Tag Archives: Privacy

The Current State of Platform, Software and Device Security

The year 2012 and the better part of 2013 have witnessed the birth of new computing platforms, social network platforms and general computing trends that make gadgets and the internet not only better, but also more dangerous. These innovations and the habits that have developed around them expose us to a variety of threats that we must be aware of in order to survive in the modern digitally connected world.

Security

The release of new platforms gives both legitimate technology users and hackers something to look forward to. Users test new features and functionality while hackers seek to exploit loopholes in the innovations’ firewalls. Since the adoption of new technology improves our efficiency, we will always be vulnerable to the accompanying hacker attacks, and can only hope that the platform, gadget or software developer releases security patches as soon as security-related bugs show up.

Are Security Risks Increasing or Decreasing?

As genuine developers come up with new software pieces, malicious developers are also at work trying to come up with re-engineered pieces that are better at breaching current and yet-to-come systems. This trend, confirmed by the attempts to improve on Skywiper/Flamer to Stuxnet, gives system administrators something new to think about since they will be facing better-equipped criminals in the near future.

Even though the security trends of the future might strongly lean on the weaknesses of the new platforms and operating systems, we cannot overlook the birth of mobile devices. Since most people do not believe that there are systems that can breach the built-in security of their mobile devices, cyber criminals might have an easier time gaining access to the information people share through their devices.

With the number of possible additions to this list almost endless, the number of risks grows exponentially. The diversification of platforms and computing behaviors might give the average person an information overload that might force them to overlook some important security features or give cyber criminals more options to explore.

Do We Have a Choice?

Apart from the security issue, the manner in which we interact with other people is bound to change. The adoption of online solutions will greatly reduce personal level interactions while reducing the control we have over some of the information we might refer to as “personal.”

Nonetheless, the productivity per unit time is bound to increase since we no longer have to do all the hard work. The new systems and hardware products will take care of most of our needs despite the security and privacy risks, making them almost as important as the basic human needs. We will have no option but to live with the emergent vices and make the best out of the available virtues.

Your internet activities aren’t as safe as you thought

The idea of snooping on undersea cables is not alien in the world of counter-intelligence. In fact, it was in use by the US against the Soviet Union as early as the 1970s. Even though such an escapade in the early 70s would only yield specific information, tapping into the current undersea fiber optic cables gives access to streams of highly valuable information. This is an opportunity that one of the most powerful agencies in the world, the National Security Agency (NSA), might have found too lucrative to forego.

How your data can be captured

The information regarding how NSA pulls off this alleged massive data “theft” remains hazy. While some sources claim that the agency makes use of a “prism” (hence the program’s codename) to split the light beams in the fiber optic cables into two, one for their own use and another to continue with its journey, experts argue that this is too complex a procedure to effectively sustain.

According to a Deutsche Welle report, it would be easier to do the tapping at regeneration points and sometimes landing stations, since at these points the data is split out and easier to tap into. Nonetheless, all sources seem to concur that probes and prisms are used to create a replica beam of the light without disrupting the “flow of the original Internet traffic.”

NSA collaborators

Just like anything else that has ever been associated with NSA, the details about the scheme remain closely guarded, with none of the allegedly associated entities accepting responsibility. Many claim that NSA collaborates with internet service providers and landing-country authorities to gain access to the data trunk, allegations that most of these players vehemently denounce.

With no one accepting responsibility, not even Google or Facebook who allegedly collude with the agency to deliver detailed user information, it is hard to figure out how deep the intrusion is. There is the probability that NSA does not go through all the information it diverts. Nonetheless, experts like Tim Stronge from TeleGeography believe that if PRISM is real, it has the power to tap into large amounts of data from different sources since data over the internet will take “the least congested route that is available to their providers.”

