Posts in Social media

facebook login

Open up your favorite web site and you can see what this is about right away. There are in many cases two options, an ordinary log-in and “Log in with Facebook”. Have you been using the Facebook option? It is quite convenient, isn’t it?

I was talking to a journalist about privacy a while ago. One of the hints that ended up in the final story was that it isn’t necessarily a good idea to link your other accounts to Facebook. And that raised questions. Some people have wondered why it is so, and pointed out that we at F-Secure also provide that option in our portal for F-Secure SAFE, MY SAFE. So let’s take a closer look. Is it good, bad or ugly?

Here are the important points:

Facebook acts like an authentication service in this scenario. One single password opens the door to many services. This is indeed convenient and reduces the need to remember a lot of different passwords.

But you should use different passwords on every service to reduce the damage if a password is leaked. That could happen for example in a phishing scam. Using Facebook’s log-in everywhere is putting all your eggs in the same basket.

The worst thing you can do is to use the same user ID and password on all your sites, but *not* the Facebook function. A leak in any of them could give the attackers access to all your systems. Using the Facebook login instead is in this case a way to *improve* security. Facebook's servers are well secured, a leak from them is highly unlikely.

The Facebook log-in may reveal private info from Facebook to the other service unnecessarily. Most of us just click OK when Facebook asks for permission to give data to the other service, without thinking about what we really approve.

Facebook will get yet another sensor to profile you. They will know that you use a certain service, when and how often you use it, and on what kind of device and where in the world you are when using it.

Most people are on Facebook under their real name, but you may want to use other services more anonymously.
If you don’t want it to be publicly known that you use a particular service, then you shouldn’t use your real-name Facebook account to log in.

Remember that privacy on-line is not just about how much private data you reveal. It’s also very much about whom you reveal it to and how fragmented your digital footprint is. Preventing different services from consolidating your data improves your privacy.

So should I use this feature at all? Maybe, it depends. There are some downsides, but it's a convenient way to log in, that can’t be denied.

But first, the security-savvy approach is to instead use separate strong passwords on every site and a password manager. It’s a little bit of work when you set it up, but it is really the most secure approach.

Don't use Facebook log-in for critical services. Those are sites containing sensitive information or where you make payments. They always deserve a strong unique password.

But there's also a large number of sites that aren't that critical. Your on-line newspaper for example. If crooks get your Facebook password then your compromised newspaper account will be the smallest of your problems. Go ahead and use Facebook log-in for those if you find it convenient, but keep in mind the privacy concerns listed above. It's all about how picky you are about privacy.

And don’t forget to review the permissions you have given to apps and sites in Facebook. Go to Settings / Apps and you see the list of approved apps. Remove anything that sounds fishy, that you can’t remember approving or that you aren’t using frequently. Don’t be afraid to remove too much. The worst thing that can happen is that an app or site stops working and asks you to give it Facebook permissions again. Open all remaining apps and review what permissions they have. Think about what they do for you and if they really need all their permissions. Fix the permissions if needed.

To wrap up. The Facebook log-in feature is not a security problem.
Facebook's security system is solid and your security is not in jeopardy if you use it. But I still recommend separate passwords for the critical sites. The question marks are on the privacy front instead. Linking sites together contributes to forming a more comprehensive digital footprint. It's up to you to decide how worried you are about it. With this info you should be able to make an educated decision about where Facebook log-in can and can't be used.

Image caption: Jamendo's permissions in Facebook. These are the basic permissions most well-behaving apps/sites ask for. If the site asks for more, consider carefully if it really is needed.

Safe surfing,
Micke

Images by C_osett and Facebook screen capture

November 12, 2015
facebook

I’m sure you have run into it if you work at a company with an organized IT function. They provide you with a computer, but they control it and set restrictions on what you can do with it. This is justified. Keeping the systems patched and updated is necessary to maintain security. Not to mention maintenance of the anti-malware.

But security is not the only driver for controlling the computers. Productivity is another. The web is usually wide open and employees can surf wherever they like. Entertainment, social media, news, hobbies, work-related issues, they are all there in the same web. Trying to limit web access to just work-related content is a really hard task. Practically impossible in most cases. And on top of that, you can always pull out your smartphone, if the mean IT-folks have created nasty restrictions on the employer-owned device.

Employers’ worries about security and productivity are demonstrated in a Bloomberg article. It’s a bit dated already, but probably still quite accurate. The list of banned apps can be divided in three groups. Cloud services make it easy to share company secrets. Entertainment is time-consuming and addictive. And finally Facebook representing social media.

