How to Protect All of Your Devices

 Because of smart application development, most mobiles don’t face the plethora of threats that PC users do. But online criminals aim to change that. They’re working on malware for Macs, bad apps for Android and, of course, they can still hit you with a phishing scam on just about any web-connected device.

Here are a few precautions that will help protect you on all the laptops, desktop or mobile devices you use.

1. Keep your system and security software updated
This is a tip we always recommend for PCs. But it’s especially important on mobile devices and Macs too. Several important security updates have been included in recent updates of OS X. Our Mobile Security is available for Android, Symbian and Windows Phones. Research to find the best security for your device and keep it up to date.

2. Back up your device
A piece of content that exists only on one local hard drive is a piece of content at risk. Use some method of backup for your computers. If your phone has a backup capability enable it. If it’s available for your mobile, we recommend you use some remote lock software. Our Anti-Theft for Mobile is free. This way even if your device is out of your control, you can still protect your private data.

3. Get your software from a reliable source
For mobile phones, use official markets or vendors you know and trust. Never install software that suddenly appears on your computer or a mobile. You can give a criminal full access to your computer with the wrong click so take downloading and installing seriously. So don’t be afraid to take to cancel and research a product before installing it

4. Watch where you click, especially in emails
Most of us know never to open attachments we don’t expect in an email. But the links in an email can lead to a malicious site or a scam. Phishing scams have new power on mobile phones where we expect web pages to look strange and unfamiliar. Avoid clicking the links in emails you receive, especially from your bank. Go directly to the site you need to use or even call your bank directly if you have a question.

5. Keep your devices and accounts secure
Lock your computers and devices when you aren’t using them. And use a strong, unique password for all of the accounts that matter to you most.

The good habits you’ve picked up from being a smart PC user will benefit you however you connect to the web.

F-Secure’s new Safe Anywhere gives the world’s leading operators and ISPs the ability to protect PCs, Macs and mobile devices with one award-winning solution. Find out more about Safe Anywhere here.


CC image by LGEPR

More posts from this topic


What’s a Mirai Botnet Doing With My Router?

Mirai – malware designed to infect internet of things devices - is behind some of the biggest DDoS attacks in history. It knocked Twitter, Netflix, and other popular websites offline in October. And now, it looks like a variant of Mirai has been modified (or upgraded) to infect routers. Nearly a million people in Germany have lost their internet access over the past few days due to infected routers. News reports say that over 900,000 routers from Deutsche Telekom (DT), Germany’s largest telecommunications provider, were knocked off the internet over the past few days. The attack(s) are being attributed to Mirai based on their use of infrastructure seen in previous Mirai attacks. “Mirai was designed to infect IoT devices. And since IoT devices and routers have many of the same security issues, adapting Mirai to target routers seems worthwhile for attackers,” says F-Secure Security Advisor Sean Sullivan. “It takes a bit of work to adapt the malware, but since the code has been dumped online, it’s doable.” The Mirai variant hitting routers in Germany exploits a vulnerability in the firmware of particular models of Speedport and Zyxel routers. Previous Mirai variants have been more focused on IoT devices (most notably webcams), and brute forcing passwords to infect devices with malware. You can find a list of affected router models here. DT has apparently already developed a fix for this, which is impressive given the general industry-wide neglect of vulnerable firmware. But reports say that there may be as many as five million devices connected to the internet that are susceptible to the same attack used against DT routers. And this estimate doesn’t include devices with other security problems leveraged by Mirai, such as the use of weak default passwords set by manufacturers. How to Troubleshoot Bots Attackers infect devices with Mirai, and then connect tens or maybe even hundreds of thousands of infected devices together to create a network of bots (hence the term, botnet). Using botnets, attackers can do things like issue commands to infected devices, launch devastating DDoS attacks, install additional malware, or spread the infection through more networks (thereby increasing the size of their botnet). But fighting botnets isn’t a huge priority for anyone but ISPs. A phone, laptop, or webcam can be part of a botnet without really inconveniencing the device owner. However, that doesn’t mean bot infections should be ignored. Many bots, including Mirai, receive instructions from attackers. New instructions can give bots new capabilities, including having them attack device owners in more direct ways. And because Mirai (and bots like it) can infect non-traditional PCs, it’s more difficult to get rid of. Here’s a few things you can do to get rid of bot infections on devices that can’t run antivirus software. Reset your device Resetting routers and IoT devices infected by Mirai is enough to remove the infection. It’s a good first step. But this doesn’t fix the underlying problem, so you’ll remain vulnerable to future infections unless you take additional actions. And because Mirai spreads aggressively, you may only have a matter of minutes until you’re infected again. Change default passwords (if possible) Most people don’t change default passwords on their routers or IoT devices. This is a HUGE problem, since many of these devices use common passwords for the same model or line of products. And to make things worse, lists of default passwords are often available online. Many attackers know people don’t change passwords on their devices, and use that to help them plan attacks. Mirai is programmed to try logging in using popular passwords like “123456” and “password”, as well as passwords that have proven effective against specific devices (such as “admin” and “xc3511”). So change default passwords whenever possible. Contact device vendors/ISPs Some devices cannot be fixed easily. Sometimes passwords cannot be updated by users. Firmware often ships with vulnerabilities, requiring vendors to create and distribute patches. In these cases, ISPs or device manufacturers need to get involved. So make an effort to check their websites, and if needed, contact them. They may or may not help. DT is making an effort to restore service to customers affected by the recent outbreak. And after the massive Mirai attack on Dyn in October, a Chinese webcam manufacturer recalled some of its products that used passwords that could not be changed by users. In the worst case scenarios, people may be forced to actually throw out an infected device. “Like any new technology, it’s buyer beware,” says Sean. “Security researchers and even hackers have been talking about insecure IoT devices for years. Now the problems are starting to arrive, and they’ll most likely get worse before they get better.” There are multitude of other security measures you can take to protect things like routers and IoT devices. Some of the best ones include making sure Universal Plug n Play is disabled, checking that your DNS settings are configured correctly, and that you log out of devices’ admin portals after changing any settings. [ Image by Sascha Pohflepp | Flickr ]

