Father lecturing son in bedroom

F2P can cost parents thousands of Euros – read this to avoid it

This is really an old problem, but it’s in the headlines again. Pokémon Go is yet another example of a “free” game with a business model based on in-app purchases. These games are also known as F2P, standing for free-to-play. You can start playing, and get hooked, for free. But soon you run into a situation where you can’t proceed without buying virtual stuff in the game. The stuff you buy is virtual but the payment is very real money. This is no doubt a profitable model. Pokémon Go went straight to the top and for example Finland-based Supercell, maker of Clash of Clans, has constantly reported nice profits. This can naturally cause trouble for addicted adults, but the real problems arise when kids get hooked. There are numerous public stories about kids making purchases for hundreds or even thousands of Euros, often without even understanding how much they have spent. And the sinister part is that this can go on for a while until you get the credit card bill, and it’s too late. Your chances to get a refund are somewhere between slim and none. But how can this happen? Let’s take a look at the most common scenarios. Your kid has set up the new device and created the needed account with Apple or Google. Everything is fine until he or she needs an app that isn’t free. You enter your credit card on the kid’s device and make the purchase, but you don’t pay any attention to the security settings. This may give your kid carte blanche to buy anything he or she likes, and you pay the bill. You have entered your credit card but set up the kid’s store account so that a password only you know is required for every purchase. But there are some convenient settings that allow purchases without a password within a limited time window after the password has been entered. Kids learn very quickly to utilize this opportunity. Let’s assume the same setup as in the previous point, but with the correct security settings. Now the password is needed for every purchase. But the store account is still owned by the kid and the password can be reset. The password reset link will be sent to the kid’s mail or phone number. It’s carte blanche again with the new password. Ok, you create an account you own for the kids phone. It’s tied to your mail and phone number, so the password reset trick shouldn’t work anymore. You put down your phone and head for the toilet. Your kid has been waiting for the opportunity and initiates the password reset request. Your phone is there on the table wide open, with the reset link in the mail. You can figure out the rest yourself. And of course the simple alternative. You think the store password on your kid’s device is secret. But in reality it is either too easy to guess or someone has been looking over your shoulder. So there’s many things that can go wrong, but what can we do to avoid it? There are many ways to fight this problem, but this is in my opinion the best approach: Let the kid set up the store account on the device and set own passwords. Just like an adult would use a phone, except that there’s no payment method registered. Never enter your credit card number on the kid’s device. On Android, get familiar with Google Play Family. This feature enables you to purchase stuff for your kid on your own device. On iPhone, send apps or money as gifts. There may be applications that bypass the store and handle credit card transactions directly. This can typically be handled with vouchers or other prepaid payment methods instead. The application usually guides the users and list all supported methods. Let’s also take a look at the hard way. Follow these instructions if you for some reasons must have your credit card registered as a payment method on the kid’s device. Make sure the store is protected with a good password that only you know. Make sure the kid isn’t watching too closely when you enter it. Make sure the store is set up to require the password every time a purchase is made. Make sure the store account is attached to an e-mail only you have access to. Make sure the e-mail password is decent and not known to your kid. Make sure your phone’s security settings are decent. Use a PIN or password your kid doesn’t know and make sure it locks automatically quickly enough. Even better, do not have the e-mail of your kids store account on your phone. Access it through web mail when needed. So this is after all a quite complex issue. There are many variations and other ways to deal with the problem. Did I miss some simple and clever way? Write a comment if you think I did. And finally. Yes, there’s also many ways to lock the kids out of the store completely. This does no doubt solve some problems, but I don’t think it’s a good idea. They will after all live their lives in a world where digital devices and services are as natural as breathing. They deserve the opportunity to start practicing for that right now. Let them browse the store and discover all the fun stuff. And be part of the group and use all the same apps as their friends. Let them have fun with the phone and learn, even if they will learn some things the hard way. Don’t ruin it for them.     Safe surfing, Micke  

