Ask Erka Koivunen anything for #CyberSecMonth

European Cyber Security Month (or National Cyber Security Awareness Month as it’s known in the US) is just around the corner. And considering the recent disclosure of Yahoo’s massive data breach, it seems like a good time for companies to give some consideration to their cyber security policies. One person glad to see it arrive is F-Secure Cyber Security Advisor Erka Koivunen. Erka, who’s advised people, companies, and even governments on how to protect themselves from online threats for years, wants to let people know that security is more than relying on the latest technologies or devices for protection. It’s just as much about processes and practices as it is about technology. That’s why Erka is participating in an “Ask me Anything” session on Reddit called “How to Create a Culture of Security.” Erka will answer your questions about what you, your colleagues, and your boss need to know about being hacked. Plus, Erka will be joined by Cosmin Ciobanu from the European Union Agency for Network and Information Security (better known as ENISA, the organizer of European Cyber Security Month) to provide some additional insights on how to improve security in workplaces around Europe. This will be Erka’s second AMA, having previously fielded a range of questions about online privacy in an AMA conducted last Data Privacy Day. The AMA session will kick off at 8 AM EST/3 PM EET on October 4th. We’ll update this blog post with the link as soon as it’s available, so check back here so you don’t miss out.

September 30, 2016

Wherever You’re Connected, You Should Be Protected

Protecting yourself on the internet used to be a lot simpler -- mostly because you weren't always on the internet. Now we can be online from when we wake up until when we go to sleep. We seamlessly shift from chatting to shopping to banking -- rarely sticking to one device or platform for too long. Most of us aren't just a Mac or PC or an Android anymore -- we're all of the above. "I, and I think most people, have a cross-platform household – I use several different devices with different operating systems on a daily basis," F-Secure security advisor Sean Sullivan explains. The old paradigm of just protecting your PC or your phone can leave your devices exposed to threats. And even the best security software in the world won't protect your public Wi-Fi connection from being snooped on, possibly exposing your most private details, including passwords. That's why we've launched F-Secure total security and privacy, which combines F-Secure SAFE and F-Secure Freedome. F-Secure SAFE is a multi-device internet security suite that protects all your devices. Freedome is a VPN that offers a simple way to encrypt your communications over public Wi-Fi and change your virtual location to access geo-blocked sites and services while blocking malicious websites and online tracking. You can still purchase F-Secure SAFE and Freedome separately. And there have been recent improvements to both, including: silent upgrades that ensure SAFE is automatically updated; parental controls now available on all supported SAFE platforms; and the ability to create Freedome Wi-Fi hotspots with Android devices while VPN is turned on. "Buying separate products to protect iOS, Windows, Macs and whatever else isn’t just expensive, but it means you have to get used to different pieces of software designed to do the same thing," Sean explains. F-Secure total security and privacy is now available for a free trial here.
If you're a current SAFE customer, you can't upgrade to total security and privacy but you should receive a discount offer for Freedome. "Bundling protective measures into packages to run on different devices is more economical and more user friendly, both of which are good for security." Cheers, Sandra [Image by Hans Kylberg | Flickr]

September 27, 2016

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily, because fake accounts used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device.
You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]

September 23, 2016

Latest Posts

Freedome

We recently invited our active Twitter community to ask us anything that came into their minds about privacy, VPNs and all manner of related topics. The Twittersphere didn’t pull any punches, and among the great questions was one asking us to make our case for our own existence: What are the reasons to pay for Freedome and not use some free privacy solution? Well, here’s a few we think you'll be interested in.

1. Connection speed / bandwidth

Everyone wants security and privacy, but NOBODY wants it at the expense of a sluggish connection. Running a VPN takes a surprising amount of servers and bandwidth, and these resources have to come from somewhere. So if you don’t want your internet connection bottlenecked by a VPN server coughing out modem-speed traffic like an asthmatic robot, you might want to consider a paid option. Next to connection speed, bandwidth size is the biggest prerequisite people tend to have. Maybe it's the fact that we're based in Finland where the concept of data caps is very uncommon, but putting any sort of bandwidth limit even into the free trial version of Freedome was never truly considered. Unlimited bandwidth for all!

