
c. You can choose “Unfriend” or if you don’t want the person to have any idea you don’t want his or her updates, just click on “Show in News Feed”. This will automatically unsubscribe you from their updates. You can get pretty granular about which updates you want. This makes your Facebook life infinitely more complicated.

Facebook is simplest when you think of friending as an all or nothing thing. Either you want to stay in touch with someone or you don’t. If you don’t, unfriending is the best bet.

Go through your entire Friends list and get rid of anyone you don’t want to be in contact with. You can always go back and friend someone again if you make a mistake.

3. Audit your “Likes”
Unfortunately, Facebook does not make it so easy to stop following the pages you’ve liked.

Click on the Likes button. If the page happens to fit into the categories of music, books, movies or television, you can easily put your mouse over the page name, then the “Liked” button and choose unlike.

If you want to unlike any of the other pages you’ve liked, you have to scroll down the Likes page. There you’ll see the pages you’ve liked listed by the year you liked them. To unlike these pages, you have to open them in a new tab and click and the “Like” button there. Then click unlike. This process can take a long time.

Why did Facebook make it so easy to unlike friends and not pages? You probably would guess, as I have, that they’re doing businesses a service. The ads business buy on Facebook often use people who like a page to target their friends. Facebook is a business and this is a design that helps that business more than it helps you. Still, it’s worth taking a look at the pages you’ve liked to decide which you want to get rid of.

4. Audit your apps
Facebook’s new Timeline aims to make the music and media you consume part of your profile. For this reason, some apps—such as Spotify and Goodreads—have the ability to post directly on your Timeline.

Apps, like most software, come with terms and conditions most people skip over. Often, we have no idea how much access an app has to our private data. That’s why it’s always a good time to edit your apps to get rid of ANY that you are not using. Here’s how to do it.

a. In the upper right corner of your Facebook page, click on the arrow
b. Select “Privacy Settings”.
c. Scroll down to “Apps and Websites” and click on “Edit Settings”.
d. Under “Apps You Use” click on “Remove unwanted or spammy apps.”
e. Click the little blue x on the far right for any app you do not use.

Share this

What is Ransomware?

It is malware that upon infection expands Internet Explorer to a full screen (F11). Ransomware then displays a message claiming to be from a local police unit. The message usually states that your computer has been used to browse sites containing child and animal abuse. It also might claim that your PC has been used to send e-mail spam on topics related to terrorism. Or you may be accused of piracy. Thus your computer has been locked until a fine is paid.

It’s scary and the Labs has seen it in Finland, Germany and various other European countries. As with all malware, if it works, it will end up all over the world eventually.

The Labs reminds you: “If your computer is ever compromised by Ransomware, do not pay anything to the malware authors.”

In almost all cases, paying the fine does not free up your computer anyway. Also remember that neither the Finnish police nor any other Police in the world uses Paysafe, Ucash, PayPal or any other prepaid billing systems for fines. If any message is demanding your credit card or any other payment method it is most certainly a scam and not legitimate government official.

How can you prevent ransomware?

1. Keep your PC updated with the latest system and security software. Our Health Check makes that easy.

2. Especially update your Acrobat PDF reader to the latest version, or switch to another PDF reader.

3. Update your Java runtime. Or, if you do not need Java, it is highly advisable to uninstall it. If you do need Java, at least consider disabling it within the browser when not in use. Or, switch to Google Chrome which will ask before Java is executed from unknown sites.

Cheers,

Anna

Share this

Many users see the permissions apps ask for as something we just have to click through in order to get to the software they want. But these permissions have real world consequences. You’re giving developers an opening to your contacts, your communication and more.

The best solution is to stick to official marketplaces and developers you trust. And always check the permissions when you’re installing an app.

You can go back and check the permissions on your Android apps by going to going to Settings > Applications > Manage Applications. Select your application and then scroll down. Don’t like the permissions you’ve granted? Delete the app.

Apps are playing an increasingly large role in our lives. Phones have apps. Browsers have apps. Even your apps have apps. You should regularly check your Facebook Apps and your Twitter apps, for instance, and remove any that you are not using. If you invite an app in to your life, it’s your job to make sure that it behaves.