August 16, 2016
BY 
Check your router with F-Secure Router Checker

QUICK TIP: Make sure your internet connection is clean

This has got to be the quickest Quick Tip of all. Literally. With just one click, it's too easy not to do. You know your computer can be infected. But did you know your router can, too? And because most people just aren't aware of it, if your router is compromised, it could stay that way a long time without you ever knowing. Unless, of course, you use our free Router Checker. No need to download anything. Just visit the page and click to start the check. Hacking your router is just one more method attackers use to display fraudulent advertising, spread malware, or steal your private account credentials. It's called DNS hijacking. When you type in a website name, say "cooldomain.com," you're directed to a DNS server that will find the website's IP address - say "44.567.54.69" for example, and display the website you need. But in a DNS hijack, hackers change your router's settings to direct you to a rogue DNS server. The rogue server will give a malicious IP address, purposely directing you to a website that may look like the one you want, but it's not. Here's an example: Let's say you want to log into your bank account. But unbeknownst to you, you're directed to a look-alike website that's not really your bank. You enter in your bank username and password. Now the attacker has your credentials, which he (or she) can use. F-Secure Router Checker makes sure the settings on your computers, phones, and routers connect to safe DNS servers. So what are you waiting for? Visit the F-Secure Router Checker page and click on "Check Your Router." It's too easy not to do.

August 12, 2016
NanHaiShu_blogpost_image

Hadn’t We Figured the Whole Email Attachment Thing Out?

  F-Secure Labs recently released an analysis of the NanHaiShu Remote Access Trojan, which they believe was used to target "government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea." So what does it look like when you're hit with a cyber attack that may involve some of the most powerful nations on earth? This: Pretty harmless, right? But click on that attachment and you've invited hackers -- possibly even attackers backed by a nation-state -- into your network. An attachment owning fools in 2016? The first piece of internet security advice you ever heard was probably, "Don't click on attachments you weren't expecting!"So who'd click on that?! Employees at prestigious international law firms, government agencies and possibly even the world's most powerful political parties. So how is this happening? Maybe it's a lesson that doesn't sink in, no matter how many times you've heard it. Or maybe cyber criminals have just gotten so good at tricking us with them that, like so many old threats, it's new again. Give that this method of infection is being used by attackers at the highest levels of cyber espionage, we have to assume the latter. Where attackers used to send mass emails out with infected attachments hoping to infect just a small percentage of the recipients, these new attacks utilize "spearphishing" techniques. "These are communications that appear legitimate — often made to look like they came from a colleague or someone trusted — but that contain links or attachments that when clicked on deploy malicious software that enables a hacker to gain access to a computer," The Washington Post explained. These emails are carefully crafted or "socially engineered" to seem relevant. Often, as in the case above, they play on our greatest desires, such as money in the form or salary or bonus information. One big reason attackers have gotten so much better at targeting us is that so many of us have decided to make details about our lives public via social media. This is why hackers love your LinkedIn profile. So should you scrub your profile and hide in a time capsule to avoid these attacks? You should definitely be mindful that strangers know more about you than ever and be wary of of strange email that seems overly eager to get you to click on a link or attachment. But these threats are so pervasive and potentially harmful, that they need to be addressed at an organizational level. Our Labs team put together a Threat Intelligence Brief with several recommendations for avoiding RATs like NanHaiShu, including disabling the opening of email file attachments sent from unverified sources as an enforced policy for all installed email programs. That way, you're unlikely to be the weak link that attackers are always looking for.  

