
China Attacks, Backdoors, Wi-Fi Worms, and other Predictions for 2017

2017 is nearly here. People are looking ahead to the new year. And for cyber security experts, this inevitably involves thinking about what threats we’ll all have to contend with in the near future. The possibilities might seem incalculable. But experts know the past always offers clues about what attackers are focusing their attention on. Bad software launched one year becomes a target the next. New, insecure devices become security risks. And so on. So if you’re the betting type, here’s where you should put your money in 2017.

“China will increase cyber espionage ops in the United States”

Russia and their cyber espionage capabilities made headlines in 2016 thanks to their perceived involvement in the recent US presidential election. But China, and the prospect of them using cyber attacks to dig up dirt on the incoming administration, are the threat actors the US needs to start worrying about.

It wasn’t too long ago that everyone was upset about China. The Office of Personnel Management hack disclosed in 2015 was reported to affect as many as 14 million people. It was enough for Obama to push back against China on cyber security matters.

But the new administration seems to be blissfully unaware as to how and why nation-states use cyber attacks to develop their political interests. For example, the incoming national security advisor apparently once had an unauthorized internet connection installed in the Pentagon, basically eliminating the “air gap” used to safeguard one of the US’ most important national security centers. Stuff like this makes Michael Flynn a cyber attack victim waiting to happen.

As for motive, a normal presidential transition would attract China’s attention, as they would like to catch “sneak peeks” or a “behind the scenes look” at the policies and positions of the incoming administration. But this wasn’t a normal election. Trump and his political network caused controversy throughout their campaign. Pulling that thread by digging up non-public dirt can help China gain leverage over Trump’s team, and actually unravel initiatives, policies, and positions that might run against their interests. And China has the motives and capabilities to make this happen in 2017.

-Sean Sullivan, Security Advisor

“We’ll see more DDoS attacks from the internet of things”

The Mirai attacks against Dyn seemed to take many people by surprise. I think the shock value of the attack, which is how I interpreted the massive amount of media coverage the attacks generated, is a by-product of people either misunderstanding or underestimating the threat posed by the proliferation of insecure internet of things (IoT) devices.

All new technologies enter this phase where early adopters begin using them in ways not foreseen by original manufacturers. IoT devices are in this part of their adoption cycle. We’re seeing certain “design flaws” that aren’t apparent when testing these products in a lab or under controlled testing conditions. That’s why we saw one company recall their webcams in the wake of the Dyn hack. They realized that the security flaw in that particular model was something that could be used by hackers, which wasn’t something they considered when designing the device.

So I definitely think IoT devices will increasingly be used for Denial of Service attacks through 2017. But the good news is that I don’t think the problem will escalate beyond DDoS stuff until 2018, when we’ll probably see hackers working to attack device owners through their IoT gadgets. That gives the cyber security industry, regulators, and device manufacturers time to work together to protect the smart environments we’re creating.

-Mika Stählberg, Chief Technology Officer

“The backdoor debate will eat through Europe”

Cryptography is one of the few counterweights to the security risks entrenched in the digital infrastructure we rely on today. It’s a cornerstone of security used to protect the information we entrust to digital environments. By using cryptographic means to safeguard information that’s stored or transmitted digitally, people can trust that their information stays safe from the prying eyes of spies, criminals, and even companies.

Unfortunately, not everyone appreciates the benefits this type of security has for individuals, companies, and society. In recent years, governments have been exploring ways to essentially weaken the ability of IT companies to use cryptography. Apple’s spat with the FBI over encrypted iPhones is probably the best example of how policy makers and IT companies clash over this issue. A more significant (and recent) example is the approval of the so-called “Snoopers’ Charter” in the UK.

In 2017, we’ll see a revitalized push for IT companies to accommodate surveillance needs by weakening the security of their products and services. Politicians in different European nations will follow France’s lead and discuss legal and technical ways to give governments the capability to monitor people’s digital activities. Proponents of these types of regulatory initiatives will clash with those who believe sacrificing security measures such as cryptography will increase everyone’s exposure to cyber crime, foreign intelligence gathering, government persecution, and more.

I’ve testified in front of governments about these issues in the past. And I expect to do so again in 2017.

-Erka Koivunen, Chief Information Security Officer

“Someone will create the first Wi-Fi worm”

2016 saw some developments with internet of things security that I think give some clues about how the threat landscape will shape up next year. The destructive capabilities of botnets and DDoS attacks certainly became more apparent. I think Mirai really highlighted the potential value of targeting internet-connected devices like IoT products and routers, and I think we’ll see this trend continue next year.

Specifically, I think we might see the creation of “Wi-Fi worms” – a type of malware that could quickly spread through an urban area by using Wi-Fi to infect routers. Basically, an infected device would contain code that attempts to copy itself to routers via Wi-Fi connections. Once a router becomes infected, the worm then attempts to find and replicate itself to more routers.

Now, I don’t necessarily foresee this being something used in attacks. It may be something developed as a proof-of-concept by researchers. But we’ve seen more attention being paid to routers and non-PC devices in the past few years. A Wi-Fi worm is a logical extension of what we’ve seen with Mirai, and I think current technologies and tactics have put this within reach.

-Sean Sullivan, Security Advisor

“Man and machine will dominate cyber security”

Commodity malware is becoming less effective against the kind of endpoint protection we have nowadays. You might not think that based on some of the terrible security incidents that made headlines in 2016. But it’s true.

It’s not just about malware anymore. Hackers can take run-of-the-mill, commodified malware and find new and innovative ways to use it. Sometimes this involves social engineering their way into an account with a phishing email. Other times they’re able to find servers that have simply been forgotten by IT admins, and then use those as beachheads to penetrate networks.

Combining artificial intelligence and human ingenuity is how the cyber security industry will combat these threats in the future. Tasks like risk analysis, penetration testing, threat assessments, incident response, and forensics can all be innovated by leveraging the benefits of man and machine working together. And we’ll see industry players and even cyber security startups put a lot of focus on growing their expertise with this approach in 2017.

-Andy “Cyber Gandalf” Patel, Senior Manager, Technology Outreach

[Image by Cambodia4kids.org Beth Kanter | Flickr]

December 8, 2016

Is Anti-Virus Dead? AVAR 2016 Takes The Pulse

"For years, signature-based antivirus detection has been only a fraction of what security companies have been offering... If someone thinks that antivirus being dead is news then we don't know in what world they have been living in for the past five to six years," F-Secure's Timo Laaksonen said -- two years ago!

But the question has remained a topic of constant debate among security researchers, which is why "Is AV dead?" was the theme of AVAR, an annual event organized by the Association of Anti-Virus Asia Researchers (AVAR) since 1998. This year, F-Secure hosted the event and our chief research officer Mikko Hypponen delivered a keynote. The three-day event in Kuala Lumpur tackled the question of AV's demise with sessions like "Is AV Dead - Or Just Missing in Action?" and "Advanced Endpoint Protection Says AV is Dead. Should you?"

[youtube https://www.youtube.com/watch?v=GtegflcYGpo]

When many people -- including Wikipedians -- mention antivirus they're referring to software "used to prevent, detect and remove malicious software" by "relying heavily upon signatures to identify malware."

What's a signature? Now you ask! Once a piece of malware is identified, "a signature of the file is extracted and added to the signatures database," which is either unique to the AV solution or shared with several providers via a common database.

Highly professionalized modern malware is obviously designed to evade signature detection, which has existed for decades.

"All technically minded people know that there aren’t any signature-only endpoint protection products on the market," F-Secure Labs' "Cyber Gandalf" Andy Patel explained in a recent post on the News from the Labs blog. Andy notes that F-Secure's endpoint solutions employ four "non-signature" technologies that go beyond classic signature protection. He adds that "we actually have internal test configurations with signature-based technologies disabled and our products still do a great job at blocking emerging threats."

Why should this matter to you, someone who doesn't reverse engineer malware for a living? Because given the billions of dollars being made in cyber crime and the billions being invested by nation-states in both offensive and defensive cyber tools, the average internet user's best hope for securing her data is finding security that's at least as advanced as the threats it faces. And any industry that doesn't constantly ask if its technology is becoming obsolete is probably already there.

So is AV dead? Maybe. Or, as Timo noted years ago, it's been assimilated like a piece of a much larger puzzle. Because this is the digital age and that's just what happens to most everything.

December 5, 2016

How Far Would you go to Get Free Wi-Fi?

Using public Wi-Fi without a VPN is risky. Lots of people know that. Unfortunately, most don’t give a s**t.

Think about it. People do all kinds of risky things even when they know they shouldn’t. They smoke, drink, eat too much. You get the idea. But when it comes to public Wi-Fi, one of the biggest reasons people don’t care about the risks is because they don’t really know what they are.

Well, we’re going to let you in on a little secret. Ready? Free public Wi-Fi isn’t actually free. In fact, every time you use it you’re exposing really personal stuff like your passwords, search history and waaaaay more.

So why would anyone be interested in seeing your personal stuff? After all, it’s not like your name is Kim or Kanye, right? Long story short: So they can hack you. All it really takes is a few hundred dollars, some easy-to-buy software and a criminal mind. And it happens all the time. In fact, one in ten people will be the victim of an online crime.

We took to the streets of New York to have some fun and prove a very important point. If people actually knew just how much intimate stuff they were giving away on public Wi-Fi, would they? Well, you’ll have to watch the hilarious video to find out. But let’s just say you’d be surprised just how far some people are actually willing to go to get online. In fact, some of the stuff people were willing to reveal in exchange for our free Wi-Fi password (no, we weren’t actually giving away free Wi-Fi) was so risque that it ended up on the cutting room floor.

Risking it all for free Wi-Fi is ridiculous. Luckily, it’s also ridiculously easy to protect yourself with Freedome VPN.

https://www.youtube.com/watch?v=fN7z-XrSQyE

December 2, 2016

Latest Posts


Slush is Europe’s leading and the world’s coolest startup event. Over 15,000 top tech investors, starry-eyed startups and journalists brave the godawful Finnish November weather (blink and you miss the day’s sunlight) to give talks, pitch their ideas, form partnerships and finally wind down at the mythic Slush afterparty.

But the greatest thing you walk away with is inspiration, and here are five eye-opening things we heard on day one. They are not conventional business tips, but instead give insight into the mindset of successful entrepreneurs and offer some exciting glimpses into what technology can do for us.

Shark Tank billionaire gives advice to young people

“Buy less shit so you won’t be tied down to things and can live the life you want”.

Chris Sacca was one of the early investors in companies like Twitter, Instagram and Uber, so this billionaire’s refreshingly anti-materialistic attitude driven by soft values was a welcome change from attitudes prevalent in the business world. Sacca also called Finland’s free education system a huge competitive advantage and praised the value of liberal arts degrees. He was also clearly impressed with the main stage pyrotechnics!

VP of Tinder on the shallowness of networking

“When you go to an event, don’t try to make 50 contacts. Instead try making 5 friends”.

Young Silicon Valley superstar Ankur Jain did not like the concept of networking, and the fact that people's first question to others is often "what do you do?" This question makes you feel like you are being assessed for your value to the asker, not for who you are as a person. That's quite insightful coming from a 26-year-old who would definitely impress everyone with HIS answer to "what do you do?"

Tesla Motors and SpaceX board member is the most down-to-earth investor in the world

“Us investors should mostly act as cheerleaders to the companies we invest in”.

Steve Jurvetson, who sits on the board of companies like Tesla Motors and SpaceX, came to our Speaker Studio after an impressive keynote, and talked a lot about how investors often exaggerate their contributions to startups. He even mentioned an unnamed company that prides itself on being the "first VC to invest in Apple", while conveniently omitting the fact that they pulled all their funding well before Apple went public. He was an incredibly humble guy and we all have tremendous respect for him.

Jamie Siminoff on how not focusing on profit made a company profitable

“When we started focusing on our mission instead of profit, profits followed soon after”.

Jamie Siminoff, the founder of U.S. startup Ring, talked about the ups and downs of being a serial hardware entrepreneur. His struggling startup was about to go under, but when their experiment done with LAPD became a national news story (in summary, installing their doorbells in a neighborhood dropped burglary rates by 50%), things changed. Their mission of making homes safer proved to be their success (Ok, the 28 million investment from Richard Branson probably helped too).

Risto Siilasmaa talks about a technology-driven approach to completely revolutionize healthcare

“It’s about promoting and maintaining health, rather than treating sickness”.

Medical startups had a large presence at Slush, and we heard similar sentiments throughout the day. Nokia recently acquired digital health wearable Withings, and hearing about Risto's vision on the future of digital health made us feel a bit less worried about growing old! See our full interview on the subject with the most successful tech entrepreneur in Finnish history below.

https://www.youtube.com/watch?v=26DGKk5UwuI&t=118s

December 1, 2016

Mirai – malware designed to infect internet of things devices - is behind some of the biggest DDoS attacks in history. It knocked Twitter, Netflix, and other popular websites offline in October. And now, it looks like a variant of Mirai has been modified (or upgraded) to infect routers. Nearly a million people in Germany have lost their internet access over the past few days due to infected routers. News reports say that over 900,000 routers from Deutsche Telekom (DT), Germany’s largest telecommunications provider, were knocked off the internet over the past few days. The attack(s) are being attributed to Mirai based on their use of infrastructure seen in previous Mirai attacks. “Mirai was designed to infect IoT devices. And since IoT devices and routers have many of the same security issues, adapting Mirai to target routers seems worthwhile for attackers,” says F-Secure Security Advisor Sean Sullivan. “It takes a bit of work to adapt the malware, but since the code has been dumped online, it’s doable.” The Mirai variant hitting routers in Germany exploits a vulnerability in the firmware of particular models of Speedport and Zyxel routers. Previous Mirai variants have been more focused on IoT devices (most notably webcams), and brute forcing passwords to infect devices with malware. You can find a list of affected router models here. DT has apparently already developed a fix for this, which is impressive given the general industry-wide neglect of vulnerable firmware. But reports say that there may be as many as five million devices connected to the internet that are susceptible to the same attack used against DT routers. And this estimate doesn’t include devices with other security problems leveraged by Mirai, such as the use of weak default passwords set by manufacturers. 
How to Troubleshoot Bots

Attackers infect devices with Mirai, and then connect tens or maybe even hundreds of thousands of infected devices together to create a network of bots (hence the term, botnet). Using botnets, attackers can do things like issue commands to infected devices, launch devastating DDoS attacks, install additional malware, or spread the infection through more networks (thereby increasing the size of their botnet).

But fighting botnets isn’t a huge priority for anyone but ISPs. A phone, laptop, or webcam can be part of a botnet without really inconveniencing the device owner. However, that doesn’t mean bot infections should be ignored. Many bots, including Mirai, receive instructions from attackers. New instructions can give bots new capabilities, including having them attack device owners in more direct ways. And because Mirai (and bots like it) can infect non-traditional PCs, it’s more difficult to get rid of.

Here are a few things you can do to get rid of bot infections on devices that can’t run antivirus software.

Reset your device

Resetting routers and IoT devices infected by Mirai is enough to remove the infection. It’s a good first step. But this doesn’t fix the underlying problem, so you’ll remain vulnerable to future infections unless you take additional actions. And because Mirai spreads aggressively, you may only have a matter of minutes until you’re infected again.

Change default passwords (if possible)

Most people don’t change default passwords on their routers or IoT devices. This is a HUGE problem, since many of these devices use common passwords for the same model or line of products. And to make things worse, lists of default passwords are often available online. Many attackers know people don’t change passwords on their devices, and use that to help them plan attacks. Mirai is programmed to try logging in using popular passwords like “123456” and “password”, as well as passwords that have proven effective against specific devices (such as “admin” and “xc3511”). So change default passwords whenever possible.

Contact device vendors/ISPs

Some devices cannot be fixed easily. Sometimes passwords cannot be updated by users. Firmware often ships with vulnerabilities, requiring vendors to create and distribute patches. In these cases, ISPs or device manufacturers need to get involved. So make an effort to check their websites, and if needed, contact them. They may or may not help.

DT is making an effort to restore service to customers affected by the recent outbreak. And after the massive Mirai attack on Dyn in October, a Chinese webcam manufacturer recalled some of its products that used passwords that could not be changed by users. In the worst case scenarios, people may be forced to actually throw out an infected device.

“Like any new technology, it’s buyer beware,” says Sean. “Security researchers and even hackers have been talking about insecure IoT devices for years. Now the problems are starting to arrive, and they’ll most likely get worse before they get better.”

There are a multitude of other security measures you can take to protect things like routers and IoT devices. Some of the best ones include making sure Universal Plug n Play is disabled, checking that your DNS settings are configured correctly, and making sure that you log out of devices’ admin portals after changing any settings.

[ Image by Sascha Pohflepp | Flickr ]
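The password guessing described above leaves a recognizable pattern in login logs. The following is an added example, not part of the original post: it assumes a hypothetical honeypot-style log format that records attempted passwords, runs on constructed sample lines, and flags sources that cycle through the passwords the article names or that were let in with one of them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Passwords the article names as ones Mirai tries.
LISTED = {"123456", "password", "admin", "xc3511"}
# Assumed log format (hypothetical, honeypot-style): time, event, source, user, password.
LINE = re.compile(r"^(\S+) (login_fail|login_ok) src=(\S+) user=(\S+) pass=(\S*)$")

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_LOG = """\
2016-11-28T10:00:01 login_fail src=203.0.113.7 user=root pass=123456
2016-11-28T10:00:02 login_fail src=203.0.113.7 user=root pass=password
2016-11-28T10:00:04 login_fail src=203.0.113.7 user=admin pass=admin
2016-11-28T10:00:05 login_ok src=203.0.113.7 user=root pass=xc3511
2016-11-28T10:03:10 login_fail src=198.51.100.20 user=alice pass=Tr0ub4dor
2016-11-28T11:15:42 login_fail src=198.51.100.20 user=alice pass=Tr0ub4dor&3
2016-11-28T12:00:00 login_fail src=192.0.2.55 user=root pass=admin
2016-11-28T12:30:00 login_fail src=192.0.2.55 user=root pass=123456
2016-11-28T13:00:00 login_fail src=203.0.113.99 user=root pass=admin
2016-11-28T13:00:01 login_fail src=203.0.113.99 user=root pass=123456
2016-11-28T13:00:03 login_fail src=203.0.113.99 user=root pass=password
this line is malformed and is skipped
"""

def analyse(log_text, window=timedelta(seconds=60), min_listed=3):
    """Map each suspicious source to a verdict; quiet sources are omitted."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, kind, src, _user, pw = m.groups()
        events[src].append((datetime.fromisoformat(ts), kind, pw))
    verdicts = {}
    for src, evs in events.items():
        listed = sorted(e for e in evs if e[2] in LISTED)
        # Most distinct listed passwords tried inside any one window.
        burst = max((len({p for t, _, p in listed[i:] if t - t0 <= window})
                     for i, (t0, _, _) in enumerate(listed)), default=0)
        if any(kind == "login_ok" for _, kind, _ in listed):
            verdicts[src] = "default-password-accepted"  # reset and change it
        elif burst >= min_listed:
            verdicts[src] = "dictionary-attempt"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(src, verdict)
```

A "default-password-accepted" verdict means the device should be reset and its password changed; slow, occasional guesses such as those from 192.0.2.55 stay below the burst threshold and are not flagged.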

November 30, 2016

Imagine you open your mail and find a letter from the IRS saying you owe them thousands of dollars. The letter also says you’ve collected tens of thousands of dollars in tax returns over the past five years. There’s only one problem – the “you” they’re talking about is actually someone else.

You pick up the phone and call the number on the letter. Obviously there’s been a mistake, and you’re confident it will be cleared up by the time you hang up the phone. But it’s not. Actually this is only the beginning. Your heart pounds as you explain that you’ve been on medical disability for the past six years and haven’t made any tax claims or collected any money. The person on the other end of the line listens and then says five words you never thought you’d hear: “Someone has stolen your identity.” From that point on your life becomes a living hell. And there’s nothing you can do about it.

The statistics are staggering. One in ten people will become the victim of an online crime. And many of those crimes happen on public Wi-Fi. Some victims “just” lose money. But if a hacker gets their hands on your social security number, you can lose way more than that. And that’s exactly what happened to Michelle, a nurse from Queens, New York.

We recently asked Michelle and other real victims of identity theft to share their stories and tell us how it really feels to have your identity stolen. Get your tissues out and watch now as Michelle opens up about her experience as a sobering warning to the rest of us. After the interview, Michelle said she’d be happy if her story saves other people from having to go through the nightmare of identity theft.

It happened to Michelle. But it doesn’t have to happen to you. Click here to see why public Wi-Fi is so risky and protect yourself with Freedome VPN.

https://www.youtube.com/watch?v=l7xfavnro1g&t=92s

November 25, 2016

Holiday shopping has become such a tradition that it now has its own international holiday. Two of them, actually. In Finland, for instance, where only American expatriates might celebrate Thanksgiving, Black Friday has become an annual celebration of great deals. It's now the unofficial beginning of the holiday season -- much as it is in the U.S. where most people have the day off to fight off their turkey comas. In recent years, Black Friday has increasingly absorbed Thanksgiving Thursday and customers have often had to fight off each other to get to the best deals.

Cyber Monday, the online version of Black Friday, has never had any borders. And even though you don't have other shoppers breathing down your neck, the pressure to get a deal before it's sold out -- or before your boss notices you're shopping at your desk -- can be similarly intense. Under that kind of pressure, you're not going to be crushed by a crowd but you could be ripped off by a crook.

You need to start with a secure device, but even that may not be good enough to outsmart all online criminals. So here are three things you can do to prepare yourself for these "holidays."

Give yourself a shopping-only browser

Download a browser you don't currently use. It doesn't matter if it's Firefox, Chrome, Safari or Internet Explorer. Start with it fresh and use it only for online purchasing and banking. Now, disable Java. If you must use Adobe Flash in this browser, make sure you have "background updates" on. Now close this browser and ONLY use it when you're making an actual transaction.

Don't let anyone lead you around

Social media and online ads are designed to get you to a checkout screen as quickly as possible. You should resist that urge. Avoid clicking on links in deal emails and doing your shopping through a search engine. Go directly to an online retailer whenever possible and use its native search. Then when you're ready to buy, cut and paste the URL into your shopping-only browser. Now, before you enter any private financial details, check the URL and make sure you see HTTPS and that little lock in the browser.

Always use a VPN, especially when shopping through Wi-Fi

These two steps aren't just tips, they're a discipline. They require practice and focus. And they aren't easy if you've never done them before. But the bad news is that even if you master them, you could still be vulnerable if you're shopping over an unsecured network. That's why you should always run a VPN, especially when you're on public Wi-Fi.

Because it's holiday season and we're a business, we have a holiday special on our only high-rated VPN. This isn't just the best offer we'll make all year; it's a chance to practice what we just preached.

If you're interested, cut and paste this link (https://campaigns.f-secure.com/freedome/blackfriday/en_global/) into your shopping-only browser.

Cheers,
Sandra

[Image by Robert Couse-Baker | Flickr]

November 24, 2016

A turbulent U.S. election season. Ongoing tragedy in the Middle East. A Brexit vote result that threatens to tear apart the very fabric of European unity. Turkey continues to chip away at personal freedom, and Russia shows its increasing unwillingness to indulge dissenting opinions. It’s been one tumultuous year, but at least there are no more nails left to hammer into the coffin of 2016... right?

Sadly, there is one more nail. Last week, the UK parliament passed the Investigatory Powers Bill (nicknamed the Snoopers’ Charter), an intrusive law that gives the government unprecedented authority to conduct surveillance and gather data on its own citizens, who will only be able to circumvent this by encrypting their traffic and data.

Here’s a short rundown on what the bill includes:

Web and phone companies have to keep records of all websites visited by their users for 12 months.
They must have the capability to instantly intercept any data passing through their networks.
Not only law enforcement has access to the data, but also a huge number of government departments. Here is a full list.
Ministers authorize data collection, but a panel of seven judges has the power to veto decisions, except in “urgent cases” (notice the vague wording there).
Oversight of the new system will be handled by one senior judge, not three as previously.

The media, privacy advocates and the technology industry have reacted with almost unanimous condemnation. Here are four critical points of view, including our own as a VPN provider:

1. What does your Internet history reveal about you? - The Independent

In its heavy-handed critique of the law, the Independent mentions the unprecedented erosion of personal privacy. Everything including your medical concerns, religious beliefs and sexual preferences will now have to be stored in a file with your name on it. With the large number of government agencies having potential access to this information, how long before it's abused?

2. The law has passed with barely a whimper - The Guardian

In its article on the subject, the Guardian rightfully points out the lack of effort on the part of the opposition and the privacy movement to get the law passed. With the Labour Party in internal chaos and a public that is still reeling from other cataclysmic events this year, the government had to make very few concessions to their plan.

3. The most intrusive surveillance system in the west - Edward Snowden

The world's best-known whistleblower and rightful hero of the privacy movement weighed in on the subject with some sobering tweets, which included this quote: "It is the most intrusive and least accountable surveillance regime in the West". This perspective is crucial to counter any arguments that this is just a natural step for a government to protect the rule of law. It's not. Countries like Germany have recently passed laws extending the powers of intelligence agencies, but the Snoopers’ Charter makes them seem mild in comparison.

4. No direct obligations are imposed on VPN providers - F-Secure Freedome

While it's easy to view this topic in a negative light, there is a three-letter silver lining to all this: VPN. The law does not directly mention providers like us, and we will continue to offer the public a way to essentially bypass this intrusive form of mass data collection. We will also do everything we can to challenge anything that would prevent us from providing encryption to UK customers. It's also the opinion of F-Secure's legal experts that the bulk data collection proposed in the law would be found excessive by the European Court of Justice. What effect this will have depends largely on Brexit.

So, is free speech dead? Maybe not, but it has definitely suffered a serious injury. 18th century philosopher Jeremy Bentham designed a prison called the Panopticon, where prisoners were given zero privacy and were made very aware of someone potentially watching them every second. He theorized that the simple fear of being observed at all times would eliminate anti-authoritarian thoughts and turn the prisoners into obedient citizens. The Snoopers' Charter can end up having similar effects on us as individuals. However, it's not pleasant to imagine a world full of only obedient citizens where controversial ideas would stop existing because of fear of who might be listening.

Protect your privacy, encrypt your connection and don't let the modern day Panopticon get the best of you!

November 23, 2016