The way forward

The NSA internet backbone breach, if true, will not really catch many internet users off guard. Even though NSA vehemently denounces the allegations and claims that it cannot even search its own emails, many internet users know that all the information they transmit online is bound to be stolen by one counter-intelligence agency or another. Some argue that it makes the internet a safer place to be in; others believe that this is a direct violation of the Fourth Amendment of the United States Constitution.

Government cell phone monitoring shouldn’t come as a surprise

In a recent announcement, it was shown that the National Security Association (NSA) has been “secretly” obtaining private information via Verizon Wireless. With permission through something known as “the blanket order,” Verizon has been handing over a variety of call-related data, such as call lengths, locations, and other unique identifiers.

As of yet, it’s stated that the calls themselves are not being recorded; the public is turning an angry eye toward both Verizon and the government for this invasion of privacy.

But is this really such a shock? How many of us read those fine-print contracts wireless providers require to be signed? Companies are legally allowed to do a number of questionable practices, data collection included.

As the saying goes, “knowledge is power,” and it seems as though the government is willing to go to extreme lengths to get it. Ages, races, and other target demographics can be reached with the right info, and obtaining said facts is the first step in expanding political popularity. Other non-surprise factors include every political movie ever, which almost always hosts a widespread privacy invasion. Not to mention the ease with which spying can be done these days. There are practically invisible recording devices, and even lasers that can detect conversations by measuring window vibrations.

In this case, however, the victims of surveillance just happened to be the owners of the recording devices.

What’s Next?

While it’s likely Verizon will suffer some serious image backlash (like we needed another reason to hate the 4G-pushing giant), the information they’ve collected is already obtained. It’s also likely that the information collection will continue, whether or not the public is ok with it.

But what else can be released? Are there other networks doing the same recording and sharing practices? Are calls actually being recorded – stored and listened to for terrorist-like activity by some full-time operators? Or is this simply as “harmless” as it seems from the outside looking in?

While it’s unclear as to why the government wants to know why you made a 90-second call at Burger King May 4th, or how often you travel away from home on calls, the consensus remains that the compilation is mega creepy. A surprise, perhaps not, but a definite invasion of citizens’ privacy.

That just leads us to ask: what other data is the government collecting through our personal electronic devices?

How to stay secure on public Wi-Fi

Credit card numbers? Check. Website logins? Check. “Private” chats between cheating spouses? Double check.

Spend ten minutes in a coffee shop snooping on the “Free Public Wi-Fi!” and you’ll see all these things and more. Airports, libraries, parks? Same situation. Hotels are a little different, though. All the bandwidth is being taken up by people streaming porn, so there’s not much else going on.

Granted, this is the same type of traffic you’d see on a private, secure network, but in that setting you’re probably going to have a little better idea of who you’re sharing the network with and there are controls to keep potential criminals out.

Public Wi-Fi is exactly that, public. You are sharing it with everyone else in the local area, just like Jenny, that nice girl you went to high school with who just wanted to feel pretty. For someone who’s interested in stealing financial information or identities, it’s an appealing target, mostly because it’s so easy to exploit. I wouldn’t even call it hacking, it’s more “collecting” – monitoring the network for unencrypted information and capturing the info that looks interesting.

Protect your neck

That being said, public Wi-Fi can be relatively safe to use if you take the appropriate steps to secure yourself and use a little common sense.