Cheers,

Jason

CC image by Johan Larsson

Share this

Here are a few precautions that will help protect you on all the laptops, desktop or mobile devices you use.

1. Keep your system and security software updated
This is a tip we always recommend for PCs. But it’s especially important on mobile devices and Macs too. Several important security updates have been included in recent updates of OS X. Our Mobile Security is available for Android, Symbian and Windows Phones. Research to find the best security for your device and keep it up to date.

2. Back up your device
A piece of content that exists only on one local hard drive is a piece of content at risk. Use some method of backup for your computers. If your phone has a backup capability enable it. If it’s available for your mobile, we recommend you use some remote lock software. Our Anti-Theft for Mobile is free. This way even if your device is out of your control, you can still protect your private data.

3. Get your software from a reliable source
For mobile phones, use official markets or vendors you know and trust. Never install software that suddenly appears on your computer or a mobile. You can give a criminal full access to your computer with the wrong click so take downloading and installing seriously. So don’t be afraid to take to cancel and research a product before installing it

4. Watch where you click, especially in emails
Most of us know never to open attachments we don’t expect in an email. But the links in an email can lead to a malicious site or a scam. Phishing scams have new power on mobile phones where we expect web pages to look strange and unfamiliar. Avoid clicking the links in emails you receive, especially from your bank. Go directly to the site you need to use or even call your bank directly if you have a question.

5. Keep your devices and accounts secure
Lock your computers and devices when you aren’t using them. And use a strong, unique password for all of the accounts that matter to you most.

The good habits you’ve picked up from being a smart PC user will benefit you however you connect to the web.

F-Secure’s new Safe Anywhere gives the world’s leading operators and ISPs the ability to protect PCs, Macs and mobile devices with one award-winning solution. Find out more about Safe Anywhere here.

Jason

CC image by LGEPR

Share this

Our corporate product F-Secure Client Security has just won the BEST PROTECTION 2011 AWARD by AV-TEST. AV-TEST is an independent testing organization that evaluated 7 corporate protection products throughout 2011.

All of our security products, including F-Secure Internet Security 2012, are based on the same technology as the award-winning F-Secure Client Security, which is why this is a time to be proud.

This award means we are continuing the success we have had in the past years with our security products. And now we are also the leader in protecting corporate customers.

While I’m being immodest, I can’t forget to add that F-Secure Internet Security 2012 has also won many awards, including AV-Comparative’s Top Rated -award, and 1st positions in com! -magazine’s comparative review and CHIP Magazine’s comparative reviews in Germany, Netherlands and Italy.

And to be even bolder, we plan on continuing to improve our security products so we can stay ahead of all the threats facing our customers.

Find out how you can get best protection for your business with F-Secure Client Security.

And if you don’t yet have our award-winning Internet Security protection, try it for free.

Cheers,

Anna

Share this

The fact is millions, if not billions, of relationships have begun online. And that number is growing as the lines between offline and online merge.

Online dating is an especially interesting issue for us because it merges many of the issues we think about most: security, online safety, content control and social networks.

The fact is by “putting yourself out there” online, you do open yourself to risks you might avoid otherwise. You may also open yourself up to the person you’ll spend your whole life with. If you want to give it a try or try it again, we recommend a few precautions.

1. Trust your instincts.
A rule of dating that is often mocked is “Be yourself.” It’s so vague and unhelpful. But what people seem to be saying is “Trust you gut.” If something gives you a bad feeling, if you regret signing up for a site, if you regret making a date, step back. The great thing about dating online is that you’re increasing your options. So don’t worry about blowing one opportunity. If something gives you a bad feeling, back off and apologize. Don’t be afraid to cut off contact or even erase emails before you open them. It’s your gut, protect it.

2. Remember that the Internet never forgets.
Anything you do online creates some sort of data trail. Any message you send can be made public. Any picture you post can be reposted. In the past, only celebrities had to worry about their private activities being made public. Now we all do. So imagine that anything you share could go public and definitely close any accounts once you’re done using them.