November 30, 2016

Are ‘Free’ Browser Extensions Worth the Price?

Are you ok with advertisers having access to your web surfing? Are you ok with them knowing your search terms, translated texts, visited websites, and clicked Facebook profiles? If not, you might want to have a quick look at your browser extensions. Browser extensions are plug-ins designed to give web browsers additional capabilities. Toolbars giving you features such as specialized search functions, web page analytics, and similar capabilities are popular examples of browser extensions. In most cases, they’re freely available for download from websites, making them a great way to improve the user experience of your favorite web browser(s). But browser extensions found themselves in the spotlight last week after an investigation by Northern German Broadcasting exposed the data collection and sharing practices of the popular Web of Trust (WOT) browser extension. According to reports about the investigation, WOT, which was designed to inform users whether or not the websites they visit are trustworthy, was collecting and selling data about their user base. Now, this in itself isn’t news. Many companies that provide services based on crowdsourced information monetize the data they collect in one way or another. Basically, you pay for these products with your data. And WOT states that they collect and share user data in their privacy policy, so they’ve done their due diligence in disclosing this to users. However, the investigators claim that they were able to match “anonymized” data shared by WOT with specific individuals. And this highlights a significant problem with monetizing user data: completely anonymizing data is very difficult and is an ongoing challenge. WOT is not the first company to fall down this slippery slope. In 2006, an employee at America Online (AOL) released search data for hundreds of thousands of users. The data was anonymized by replacing names of users with numbers. But this wasn’t enough to protect the identity of affected AOL users. In less than a week, the New York Times was able to correctly link a user with their AOL search records. So anonymizing data isn’t as straightforward as it seems. But what does all of this have to do with browser extensions? Well, browser extensions are a common source of something called potentially unwanted applications (PUA). The criteria defining what is/is not a PUA can be quite intricate. But basically, PUAs are programs that have harmful effects for devices/users, but do not qualify as malware. They often mix genuine value with negative “side effects” that can be well-hidden or perhaps even undisclosed. This doesn’t mean browser extensions are automatically PUAs (in fact, some security solutions like F-Secure SAFE’s Browsing Protection are actually browser extensions). Web browsers will often provide a well-curated selection of browser extensions to help users find good ones that enhance the capabilities of browsers in order to improve the user experience. And since browsers are most people’s gateway to the internet, improving the experience offered by browsers can improve people’s experience across a wide range of online services and websites. So you shouldn’t be afraid to trust browser extensions, including things like WOT. They often have significant benefits to users. However, you should be aware of how “free” pieces of software (not just extensions, but basically any free software) stay afloat. Companies that develop these products and services need to make money of them. And if they’re not charging you or relying on other sources of revenue, they’ve probably found a way to build their business using your data. Contains information translated from Der Spion in meinem Browser. [Image by Terry Johnston| Flickr]