    • Starbucks is not a good place to balance your checkbook. Context is everything and there are certain places for doing certain things. Doing your online banking on public Wi-Fi is just a bad idea. Even if you’re taking steps to protect your laptop, there are too many factors that are out of your control to justify the risk. Restrict financial and other “sensitive” activities to networks you trust (like the one at your house).
    • Use a VPN service. A VPN (virtual private network) service will protect your internet traffic inside a secure tunnel out to the internet so that someone snooping locally won’t be able to see anything other than you connecting to the VPN service. Good VPNs aren’t free, but if you’re a heavy public Wi-Fi user, the cost is definitely worth the security you gain. I personally use a service called Cloak that works on Mac and iOS devices. If you’re not a super-awesome-Apple-user like me, I’ve also heard good things about StrongVPN.
    • Know what you’re connecting to. Although they can easily be spoofed to match the name of a real Wi-Fi network, it’s important to pay attention to the names of the wireless networks you use. Much in the same way that an e-mail titled “Free Money Waiting For YOU!” is probably spam, a wireless network named “Free Public Wi-Fi” is likely a scam.
    • Look at the physical signage wherever you are visiting. Starbucks uses AT&T to provide their Wi-Fi (It says so on the front door.), so the network there is called “attwifi”, not “starbuks” (The laziness that’s paired to Wi-Fi snooping is often paired with stupid.). Just being on the right public Wi-Fi for the location will keep you more secure. If you’re reading this thinking “Well, Mr. Smartypants, what if someone has exactly mimicked the name and setup of a real network and is performing a man-in-the-middle attack?” – see points 1 & 2.

When in doubt, bail out

Ultimately, if you doubt the safety or validity of a Wi-Fi network, don’t use it. It may come as a surprise to some people, but there are other things to do in public than surf the internet. If you’re presented with obviously unsafe options for wireless, maybe it’s a good time to strike up a conversation with one of the people around you. Read a book. Or maybe you should just sit quietly and contemplate your existence and how to become a better person.

Image Credit: Ed Yourdon

5 ways to fight spam in your iCloud email account

I have been an iCloud email user for a while, even before “iCloud” existed (iCloud is Apple’s online email service and other online tools). I was originally a MobileMe and .mac user. Until recently, my iCloud email addresses were relatively free from spam. However, for the past few weeks I have been getting five to ten spam emails a day and I didn’t even sign up for anything.

A search of internet discussion boards shows that I am not the only one with a recent onslaught of junk in my iCloud account. So is there anything that can be done about it? Well, there are a few steps you can take to help reduce the junk in your iCloud inbox.

Don’t click ‘Unsubscribe’ links

First, and most importantly, do not click any unsubscribe links in any of these spam emails. This will, most likely, just open the door to more junk. These links basically tell the senders that your email address is real and is read by a human.

Help report spam to Apple

The second thing you can do is help Apple improve its server-side filters by emailing the emails to them. You do this by forwarding the email from your desktop app as an attachment to spam@me.com. This is Apple’s spam address. To do this from Mail on your Mac select the email and choose “Forward as attachment” from the Messages menu. Address the email and send it off.

Add spam filter rules to iCloud

A third part of the plan includes setting rules through the iCloud webmail settings. If you log into your email through iCloud.com, locate the gear icon in the top right of the screen. Clicking that will present you with a menu of options. “Rules” will be one of these options. Choose that and you will see a window where you can set up rules.

If your junk emails have similar words in the subject, you can set up a rule to send emails with that subject to the “Junk” folder or the “Trash” folder. If the emails seem to be coming from the same email address, as many of mine have been, you can set the parameter based on that email address. It is very easy to do and setting the rules online instead of your mail program will prevent many of these emails from even making it into your inbox of the program you use.

Flag spam as ‘Junk’

For those spam emails that still manage to sneak through your filters, you can mark them as “Junk” in the Apple Mail program or the webmail interface. iCloud is supposed to learn what is junk and what is not based on how you mark emails. I don’t know how well it works, but it is better than doing nothing.

Buy spam filtering software

Finally, there is the pay option. There are several spam filter apps for the Mac and several online spam filtering services. SpamSieve is an app I have used in the past.

Conclusion

There have been small flurries of spam through Apple’s email services in the past and it eventually works itself out. Hopefully it will do so again. If not, you now have some weapons to help fight spam in your iCloud account.

Have any tips for fighting iCloud spam? Share them in the comments below!

Image courtesy: Bas Boerman

Would you trade in your social media passwords for a job?

The practice of employers looking up social media profiles of prospective employees is nothing new. It’s a great way to learn a lot about a person from the things that they choose to broadcast to the public. However, there comes a point where this all may go a little too far — specifically when a potential employee’s profile is set to private.

