What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time.

Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now:

[youtube https://www.youtube.com/watch?v=kO-70yKF4bE]

He also gave a longer interview to Data Breach Today about the wider implications of the hack.

The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak.

A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily, because fake accounts used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same.

So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them to something unique on any other site where you've used them.

Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already.

If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis.

[Image by Christian Barmala | Flickr]

September 23, 2016

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection. From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way.

Tethering with VPN is now possible

This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen.

Instructions on setting up a portable hotspot

The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple.

1. Download Freedome VPN on your Android
2. Turn on the portable hotspot feature from your Android settings

Keeping it simple, as usual!

A note on privacy

It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. According to Freedome Product Development Director Harri Kiljander:

“Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore.”

In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with.

If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016

QUICK TIP: Change the Default Passwords on Your Webcams and Baby Monitors

If you don't want to read the manual for the new Wi-Fi-connected device you just installed in your home, do yourself a favor and at least check how to change the default password. A new report finds that more than 100,000 devices in the United Kingdom alone could possibly be accessed by peeping strangers.

How is this possible? "Two words," explains F-Secure security advisor Sean Sullivan. "Default settings."

Most consumers don't seem to imagine that their baby monitor, webcam or Wi-Fi router might be targeted by a hacker. "That’s called security through obscurity and it just does not work," Sean explains. "There are 'deep-web' search engines -- such as Shodan -- that routinely scan for devices on the Internet. And just about anybody can find interesting things there that shouldn’t be publicly accessible but are."

Often all online intruders need to do is type in the password that the manufacturer sent the device out with.

"You need to change the webcam’s password to something complex and unique," he says. "Don’t worry about having to type it all the time, you’ll probably only need to configure the associated mobile app once. And then the app will remember the password for you."

This one simple step will greatly reduce your risk of having your devices hacked. Still, many of us won't do it. The time to get rid of this terrible habit of leaving default passwords untouched is now, before our homes become so overrun by Wi-Fi-connected devices that hackers begin to devote serious resources to this sort of intrusion and possibly find some convenient way to monetize it.

So don't let your fear of not being able to remember the passwords for all these devices become the weak link in your security. "Once you’ve set your secure password, store it someplace safe for future use," Sean says. He suggests using a password safe like F-Secure KEY or a piece of paper in a secure location in your home.

Just don't store it anywhere in sight of a webcam that still is using its default password.

[Image by DAVID BURILLO | Flickr]

September 22, 2016

Latest Posts

Self-driving bus and security

Recently we had the unique opportunity to do something few people in the world have ever done - go for a ride on a "robot bus." A self-driving bus has taken to the open road in Helsinki as a test project, and it's not far from the F-Secure headquarters. Harri Santamala of Metropolia University of Applied Sciences is project leader, and he was keen to meet the cyber security experts at F-Secure. I went along with the guys to film our ride in Periscope.

The city of Helsinki has the ambitious goal of making car ownership completely unnecessary within a decade, and the self-driving bus is part of that plan. This particular bus pilot is literally one of the first open road demos worldwide. And anyone who wants to can jump on board for a ride into the future of transportation.

"On the open road we can learn more in a week than we can on a closed road in a year," says Santamala.

We waited at the "robot bus stop" under the sun - a perfect day for a ride along the waterfront. The bus arrived, somewhat resembling a breadbox on wheels. We climbed in and off we went, rolling along at 11 km per hour (it's capable of doing 40). A couple of cars passed us, impatient at our pace. An "operator" stood at the ready as a failsafe in case anything should go wrong.

Looking years into the future, when self-driving tech is mature - will a human need to be involved at all? Harri compares the tech to an elevator: In the beginning, elevators used to have human operators to push the buttons and control the ascent and descent. Nowadays elevators have no special operators, but there is still a remote person on call in case anything should go wrong.

"The worry was if you give the power to regular people they're just going to crash it into the floor or something," said Janne Kauhanen of F-Secure Cyber Security Services. "But then we figured out a way where the person in the elevator can't drive it into a wall, even if he wants to. You just press a button for a floor and the automation takes you to that floor. So if there were no legal requirements to have an operator in charge, why would you need that? The vehicle could just make the driving decisions independently without the need for anybody to control it."

A future of self-driving cars sounds pretty amazing. Traffic accident deaths could become a thing of the past, like dying of smallpox. When traffic is automated, traffic jams could become part of the "good ol' days" too. No more being stuck in rush hour traffic.