3. Secure your PC.
When using any social network, you should make sure all the applications and your security software are patched and protected. (Our Health Check makes that easy.) Also keep in mind that by putting your email out in the world, you’re making yourself more vulnerable to email scams. For this reason we recommend never clicking on the links in emails.

4. Get the low down.
Talk to your friends who have tried out online dating. Ask them for their tips and regrets. If you don’t feel comfortable chatting with someone you know, Match.com has a nice list of all the possible safety precautions you should be taking. Also, Google the people you’ll be meeting, and their email addresses. You may be surprised at what you find.

5. Go the extra mile.
The Electronic Frontier Foundation recommends, “Get a throw-away email address, avoid using your name, and avoid paid sites that would elicit your credit card number and billing information. To maintain the highest levels of privacy, consider taking steps to obfuscate your IP address, such as using a VPN.” Also, you should use https on secured networks whenever possible. Keep in mind that any site you trust with your data is only as good as its privacy policy and its word.

Cheers,

Jason

CC image: Julien Haler

Share this

Here’s how Facebook states the ownership of your content in its terms and conditions:
You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.

So, by posting content or information, you grant Facebook the license to use your content in accordance with your privacy and application settings. That means unless you’ve set the setting for a piece of content for “Custom” > Only Me”, someone can see it.

If someone can see your content on Facebook, they can likely copy it or capture it in some way. You’ll still own the content, but you may have lost control of it. In fact, even if you delete your pictures on Facebook, they still may not be technically deleted.

Your name and image are even set up by default to show up in Facebook’s advertising shown to your friends. (To adjust this, go to “Account Settings”> “Facebook Ads” > “Edit social ad setting”.)

This why a good rule of thumb is: Don’t post anything on Facebook you would not like to see go public, even if your settings are completely locked down.

(And if you’re in the US, you should take extra care not to post anything negative about your employer using your employers’ computers or mobile devices.)

The issue of who controls our content is likely to become more controversial as the cloud makes it possible to store, sync and share content from any PC or device any time. People want access and the ability to share. But they want to do so without giving up control of their irreplaceable images, videos and documents.

This is why F-Secure has created Content Anywhere.

Content Anywhere is a safe personal cloud service provided through operators and ISPs that makes accessing your content wherever you are easy. With Content Anywhere, Internet providers will move beyond being ‘data pipeline’ to become the ‘king of the content cloud.’

We’re looking forward to sharing more about the our move into safe cloud technology, which we believe is the future of sharing and enjoying your content in a smart and secure way.

Cheers,

Jason

CC image credit: jurvetson

Share this

Banking Trojans have been around since at least 2007 and they have become part of our everyday lives. In recent months, ZeuS Trojans have targeted to Finnish banks, resulting in financial losses for hundreds of customers. The success of these trojans has been startling and similar attacks are occuring around the globe.

How does a ZeuS Trojan work?

First, a trojan has to find a computer that is not fully protected. Once it infects a PC, the malicious software sits waiting until it is activated when a customer establishes an online connection to his or her bank.

When this happened to customers in Finland, they saw a message that said, “We are sorry, there is an error and we are working to fix it.” At that point the attack is a success. Personal information provided by the customers can then be exploited and cash transfers can then begin. Often customers do not even realize that they’ve been attacked until long after the transfers are made.

F-Secure’s Labs’ Threat Research Team has been investigating banking trojan cases for more than half of a decade. F-Secure’s Security Advisor Sean Sullivan says: “While Finnish banks have excellent safeguards and protections, we should remember that some of those protections are almost 20 years old. Cyber criminals have had plenty of time to work out new strategies.”

What can we do to protect ourselves?

Here’s Sean’s advice:

1) Don’t panic. It’s a real problem, but no more so than getting your pocket picked in the real world.

2) Keep your software up to date, and uninstall that which you don’t use. (e.g., Java). We recommend F-Secure’s Internet Security 2012, of course.

3) If you feel there’s something unusual about your online banking experience, call your bank and chat with their support. They are more than happy to help you!

Cheers,

Anna

CC image by: BFS Man

Share this