2. Our business model is giving you privacy, not taking it away

When any online service claims to be free to its users, there is often a catch. There are exceptions (like Troy Hunt’s awesome Haveibeenpwned to see if your passwords have leaked), but most will ultimately take payment... in one form or another. This can come in the form of tracking you for advertising purposes, or even selling your bandwidth to hackers. Be careful of free services and make sure you understand what you're giving in return. For instance, our iOS developers created the free F-Secure AdBlocker, and we were quite open about the fact that we were using the app to raise awareness of Freedome. Sometimes the trade-off is worth it for the customer, sometimes it is not.

3. Publicly listed company

One of the threats facing consumers looking for a VPN is shady companies that operate in the privacy market. Freedome was conceived by a startup team within F-Secure, a company with a 25+ year spotless reputation among consumers. Without even considering ethical implications, making sure we keep the trust of our stakeholders is vital to our continued existence as a company. When you use a service to encrypt your traffic and handle your data, there is no choice but to place trust in that service. We try to be as open about our ways of operating as possible, but ultimately, the choice of where you place your trust is yours and yours alone.

4. Based in a country where the law is on privacy’s side

If suspect business practices present one threat to consumers looking for privacy, so do the overly intrusive governments in the countries where VPN providers are based. The U.K. is working on the Investigatory Powers Bill (more often referred to as the "Snoopers Charter"), the U.S. has an extremely spotty history in keeping their hands off people's Internet traffic, and Russia is increasingly tightening their control over what people say online. Thankfully, Finland is considered a pioneer when it comes to consumer-friendly online privacy laws. It is a great benefit both for us as a company and our customers that we have the law on our side when it comes to putting digital rights of consumers first.

5. It's just a better and prettier app

Being part of an established online security company like F-Secure gives us access to a lot of resources. When you pool this together with the startup mentality of the Freedome team, you get a new kind of security app that packs features unavailable in other similar products. Freedome uses F-Secure's own security cloud to access a constantly updated list of online tracking servers and malicious sites to block them for your protection.

And finally, what Anni already touched upon in her video answer: It's light, intuitive and very easy on the eyes. Words like "VPN" and "encryption" might bring into mind a clunky & unfriendly interface, but we wanted to challenge that. Everything from setup to turning it on is done with a single button. [youtube https://www.youtube.com/watch?v=rX3FFNAl4hI?list=PLkMjG1Mo4pKL0JFjRTd4vCvK4An5QTp5D]

September 30, 2016
android_wi-fi

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection. From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way.

Tethering with VPN is now possible

This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen.

Instructions on setting up a portable hotspot

The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple.

1. Download Freedome VPN on your Android
2. Turn on the portable hotspot feature from your Android settings

Keeping it simple, as usual!

A note on privacy

It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. According to Freedome Product Development Director Harri Kiljander: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore.” In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016
webcam

If you don't want to read the manual for the new Wi-Fi-connected device you just installed in your home, do yourself a favor and at least check how to change the default password. A new report finds that more than 100,000 devices in the United Kingdom alone could possibly be accessed by peeping strangers. How is this possible? "Two words," explains F-Secure security advisor Sean Sullivan. "Default settings." Most consumers don't seem to imagine that their baby monitor, webcam or Wi-Fi router might be targeted by a hacker. "That’s called security through obscurity and it just does not work," Sean explains. "There are 'deep-web' search engines -- such as Shodan -- that routinely scan for devices on the Internet. And just about anybody can find interesting things there that shouldn’t be publicly accessible but are." Often all online intruders need to do is type in the password that the manufacturer sent the device out with. "You need to change the webcam’s password to something complex and unique," he says. "Don’t worry about having to type it all the time, you’ll probably only need to configure the associated mobile app once. And then the app will remember the password for you." This one simple step will greatly reduce your risk of having your devices hacked. Still, many of us won't do it. The time to get rid of this terrible habit of leaving default passwords untouched is now, before our homes become so overrun by Wi-Fi-connected devices that hackers begin to devote serious resources to this sort of intrusion and possibly find some convenient way to monetize it. So don't let your fear of not being able to remember the passwords for all these devices become the weak link in your security. "Once you’ve set your secure password, store it someplace safe for future use," Sean says. He suggests using a password safe like F-Secure KEY or a piece of paper in a secure location in your home.
Just don't store it anywhere in sight of a webcam that still is using its default password. [Image by DAVID BURILLO | Flickr]