But there are still plenty of security issues to figure out. And while the most obvious one is making sure a hacker can't take control of the vehicle remotely, F-Secure security advisor Sean Sullivan adds that in the case of an automated bus network, denial of service attacks would also be a major concern.

"If the goal is to have such good public options that I don't need to own a vehicle, then I'm screwed if the public option is unavailable," says Sullivan. "So, it would be a natural target for an extortionist to threaten the city or the organization running the service."

Sullivan says vehicles on set routes could probably deal with common DDoS worries. But a system that attempts to provide on-demand services would be cloud-based, so the bus would need to be able to talk with its C&C server. "Scaling such services will require a robust network and good security to prevent any unauthorized control."

You can catch the Periscope video of our self-driving bus ride here.

September 21, 2016
pi

This summer has ended with a few database breaches that have leaked more than a hundred million passwords onto the internet. And, as usual, it feels like there's nothing we can do about it -- except check to see if you've been pwned.

Ah, but there is something you can do to prepare for the next breach, explains F-Secure Labs lead researcher Jarno Niemelä.

"The trick is to use a really long random string for a password," he tells us. "The password length should be at least 20 characters, but preferably 32."

Criminals who attempt to crack the password databases use various forms of attacks based on words found in the dictionary. This method usually works quite well because so many users pick terrible passwords.

"Humans in general are really bad password generators," Jarno says. "No matter how unique you think that your password is, its components are still likely to be in some dictionary, and a powerful cracking cluster will come up with exactly the right combination."

But there are a few catches for this tip -- and two of them depend on the security practices of the service you're using. First, the site or app has to accept long passwords, and then the developers behind the software have to use some kind of "hashing" for the passwords they store. Hashing employs an algorithm to hide passwords so they're not stored in clear text. It's a relatively basic practice that you can figure most reputable companies will employ. (And Jarno actually recommends developers take further steps to protect passwords.)

"So you as a customer cannot affect what kind of password storage the service providers are using," he says. "But you can still frustrate all but the most advanced attackers' efforts by using long enough random passwords."

So now you may be thinking, "Great! I have uncrackable passwords. They're also impossible to memorize."

Jarno recommends "some form of password storage" -- like F-Secure KEY, which you can use on one device for free. Many password lockers like KEY will help you generate extra long passwords, too.

"Also it might be a good idea to use a unique user name per service, and maybe a unique email for critical services," Jarno says. "The unique user name will give you added privacy as you cannot be tracked easily across services."

He gives this advice to his own kids to use as they play online games. Jarno also teaches his kids to limit their digital footprint by regularly changing their username or any alias for any game that makes their identities visible.

"Better teach them the basics of good OpSec -- operational security -- when they are young."

[Image by fdecomite | Flickr]

September 14, 2016
search

Two of the top five sites on the internet are search engines, which makes a lot of sense. We depend on them to find everything from the news to toothpaste to a place to eat dinner. According to internetlivestats.com, Google processes over 3.5 billion searches worldwide every day. Its rival Bing is rising to become the second largest search engine, accounting for 33% of all search queries performed.

Now here’s the interesting part. Given these billions and billions of queries, can you be sure that all these search results are 'harmless'? When you are clicking on a link Google, Bing or Yahoo! gives you, how do you know you are about to visit a site that is safe?

You can't.

That's why you take simple precautions to make sure you don’t unintentionally visit malicious sites. The most convenient way to stay safe while using search engines is by using a free website safety rating service, such as F-Secure Search.

F-Secure Search pre-screens the search results returned by a search engine and gives each result a safety rating. Harmful sites that try to violate your privacy or harm your device are clearly marked, so you know which sites are safe and which to avoid, even before you click on a link! Adult content is automatically blocked from search results, so you have peace of mind when your children are using F-Secure Search. Also, all communication between you and F-Secure is encrypted, so there’s no room for snooping.

To help you keep both your personal details and your PC protected from malicious sites, simply go to search.f-secure.com and start using it today. You can also use F-Secure Search as the default search engine in your browser.

And while you're thinking about surfing safely, take a minute to make sure your browsers are up-to-date. With a safe browser and safe results, you'll be surfing safer than ever.