August 11, 2016
BY 

Latest Posts

Father lecturing son in bedroom

This is really an old problem, but it’s in the headlines again. Pokémon Go is yet another example of a “free” game with a business model based on in-app purchases. These games are also known as F2P, standing for free-to-play. You can start playing, and get hooked, for free. But soon you run into a situation where you can’t proceed without buying virtual stuff in the game. The stuff you buy is virtual but the payment is very real money. This is no doubt a profitable model. Pokémon Go went straight to the top and for example Finland-based Supercell, maker of Clash of Clans, has constantly reported nice profits. This can naturally cause trouble for addicted adults, but the real problems arise when kids get hooked. There are numerous public stories about kids making purchases for hundreds or even thousands of Euros, often without even understanding how much they have spent. And the sinister part is that this can go on for a while until you get the credit card bill, and it’s too late. Your chances to get a refund are somewhere between slim and none. But how can this happen? Let’s take a look at the most common scenarios. Your kid has set up the new device and created the needed account with Apple or Google. Everything is fine until he or she needs an app that isn’t free. You enter your credit card on the kid’s device and make the purchase, but you don’t pay any attention to the security settings. This may give your kid carte blanche to buy anything he or she likes, and you pay the bill. You have entered your credit card but set up the kid’s store account so that a password only you know is required for every purchase. But there are some convenient settings that allow purchases without a password within a limited time window after the password has been entered. Kids learn very quickly to utilize this opportunity. Let’s assume the same setup as in the previous point, but with the correct security settings. Now the password is needed for every purchase. But the store account is still owned by the kid and the password can be reset. The password reset link will be sent to the kid’s mail or phone number. It’s carte blanche again with the new password. Ok, you create an account you own for the kids phone. It’s tied to your mail and phone number, so the password reset trick shouldn’t work anymore. You put down your phone and head for the toilet. Your kid has been waiting for the opportunity and initiates the password reset request. Your phone is there on the table wide open, with the reset link in the mail. You can figure out the rest yourself. And of course the simple alternative. You think the store password on your kid’s device is secret. But in reality it is either too easy to guess or someone has been looking over your shoulder. So there’s many things that can go wrong, but what can we do to avoid it? There are many ways to fight this problem, but this is in my opinion the best approach: Let the kid set up the store account on the device and set own passwords. Just like an adult would use a phone, except that there’s no payment method registered. Never enter your credit card number on the kid’s device. On Android, get familiar with Google Play Family. This feature enables you to purchase stuff for your kid on your own device. On iPhone, send apps or money as gifts. There may be applications that bypass the store and handle credit card transactions directly. This can typically be handled with vouchers or other prepaid payment methods instead. The application usually guides the users and list all supported methods. Let’s also take a look at the hard way. Follow these instructions if you for some reasons must have your credit card registered as a payment method on the kid’s device. Make sure the store is protected with a good password that only you know. Make sure the kid isn’t watching too closely when you enter it. Make sure the store is set up to require the password every time a purchase is made. Make sure the store account is attached to an e-mail only you have access to. Make sure the e-mail password is decent and not known to your kid. Make sure your phone’s security settings are decent. Use a PIN or password your kid doesn’t know and make sure it locks automatically quickly enough. Even better, do not have the e-mail of your kids store account on your phone. Access it through web mail when needed. So this is after all a quite complex issue. There are many variations and other ways to deal with the problem. Did I miss some simple and clever way? Write a comment if you think I did. And finally. Yes, there’s also many ways to lock the kids out of the store completely. This does no doubt solve some problems, but I don’t think it’s a good idea. They will after all live their lives in a world where digital devices and services are as natural as breathing. They deserve the opportunity to start practicing for that right now. Let them browse the store and discover all the fun stuff. And be part of the group and use all the same apps as their friends. Let them have fun with the phone and learn, even if they will learn some things the hard way. Don’t ruin it for them.     Safe surfing, Micke  

August 16, 2016
Check your router with F-Secure Router Checker

This has got to be the quickest Quick Tip of all. Literally. With just one click, it's too easy not to do. You know your computer can be infected. But did you know your router can, too? And because most people just aren't aware of it, if your router is compromised, it could stay that way a long time without you ever knowing. Unless, of course, you use our free Router Checker. No need to download anything. Just visit the page and click to start the check. Hacking your router is just one more method attackers use to display fraudulent advertising, spread malware, or steal your private account credentials. It's called DNS hijacking. When you type in a website name, say "cooldomain.com," you're directed to a DNS server that will find the website's IP address - say "44.567.54.69" for example, and display the website you need. But in a DNS hijack, hackers change your router's settings to direct you to a rogue DNS server. The rogue server will give a malicious IP address, purposely directing you to a website that may look like the one you want, but it's not. Here's an example: Let's say you want to log into your bank account. But unbeknownst to you, you're directed to a look-alike website that's not really your bank. You enter in your bank username and password. Now the attacker has your credentials, which he (or she) can use. F-Secure Router Checker makes sure the settings on your computers, phones, and routers connect to safe DNS servers. So what are you waiting for? Visit the F-Secure Router Checker page and click on "Check Your Router." It's too easy not to do.