September 22, 2016
Self-driving bus and security

Recently we had the unique opportunity to do something few people in the world have ever done - go for a ride on a "robot bus." A self-driving bus has taken to the open road in Helsinki as a test project, and it's not far from the F-Secure headquarters. Harri Santamala of Metropolia University of Applied Sciences is project leader, and he was keen to meet the cyber security experts at F-Secure. I went along with the guys to film our ride in Periscope. The city of Helsinki has the ambitious goal of making car ownership completely unnecessary within a decade, and the self-driving bus is part of that plan. This particular bus pilot is literally one of the first open road demos worldwide. And anyone who wants to can jump on board for a ride into the future of transportation. "On the open road we can learn more in a week than we can on a closed road in a year," says Santamala. We waited at the "robot bus stop" under the sun - a perfect day for a ride along the waterfront. The bus arrived, somewhat resembling a breadbox on wheels. We climbed in and off we went, rolling along at 11 km per hour (it's capable of doing 40). A couple of cars passed us, impatient at our pace. An "operator" stood at the ready as a failsafe in case anything should go wrong. Looking years into the future, when self-driving tech is mature - will a human need to be involved at all? Harri compares the tech to an elevator: In the beginning, elevators used to have human operators to push the buttons and control the ascent and descent. Nowadays elevators have no special operators, but there is still a remote person on call in case anything should go wrong. "The worry was if you give the power to regular people they're just going to crash it into the floor or something," said Janne Kauhanen of F-Secure Cyber Security Services. "But then we figured out a way where the person in the elevator can't drive it into a wall, even if he wants to.
You just press a button for a floor and the automation takes you to that floor. So if there were no legal requirements to have an operator in charge, why would you need that? The vehicle could just make the driving decisions independently without the need for anybody to control it." A future of self-driving cars sounds pretty amazing. Traffic accident deaths could become a thing of the past, like dying of smallpox. When traffic is automated, traffic jams could become part of the "good ol' days" too. No more being stuck in rush hour traffic. But there are still plenty of security issues to figure out. And while the most obvious one is making sure a hacker can't take control of the vehicle remotely, F-Secure security advisor Sean Sullivan adds that in the case of an automated bus network, denial of service attacks would also be a major concern. "If the goal is to have such good public options that I don't need to own a vehicle, then I'm screwed if the public option is unavailable," says Sullivan. "So, it would be a natural target for an extortionist to threaten the city or the organization running the service." Sullivan says vehicles on set routes could probably deal with common DDoS worries. But a system that attempts to provide on-demand services would be cloud-based, so the bus would need to be able to talk with its C&C server. "Scaling such services will require a robust network and good security to prevent any unauthorized control." You can catch the Periscope video of our self-driving bus ride here.  

September 21, 2016
pi

This summer has ended with a few database breaches that have leaked more than a hundred million passwords onto the internet. And, as usual, it feels like there's nothing we can do about it -- except check to see if you've been pwned. Ah, but there is something you can do to prepare for the next breach, explains F-Secure Labs lead researcher Jarno Niemelä. "The trick is to use a really long random string for a password," he tells us. "The password length should be at least 20 characters, but preferably 32." Criminals who attempt to crack the password databases use various forms of attacks based on words found in the dictionary. This method usually works quite well because so many users pick terrible passwords. "Humans in general are really bad password generators," Jarno says. "No matter how unique you think that your password is, its components are still likely to be in some dictionary, and a powerful cracking cluster will come up with exactly the right combination." But there are a few catches for this tip -- and two of them depend on the security practices of the service you're using. First, the site or app has to accept long passwords, and then the developers behind the software have to use some kind of "hashing" for the passwords they store. Hashing employs an algorithm to hide passwords so they're not stored in clear text. It's a relatively basic practice that you can figure most reputable companies will employ. (And Jarno actually recommends developers take further steps to protect passwords.) "So you as a customer cannot affect what kind of password storage the service providers are using," he says. "But you can still frustrate all but the most advanced attackers' efforts by using long enough random passwords." So now you may be thinking, "Great! I have uncrackable passwords. They're also impossible to memorize." Jarno recommends "some form of password storage" -- like F-Secure KEY, which you can use on one device for free.
Many password lockers like KEY will help you generate extra long passwords, too. "Also it might be a good idea to use a unique user name per service, and maybe a unique email for critical services," Jarno says. "The unique user name will give you added privacy as you cannot be tracked easily across services." He gives this advice to his own kids to use as they play online games. Jarno also teaches his kids to limit their digital footprint by regularly changing their username or any alias for any game that makes their identities visible. "Better teach them the basics of good OpSec -- operational security -- when they are young." [Image by fdecomite | Flickr]

September 14, 2016