September 12, 2016
Some important quotes from Edward Snowden

It's been over three years since Snowden blew the whistle on the NSA, but in the grind of daily life, it's easy to forget why the issue of mass surveillance is still an important one. In a recent Vice News episode, "State of Surveillance," Snowden hit on three points that help boil the issue down in pretty simple terms. As the new Snowden movie opens this weekend, it's a good time to share his quotes - for anyone who needs a reminder of why the issue of mass surveillance still matters.

Why we should care about mass surveillance in the first place:

Because you never know what will happen...or how your data could one day be used against you.

"Even if you trust the government today, what happens when it changes?" Snowden says. "Suddenly, everybody's vulnerable to this individual. And the systems are already in place. What happens...when eventually, we get an individual who says 'You know what? Let's flip that switch and use the absolute full extent of our technical capabilities to ensure the political stability of this new administration.'"

Snowden says we need to figure out if we want the future to be a "quantified world" where everywhere we go and everyone we talk to is indexed, analyzed, stored, and used, maybe even against us.

"Or will we recognize the danger of that and embrace the fact that people should have space to make mistakes without judgment, to have sort of the unconsidered thought or conversation with your friend? But if that was recorded in a database, where you say, 'I think Donald Trump should be kicked off a cliff,' and Donald Trump becomes president someday and everybody who said that ends up getting thrown off a cliff, that's a very dangerous world."

The whole point of mass surveillance programs is to catch terrorists. Here's why Snowden says that doesn't work:

Because when you collect everyone's data, you miss the stuff that matters most.

Snowden: "I was working at the NSA during the Boston Marathon bombings investigation. As it was playing on the news, myself and colleagues were in the cafeteria. We turned to each other and said, 'I'll bet you anything we already knew about these guys in the databases.' And in Paris, I'm certain the same conversation happened.

"This is really the legacy of mass surveillance - the fact that when you're watching everyone, you know who these individuals are, they're in the banks. You had the information you needed to stop, to prevent even the worst atrocities. But the problem is when you cast the net too wide, when you're collecting everything, you understand nothing. We know for a fact that (mass surveillance) is not effective for stopping terrorist attacks and it never has been."

He cites two White House-appointed independent commissions that were assigned to review mass surveillance programs after his disclosures. Both found that mass surveillance has not stopped terrorist attacks and both recommended these programs be ended.

If they're ineffective, then why don't politicians stop these programs?

Because no one wants to shoulder the blame for new terror attacks, even if the blame is misplaced.

"It's clear that the public opposes the majority of these policies. And yet politicians, because the word terrorism is involved, they can't justify being the one to stand up (against surveillance policies) because they know there will be another terrorist attack."

If they lead the charge to stop the policies, when the next attack comes, they know they'll be blamed by their political opponents, Snowden says.

"And they're right. Of course their political opponents will do this, it's the easiest thing in the world to do. And unfortunately it's quite effective. Because we live in a time where the politics of fear are the most persuasive thing on the table."

Watch the Vice News episode yourself to get in the mood for the movie.

Image courtesy of askyog, flickr.com

September 12, 2016
Cyber Security Base

Cyber security is becoming a huge industry. After all, the data breaches, cyber espionage, and ransomware infections you read about in the news are hardly good things. Companies are now making big investments in putting a stop to these problems.

That means jobs. And cyber security jobs are generally pretty good. One recent study points out that cyber security jobs pay almost 10% more than other IT positions. And because more companies are hiring more cyber security specialists, and because the cyber security industry is expanding rapidly, it’s a good time to start thinking about getting into the field.

Cyber Security Base with F-Secure is a course series created by F-Secure and the University of Helsinki. The series aims to get potential cyber security experts into the workforce by giving them the basic training they need for entry-level cyber security positions.

The course series, conducted through the University of Helsinki’s MOOC, is open to the general public as well as existing IT students. The material will be taught in English and can be completed entirely online, making it useful for people all over the globe. There are no formal prerequisites required for enrollment. However, a basic understanding of coding, how the internet works, and internet security is necessary to understand the course content.

Participants can expect to learn about the following topics:

- Building secure software systems
- Using tools to analyze flaws in software
- EU legislation relevant to cyber security
- Performing risk and threat assessments on existing systems

The course series is well suited to people with an active interest in information technology, students currently pursuing a computer science degree, or current IT professionals interested in specializing in cyber security. Participants that perform well and complete the series will have the skills necessary to work as junior consultants in the cyber security industry.

Cyber Security Base with F-Secure begins on October 25th, 2016. Anyone interested in the course series can sign up here for updates and other news.

September 11, 2016