Banning Facebook is interesting. Social media has quickly grown to be one of our most commonly used communication platforms. Is it really fair to shut this off for the whole workday? But Facebook can on the other hand be very addictive. I’m sure there are employees who spend far too much time there. But the question is if an effective ban of Facebook really would improve productivity? No-one can work 8h flat out without any breaks. Personally I feel that micro-breaks, like checking Facebook, help me stay focused and get the work done.

So let’s see what you think. What’s your relation to Facebook at work time?

Safe surfing,
Micke

Photo by momo

November 10, 2015
Back to the Future Tuesday

Many people have fond memories of the Back to the Future saga – a series of movies chronicling the adventures of Marty McFly through time. In the three films, he uses a time machine to travel to various points in the past and future, encountering various challenges that he must overcome in order to return to his correct time of 1985. In the second film, he travels from 1985 into the future, arriving on October 21, 2015. That’s today.

Back to the Future 2 has spawned some interest regarding the way it portrayed the future, which is now our present. Some of the ideas, such as the efficient weather service, remain pure science fiction. But others are slowly becoming reality. For example, Nike has filed a patent for shoes with automatic laces very similar to the ones sported by McFly in the film. And a company based in California worked with Tony Hawk to design a working hoverboard similar to the ones used by different characters in the film.

One scene stands out for different reasons though – it forecasts the erosion of privacy while communicating online. It’s an entertaining scene (I particularly enjoyed Needles), but given the increasing adoption of Smart TVs by consumers, it’s easy to imagine this scenario coming to a living room near you.

[Embedded video: https://www.youtube.com/embed/Km6bFBSVty4]

According to F-Secure Security Advisor Sean Sullivan, the idea of having your boss eavesdrop on you isn’t so crazy. In fact, they already have the tools they need to make this a reality – although it probably won’t happen to you in the same way it did to McFly. Here are a few observations Sean made about the scene.

“In Back to the Future 2, your boss intercepts your call. In real life, your friend shows him your Facebook comments.”

Sensitive information gets posted to social media channels all the time.
A careless Facebook post is more likely to cost you your job, or at least some embarrassment, than having your calls intercepted by your boss.

“In Back to the Future 2, AT&T posts information about you during your calls, like your favorite food. In real life, you post pictures of food you like to Instagram.”

Social media profiles contain lots of personal information, and lots of communication services are beginning to offer user profiles. This makes little personal details like this readily available. It’s completely realistic to assume these details are known to people you communicate with online, even if you don’t know the person well.

“In Back to the Future 2, McFly joins Needles' scam by swiping a card. In real life, you probably forget your password and don’t get pressured into joining Needles.”

But soon there’ll be an app for that. Apple Pay and other select apps are beginning to use fingerprint scanning as a form of authentication. As these technologies become more prominent, so will apps and services that use them.

As for having video calls intercepted, that’s currently relatively simple to do (as demonstrated by last summer’s Great Politician Hack), but Sullivan says there are still much easier ways to lose control over information.

“It’s trivial for someone to intercept and monitor VoIP calls, but your boss isn’t very likely to bother doing that when there’s so many other ways to find out what you’re up to.”

[ Image taken outside F-Secure Headquarters 10 Min Ago ]

October 21, 2015
Logging into Facebook in public

When you log into Facebook, you could see this message warning you that a government-backed entity of some sort is trying to get into your account:

This isn't the site's first attempt to use its gatekeeping power to address security concerns. Facebook detects malware on your computer and if it finds any, you're directed to one of several free online scanners -- including our free online scanner -- to clean your PC before you can log in.

What's new about this warning is that it suggests a culprit -- a government, which could possibly even be your government.

It's remarkable how accepted the idea is that state-backed organizations are carrying out cyber attacks so regularly that there's a Facebook prompt specifically dedicated to the threat. But it's indicative of the times we live in. F-Secure Labs has warned about cyber threats from state-backed actors for years.

"We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts," Facebook's Chief Security Officer Alex Stamos explained in a post announcing the new prompt.

Our Security Advisor Sean Sullivan calls the feature a "good first step." Why?

"Facebook is widely used among human rights advocates and attorneys," he told TrustedReviews. "When advocates report being targeted, I suspect that Facebook's security team is readily able to cross-reference IP addresses which interact with and target various accounts. And so Facebook is then able to draw connections between people that might benefit from such notifications."