August 12, 2016
NanHaiShu_blogpost_image

  F-Secure Labs recently released an analysis of the NanHaiShu Remote Access Trojan, which they believe was used to target "government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea." So what does it look like when you're hit with a cyber attack that may involve some of the most powerful nations on earth? This: Pretty harmless, right? But click on that attachment and you've invited hackers -- possibly even attackers backed by a nation-state -- into your network. An attachment owning fools in 2016? The first piece of internet security advice you ever heard was probably, "Don't click on attachments you weren't expecting!"So who'd click on that?! Employees at prestigious international law firms, government agencies and possibly even the world's most powerful political parties. So how is this happening? Maybe it's a lesson that doesn't sink in, no matter how many times you've heard it. Or maybe cyber criminals have just gotten so good at tricking us with them that, like so many old threats, it's new again. Give that this method of infection is being used by attackers at the highest levels of cyber espionage, we have to assume the latter. Where attackers used to send mass emails out with infected attachments hoping to infect just a small percentage of the recipients, these new attacks utilize "spearphishing" techniques. "These are communications that appear legitimate — often made to look like they came from a colleague or someone trusted — but that contain links or attachments that when clicked on deploy malicious software that enables a hacker to gain access to a computer," The Washington Post explained. These emails are carefully crafted or "socially engineered" to seem relevant. Often, as in the case above, they play on our greatest desires, such as money in the form or salary or bonus information. One big reason attackers have gotten so much better at targeting us is that so many of us have decided to make details about our lives public via social media. This is why hackers love your LinkedIn profile. So should you scrub your profile and hide in a time capsule to avoid these attacks? You should definitely be mindful that strangers know more about you than ever and be wary of of strange email that seems overly eager to get you to click on a link or attachment. But these threats are so pervasive and potentially harmful, that they need to be addressed at an organizational level. Our Labs team put together a Threat Intelligence Brief with several recommendations for avoiding RATs like NanHaiShu, including disabling the opening of email file attachments sent from unverified sources as an enforced policy for all installed email programs. That way, you're unlikely to be the weak link that attackers are always looking for.  