November 15, 2016

Tricks Not Treats: The 5 Scariest Online Threats

The first known use of the term "trick or treat" was found in a November 1927 edition of Blackie, Alberta's Canada Herald: Hallowe’en provided an opportunity for real strenuous fun. No real damage was done except to the temper of some who had to hunt for wagon wheels, gates, wagons, barrels, etc., much of which decorated the front street. The youthful tormentors were at back door and front demanding edible plunder by the word “trick or treat” to which the inmates gladly responded and sent the robbers away rejoicing. "No real damage" from "youthful tormentors?" Sounds a lot like the early days of hacking. Unfortunately those days are long over. “It’s a business,” F-Secure's Chief Research Officer Mikko Hyppönen told Wired UK. “There’s a whole structure there that’s needed,” F-Secure's "Cyber Gandalf" Andy Patel told ITPRO. “An individual can’t just go in and do this now; it’s not a one man job… these are companies.” The cyber crime "industry" has raked in hundreds of millions and possibly even billions of dollars. And it does it, in general, by counting on people to make mistakes. “People do stupid stuff,” Mikko explained. “You cannot patch people.” The first step to avoiding a threat is knowing it exists. So this Halloween as you search for treats online, look out for these tricks. Ransomware F-Secure Labs has warned about malware that holds your digital files hostage to demand a ransom for most of the last decade. But it's in the last year that the threat has burst into the mainstream and become something you can't go a few weeks without hearing about it on the news. How do you avoid this trick? Keep your system software updated and run security software at all times. Make regular backups of every file that matters on your computer and never click on attachments and links in emails that you weren't expecting. Find My iPhone Scam This scam answers the question, "How can losing your iPhone get any worse?" People who use the "Find My iPhone" app have been targeted by criminals who've gotten ahold of their phones with a scam that allows the crooks to gain access to the device and -- possibly -- the owner's most intimate financial details. How do you avoid this? Check the URL before entering any confidential data. Or as Apple says, "You should never enter your Apple account information on any non-Apple website." Phishing Scams As cyber criminals have gone pro, they've gotten better at using old tactics that we thought had faded away -- like email attachments and phishing scams. Like the trick that gives crooks access to stolen iPhones, a phishing scam just tricks you into entering your private credentials into the wrong site. And it then uses those credentials to hack your email, financial accounts, etc. Checking URLs before entering data is crucial because with the explosion of photo editing software and skills, it's now easier than ever to make a fake site look real. Experts believe that one wrong click to a fake site led the chair of a major presidential campaign to expose his entire inbox to the world. Having someone else leak your password Millions and millions of passwords have been leaked in 2016, some from breaches of data that took place years ago. It might not sound scary that your Yahoo! password from 2005 is now public, except if you are still using that password today on a critical account. This is why you need to use strong, unique password for each important account. Yes, remembering all that is almost impossible. So consider using a tool like F-Secure's KEY to manage your passwords. KEY is free to use on one device. Haunted IoT devices As our homes are getting smarter by connecting almost everything to the internet, they're also getting haunted -- by cyber criminals. A botnet is a network of computers that have been hacked and "enslaved." Security expert Brian Krebs was recently hit by a monster attack on his site that he believes was powered by a botnet powered by "'Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords." What can you do? So much of this problem requires manufacturers to improve their security. But you can help by keeping every device updated with the latest software from the manufacturer and always changing your default passwords.  [Image by Daniel Lewis | Flickr]

October 21, 2016