Some in the media have spread some alarm about the feature. Russia Today -- an English-language media outlet sponsored by the Russian government -- framed the feature as an attempt to get your phone number. The article features several references to the NSA, alluding to the revelations former contractor Edward Snowden began releasing in 2013.
(This is ironic given F-Secure Labs' recent report on The Dukes, which makes the case that the Russian government is involved with or abetting cyber attacks of its own that extend beyond surveillance into actual espionage.)

So does Facebook just want your phone number? Nope.

"The feature doesn’t require a phone number," Sean told me. "If you have an Android phone, iPhone, or an iPod touch – you can simply use the Facebook app to generate the approval codes."

The suspicions being raised by non state-sponsored media could be tied to Facebook's constant efforts to get you to offer it your mobile phone number to activate security features.

Our Chief Research Officer Mikko Hypponen often points out that by pairing your profile with your phone number, websites can unlock a treasure trove of demographic data about you that makes you even more valuable to sell to advertisers. We cannot say for sure that Facebook does this. If you have a spare day or two, you can read through Facebook's Terms and Policies to find out.

"Both Facebook and Twitter (and other sites) often ask me for my phone number for the sake of 'security,'" Sean told me. "And while yes, it does offer some security enhancements, in the name of transparency, I wish they also mentioned the other uses."

Be aware that if you want to use two-factor authentication to secure your account but don't want to give the site your number, you do have options.

It's good to be suspicious about sharing your phone number, but it's also smart to be doubly suspicious when privacy concerns are being stoked by an arm of the Russian government.

In the past few years, Facebook -- which used to be constantly ridiculed for its privacy and security concerns -- has really stepped up its game in simplifying its privacy settings, preventing spam and controlling the spread of bad links.
This is another promising step from a security team that seems eager to both protect its users and to make us all aware of the growing threat of state-backed attacks.

October 20, 2015

Have you thought of one funny thing? The Internet is the Eldorado of anonymity, yet most people are on Facebook under their real name. Facebook has an authentic identity policy, but it is not really enforced. You can sign up under any name you like and they don’t make any attempts to verify it. But Facebook is typically an extension to your real-life social network, so it is natural to sign up with a name your friends know. Yet another example that guiding users towards something in a natural way is so much more effective than laws and mandatory policies.

So you can use a false name if you like, but most people use their real names, established nicknames or well-known artist pseudonyms. (* All these names have one thing in common. They may or may not be what’s written on the driving license, but they all have a strong link to the person’s social network in real life. And that’s what really matters. Most people don’t deviate from their real names to be anonymous. Quite the opposite, using well known pseudonyms can make them easier to recognize.

The coin always has two sides. Truly anonymous accounts are used for harassment, libel, fraud, scams, identity theft, you name it. Facebook’s real name policy has been in effect for years and these are probably the primary targets they had in mind. It works so that anyone can report other users. Facebook will ask the users to provide some kind of identification, and keep the account closed otherwise.

But this issue became headline news lately when it became clear that the policy itself can be used to harass others. Representatives for minorities, like Native Americans and drag performers, became the target of numerous reports. Their names were not meant to be anonymous, they were artist names and Native American names. This is why EFF reacted and published a petition to change Facebook’s rules. They have a long list of problems in the current policy. Many valid points, check it out.
One of the main problems on the net is the lack of verified identities. The symptoms are a wide range of issues ranging from fraud to pranks. But one of the most visible effects is the deteriorating debate culture. We have all run into discussion forums that have turned into arenas for venting hate and mental illnesses. You can run into that on Facebook too, but not to the same extent as in other forums. And the reason is clear. People may use pseudonyms, but they are not anonymous to their real-life social network. It’s easier to express hateful opinions in writing than when talking face to face. But you still have to stand behind your opinions on Facebook. Your friends know it’s you no matter what name you use. I think this is a good thing that makes Facebook a better place. But the real name policy can’t take credit for it. It’s the nature of Facebook itself that keeps the debate at a more civilized level.

So a community with a pretty strong real name culture is no doubt an asset. But EFF is also making many good points about why the policy goes wrong. So I have two questions for you today. What kind of name are you using and what do you think about real names on Facebook?

Safe surfing,
Micke

PS. LinkedIn is by the way another example of a service where it really doesn’t make much sense to appear under a false name, unless you’re a sockpuppet.

Image by Vincent Diamante

(* Facebook itself estimates that about 9% of the profiles “aren’t real” in some way. About 1,5% are violating Facebook's policies. More info here.