August 11, 2016
2244532816_2f513f87c1_z

The lesson of almost every big cyber security story of the last year from Ukraine, to the Democratic National Committee to the South China Sea is that everything can be hacked. “Owning an election is gold; being able to influence it is silver; knowing the outcome in advance is bronze,” F-Secure cyber security advisor Erka Koivunen told us. It already appears that there has been some attempt to influence the 2016 election by releasing embarrassing email messages from the Democratic National Committee. So will whoever was behind that attack now go for the gold? And if they do, could they actually steal a presidential election? America's elections are managed on the local level, which means there are thousands of different electoral different systems involved with a single presidential election. That sounds daunting but in two out of the last four elections, the winner was decided by a victory in a single state, which limits the scope significantly. So if a nation-state wanted to intervene in the U.S.'s election and knew which candidate it wanted to win, it would either have to hack several different state's systems or focus on the three swing states that Republican candidate Donald Trump believes will decide the next election -- Florida, Pennsylvania and Ohio. All three key swing states use DRE voting machines for at least some of their voting -- only Ohio requires that the machines provide a paper trail that verifies the votes. Ryan Maness, a visiting fellow at Northeastern University, told Wired that the machines in these three states are in "relatively good shape." It's probably easier to hack a busy office network like the DNC, especially one that hasn't been told it's likely a target of a nation-state attack, than a voting machine because you can rely on the greatest vulnerability possible -- people. But if an attacker can get inside the network of a nuclear facility that's not connected to the internet, it's quite possible that voting machines that dozens if not hundreds of people have access to can be compromised. But the real issue with a cyber attack is that proximity isn't required. This year, Dave Levin, a security analyst was arrested for hacking the elections website of Lee County, Florida. "Yeah, you could be in Siberia and still perform the attack that I performed on the local supervisor of election website," he said in a video explaining why launched the attack. "So this is very important." But hacking a website or online database is one thing. Owning the actual machines is another. "Just based on the fact that many of these voting machines have been around for years, just based on that I could tell you old vulnerabilities that exist in the system,” Tim Monroe, an independent cybersecurity consultant, told BuzzFeed News. If there were some suspicion of a hack, there are some failsafes. Florida audits all its election votes, as does Ohio, which automatically recount provision if the election is close enough “Pennsylvania is of the most concern,” Maness said, “based on the fact they have so many paperless DREs in use.” Trump has suggested that the November election would be "rigged" but his implications have thus far mostly been connected to an attempt to sway the voting with things like debates purposely scheduled to minimize the audience. But even before Trump made the "rigged" suggestion, the U.S. Department of Homeland Security had proposed taking new steps to secure electronic voting. “We should carefully consider whether our election system, our election process is critical infrastructure, like the financial sector, like the power grid,” Jeh Johnson, Secretary of Homeland Security, told reporters. “There’s a vital national interest in our electoral process.” White House Press Secretary Josh Earnest, real name, recently responded to a question from reporters about the security of voting machines by relying on the security by variety argument. “That varied infrastructure and those different systems also pose a difficult challenge to potential hackers,” Earnest said. “It’s difficult to identify a common vulnerability.” So it's clear is that vulnerabilities exist. The question is whether or not a nation-state is willing to invest the resources necessary to go for the gold. [Image by Eric__I_E via Flickr]    

August 5, 2016
Dukes malware, Russian malware, social media malware

Everything old is new again. That's a key point our chief research officer Mikko Hyppönen keeps making when discussing the current online threat landscape. And it's especially relevant when it comes to one of the most controversial stories of the 2016 United States presidential election -- the hack of the Democratic National Committee. If it turns out that a foreign government is actually attempting to meddle a domestic election, this would not be something history has never seen before  -- even if the methodology, brazenness and scale of the meddling might feel new and ominous. F-Secure cyber security advisor Erka Koivunen points out that nation states have long been involved in "information warfare and the age-old use of misinformation, deception and false flag activities." Hacker Andrés Sepúlveda says says he traveled throughout Latin America "rigging major political campaigns." Sepúlveda claims that he "led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help [Mexican president] Peña Nieto, a right-of-center candidate, eke out a victory." And the idea that our growing reliance on information technology makes democracy uniquely vulnerable has been inspiring rumors of attempts to hack U.S. presidential elections for more than a decade, even sparking the imagination of those who believe that Anonymous may have prevented the hack of the 2012 election. Koivunen explained before that if you're involved with politics in 2016 that has international import, you have to assume you're being hacked. Hacking of high level political officials especially during a presidential election is now as predictable as the cyber attacks that inevitably pop up around every Olympics. But "hacked" is such a broad term it's important to distinguish the degrees of hacking. "Owning an election is gold; being able to influence it is silver; knowing the outcome in advance is bronze," Erka says. We have no idea if someone is trying to hack the election systems of a crucial U.S. swing state. But it seems that someone is trying to influence the 2016 election. Wikileaks, the organization that released the data from the DNC hack, has admitted that it timed this leak to do maximum damage the Democratic party nominee Hillary Clinton. And certainly every country in the world is trying to get all the intelligence they can that will help them prepare for the first new U.S. president in eight years. Certainly, the United States would be doing the same thing. What makes the DNC hack particularly newsworthy is that evidence of Russian cyber espionage -- including F-Secure Labs investigation into "The Dukes" gang -- makes is easy to accuse Russians of meddling in the election. And what's even stranger is that one of the U.S. major party candidates seems to be welcoming Russian involvement, at least as a sarcastic jest. So did the Russians hack the DNC, as some experts claim? This is why nation states love cyber attacks: attribution is very difficult to pin down. "Were the Russians in the DNC network? Sure," Mikko tweeted. "Did they plan to do this hack to support Trump? I don't think so." The goal is simply to capture as much information as possible so you can at least win a "bronze," as Erka calls it. "I think the Russians are in the network of the Republicans as well," Mikko added. "They wouldn't be doing their job if they weren't." So why did the information come out? Perhaps they saw a chance to win a "silver." Since they'd already been outed, they decided that they emails were "too good not to use." With the leap from bronze to silver the potential rewards and risks grow exponentially. So does this mean they might go for the gold? Wouldn't you, if you had the opportunity?

July 29, 2016
18528198069_eb3bf5e72f_o

You might know what a VPN (Virtual Private Network) is. But if you’re like many people out there, you probably don’t use one. You should though. And when you finish this blog post, you’ll know why.   A VPN is a private network established over the internet. That might sound complicated, so simply put, a VPN provides security for your device’s internet connection. The layer of security VPNs provide is how you make sure that data you send and receive is encrypted and safe from trackers, hackers and anyone else trying to intercept your data while it’s in transit.   Companies and schools use VPNs to let people connect to local networks from anywhere. And you can also use a VPN to stay anonymous whether you’re at home, at work or school, or using an untrusted public network. And as an added bonus, of course, a VPN also lets you change your virtual location, which can mean unrestricted access to a whole world of content.   So why is online anonymity so important? Who better to answer that than two real Freedome VPN users. And while we can assure you these guys are both real, in keeping with the theme of anonymity, let’s just call them “John” and “Doe”.   “Anonymity is important because I really see it as a human right. Like if I’m looking for things that are really personal, I have the right to stay private and keep that information private,” says John, a university student who’s been using Freedome VPN for three months and counting.   Doe, who is 29 and in the IT industry, has used VPNs before, but recently switched to F-Secure’s Freedome. For him, using a VPN isn’t just about protecting himself today: it’s an investment in the future.   “I’ve never had problems myself, but we know for a fact that there are organizations and people out there right now who are looking to get their hands on our information and identities for whatever reason. This is definitely going to be a bigger problem in the future, and I want to be prepared,” says Doe.   Both John and Doe say that most of their friends in the tech industry are using VPNs right now. But unfortunately, there are lots of people out there who aren’t.   “I really wish people were more aware of the fact that they’re potentially giving away parts of their identity and privacy every single time they go online without a VPN,” says Doe.   John agrees.   “If you think about how people are feeding more and more of their personal information into a wider and wider range of sites, services etc., it’s obvious that the potential risks to our privacy are also increasing,” he says.   John and Doe definitely know what they’re talking about and we couldn’t agree more. There’s never been a better time to take control of your online anonymity. So check out the Freedome VPN site for videos and more info. And don’t forget to tap or click to get yours! [Image by Blue Coat Photos | Flickr]