October 14, 2015

You are precious. You are very valuable. At least to companies dealing in advertising and customer profiling. The value of you and your peers make giants like Google and Facebook tick, with a combined revenue of about $78 billion. I’m sure most of you understand this value. But how many are really making smart choices to guard it?

If you’re on Facebook, you may have seen posts like this: “Your Friday night. Tina wants to sleep. Jan destroys furniture. Aaron wakes up handcuffed. Wilhelm starts a drinking competition.” Clicking the image takes you to nametests.com, or a localized version in your own language. Once there you can create your own test that reveals funny things about you and your friends. It’s obvious that these tests are more entertaining than scientific. And this site can’t be blamed for lacking fantasy! Who thinks you’re sweet? How many children will you have? Who should you write a love song for? Who of your friends belong in your stuffed animal collection? Stuffed animal collection! OMG. LOL. :) You can find out all this and much more with the tests at nametests.com. The site is operated by a German company named Socialsweethearts, which claims to have over 1500 tests in more than 40 languages!

OK, just another funny and harmless site that creates virally spreading posts and cashes in on advertising, you might think. But let’s take a closer look at what’s going on here. Many of the tests involve your friends, revealing who would be or do something. And to provide this they must know who your friends are, right? So it’s perfectly legit when a dialog pops up asking for access to your Facebook account and friends list.

Wait! This is where you should stop and think. Let’s rephrase what’s going on. You purchase an automatically generated joke about you and your friends and pay by allowing them access to your friend list and Facebook wall, including all your past, current and future posts. A good deal? No, I don’t think so.
And on top of that, you pay with knowledge about all your friends too, but without asking them for permission.

Ok, Socialsweethearts is a German company, and Germany has strong privacy laws. I think there is a pretty good chance that this company isn’t misusing your data shamelessly, even if they definitely have the technical opportunity to do so. But this is pure luck. I bet that virtually none of the folks using these tests actually checked the background of the company and made an educated decision to trust it. Did you?

But on the other hand. Pretty much all the giants that make billions on our private data are from the Americas. Europe has totally lost this race. A German company entering the same business successfully would be bright news, sort of. Bad news for your privacy but good news from a European business perspective.

So don’t worry too much if you have used the services on nametests.com. But this is anyway an excellent opportunity to clean up the list of apps that have access to your data. In Facebook, go to Settings and choose Apps in the menu to the left. Now you see a list of all apps and sites that have been granted access. Some of them are no doubt legit, for example apps that should be able to post to your wall. But the permissions will stay when you stop using something. And some permissions are only needed on a one-time basis, but they will stay on the list. Nametests.com belongs to that category and should be erased. Go through the list and remove anything you don’t need. If you see something that you don’t understand the meaning of, it’s safest to remove it too. Permissions can always be added back and apps that lose their permissions will notify you and ask you to grant new permissions.

Happy cleaning,
Micke

Image caption: This is what it looks like when nametests.com wants permission to access your data in Facebook.

Images: Screenshots from nametests.com and facebook.com

September 21, 2015
Hide Your LinkedIn Connections

Hiding your LinkedIn connections is easy. Click on your profile pic in the upper right-hand corner and select "Privacy & Settings". You'll probably be asked to log in again, which is smart of LinkedIn. Then under "Privacy Controls" select "Select who can see your connections". You'll see this screen:

Select "Only You". You can also hide a specific contact.

Here are some more LinkedIn privacy settings you may want to check, including how to make it so people don't know if you've viewed their page.

So why would you want to hide your connections? If you're in an industry where your contacts are an asset -- like sales -- or an industry where your connections can easily be turned into targets -- like security -- you may simply not want to make life easier for your competitors or the bad guys.

The paradox of discussing privacy on social networks is that most of us aren't on social networks to not be noticed. Your social graph -- your network of online friends -- can be used to fight hackers or encourage them. And if you're a person likely to be targeted, such as a CEO, you need to take additional precautions to prevent threats like whaling.

Another reason you may want to hide your "friends" on sites like Facebook or LinkedIn is that they could be used to factor in things like your credit score, in the near future.

We honestly don't know the long-term implications of exposing ourselves and our networks on the internet. But it's always good to know what you can control, so you have a better idea of what you can't.

September 16, 2015

Kaisu, who works for us, is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT-services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them.

The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper.

What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life.

I remember when I was a kid long, long ago. This was even before the invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore.
Our social life is today to an increasing extent handled through electronic services. And those services go with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind.

Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services are a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware.

That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful of other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%.

Safe surfing,
Micke

PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad.

Image by Moyan Brenn

August 24, 2015