July 28, 2016

Many people feel that some platforms are more secure than others. And while there may be some truth in that, what’s far more common is that operating systems offer users security features that people choose to use, or ignore. As Micke has pointed out in the past, behavior is often more important for security than product features. So someone with an Android device that updates all the software, sets it up to keep the device and data in their control, and knows how to avoid risky behavior that hackers look for will keep their data safer than an iPhone user that’s never even looked at the settings for their device. And based on what we saw at AltConf2016 – a developer event that mirrored Apple’s last WWDC – it looks like many iPhone and iPad users are making some pretty basic security faux pas. So here’s a few tips iPhone and iPad users can use to protect their devices and data. Don’t forget to forget Wi-Fi networks Unlike Android and Windows Phone, iOS devices don’t let you see your Wi-Fi history. It might not seem like it, but periodically cleaning out your Wi-Fi history is important. We’ve shown in the past that many people configure their devices to automatically connect with Wi-Fi hotpots they’ve connected with before. This leaves them exposed to hackers spoofing Wi-Fi hotspots (which is surprisingly simple and inexpensive to do). So if you’re an “auto-connector”, you should always remember to “forget” public Wi-Fi networks that you use in the odd café, hotel, or restaurant you visit. Because iOS devices don’t let you see your network history, you can’t pick and choose old networks you want to forget. So iOS users have two options: either forget a Wi-Fi network before you leave and walk out of range, or do a periodic network reset to clean out your entire network history. Don’t name your device after yourself During AltConf2016, F-Secure set up a Wi-Fi hotspot to see whether or not people would connect to any available free Wi-Fi. And as we’ve seen in the past, people take their Wi-Fi wherever they can get it. While many people connected and disconnected frequently, it was clear that lots of those people seem to name their device’s after themselves – approximately 80% of the devices that connected included a first name as part of the device identifier. And out of that 80%, 70% of them were iOS devices (Android and OS X devices constituted the remaining 30%). Now, hackers won’t really need this information to “pwn” their victims. But little tidbits like these are great for scams that use social engineering. Fraudsters and tricksters can use something as simple as this to manipulate people as part of a larger scam. It’s tough to say why personalizing devices seems more popular among iOS users than their Android/Windows counterparts. And having unique device names helps keep them separate on, say, a family’s Wi-Fi network that can have multiple people using it at any one time. But using initials or some other way to differentiate them is a better way to personalize your device without necessarily giving tech-savvy fraudsters the opportunity to learn something they can use to scam you. Use app restrictions (they're not just for kids) Earlier in the year, F-Secure Security Advisor Sean Sullivan recommended people change their iOS settings to take advantage of the various restrictions you can use. You can check out his blog post about it here, but basically, using iOS’ restrictions can create safeguards against malicious apps or attacks that try to trick your device into sharing information without your knowledge. Attackers use apps and processes that can run without requiring direct action from users (such as cloud storage services) to steal data. It’s something often seen as part of corporate cyber attacks, so it’s especially important to do this if you use your iPhone or iPad for work. And as my colleague pointed out in this recent blog post, you should already be using two-factor authentication and strong, unique passwords. [Image by Kārlis Dambrāns | Flickr]

July 25, 2016
amazon Echo, voice-activated, internet of things

What's easier than typing, clicking or even swiping left? For most of us, speaking. Until we can get actual USB ports in our brain, our mouths may be the quickest way to make our our desires known to our devices. And as it Internet of Things develops, we're going to be doing more and more talking to machines, including our thermostat, light bulbs and possibly even our drones. Fans of Siri and the Amazon Echo are already familiar with the benefits of a conversational interface. But, as with any new technology that gains widespread adoption, privacy and security concerns are inevitable. We spoke to F-Secure's Cyber Gandalf Andy Patel about what users of voice-activated technology should know as they make the leap into this newer realm of connectivity that has long been imagined by science fiction visionaries from Philip K. Dick to Star Trek's Gene Roddenberry. So are these voice-activated devices listening all the time? Yes. In order for a device to react to a voice command without the user pressing a button to activate the feature, the device must listen all the time. How could this be used against us? If a device streams voice data to a server for processing, a few privacy and security implications arise. If the data is being streamed in an insecure way, it can be intercepted by a third party. If the speech data is stored insecurely, it can become compromised in the case of a data breach. It can also potentially sold to a third party. Speech is processed into text. That text might be stored, it might be associated with its source, and it could also be leaked. When the speech processing service returns data to the device that requested the processing, it could also be intercepted. Are the any real privacy concerns for owners of voice-activated devices? Some companies outsource their speech recognition services and cannot properly account for the processes and collection methods used by those companies. Along those lines, just last year, Samsung TV voice recognition made the news for recording owners' chatter. Voice command systems can also be maliciously hijacked. Last year, a group of French researchers demoed a method for remotely controlling Siri from a distance, using sounds that triggered Siri’s voice control, but that couldn’t be recognized by a human. So what will voice-activated technology look like in five or ten years? Big names are interested in voice control because they attach it to AI and machine learning systems -- which are, in turn, fed by the Big Data they’ve collected -- for an interactive experience. The end goal would be a scenario where you could ask your computer to perform arbitrary tasks in the same manner as on Star Trek.

July 21, 2016