Associated Press reports that some job seekers have been asked during the interview to hand over their Facebook passwords. Justin Bassett, a New York statistician, was asked to disclose his Facebook login credentials to the interviewer. Bassett withdrew his application.

Others weren’t directly asked for their passwords, but they were asked to log in to their Facebook account so that the interviewer could have a peek.

While most job candidates would decline to give out their passwords, there are some job seekers who are so desperate for a job, they have no choice but to hand over such information to the company.

In 2010 a security guard at the Maryland Department of Public Safety and Correctional Services was asked for his login information so the agency could check for any gang affiliations. The security guard handed it over saying, “I needed my job to feed my family.”

Orin Kerr, a George Washington University law professor and former federal prosecutor says that this practice is “an egregious privacy violation” and “it’s akin to requiring someone’s house keys.”

Surprisingly, this is all completely legal, but legislation is being proposed in Illinois and Maryland, with more states possibly joining in later.

Personally, I have nothing to hide when it comes to my social media profiles. If an employer wants to look at my Facebook profile, they can do so, but I will never give my password away to anyone. However, I probably wouldn’t mind logging into my Facebook and letting them surf around for a bit while I at least watch (as long as they were just looking at my profile and not digging into my settings), although that does sound extremely juvenile and definitely says something about the maturity of the company.

What about you? Would you let a potential employer have your password or at least log in for them so they can look around?

Privacy: Ghostery helps you elude online trackers in all browsers

Ghostery shows you who is tracking you and lets you stop them.

Browser cookies are the black helicopters of the Internet age. Everyone seems to believe they’re only used for a secret, evil purpose.

I guess it depends on your definition of evil. Companies use cookies to store information about Internet users. That information is coupled with other data collected via “tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior.” That idea helps them deliver ads and marketing messages to you online. Probably the biggest problem is that this is done without you knowing that you’re building a customer profile simply by reading blogs and watching videos.

Ghostery is a free browser add-on that exposes who is tracking your behavior and allows you to block them. It is available for Firefox, Safari, Google Chrome, Opera, Internet Explorer and Apple iOS. That’s right – you can use it on your iPhone.

When setting up the add-on, it’s easiest to go with a broad brush by blocking all third-party extensions and cookies. It doesn’t seem to do any harm (depending on your definition of harm).

For example, it blocks almost all the social media sharing buttons you see on web content. So if you use them a lot to “Like” pages, tweet stories and add to social bookmarking services, you’re going to miss them. But it’s easy enough to allow the functions you want by clicking on the ghost icon at the bottom of your browser. That will bring up an info box that tells you what is blocked and lets you unblock it. You can also click through to get information on the service that is tracking your behavior.

That window also lets you temporarily turn off the blocking. Once you do that, Ghostery still identifies the trackers and gives you the same information.

One of the benefits seems to be increased browser speed. Sometimes the blocking takes time but overall pages load faster without the third-party extensions.

Another casualty is advertising. Some ads are blocked. Sometimes the space is there but no ad can be seen. Annoying pop-over ads still appear but don’t show any advertisement. I still have to close out the ad space to continue reading.

Other than that, I don’t seem to be missing any functionality, except my online banking site seems to be glitchy while Ghostery is blocking trackers. Pausing the blocks lets me do what I need to do though.

I see two problems for publishers though:

First, Ghostery can block your analytics – Google Analytics and Omniture for example. That means your stats could take a hit even if you’re only tracking traffic to pages not who is reading them.

Second, if you run a metered paywall – a limit to the number of pages that can be viewed for free – Ghostery can let readers bypass those limits since they rely on information in cookies. But it doesn’t break down paywalls that protect certain pages.

What I like about Ghostery

I don’t need a tin foil hat anymore. The add-on makes me feel invisible to all kinds of tracking. Since not all of it is evil, I have the ability to accept the services that I want to use. It’s easy to use and worth the time to install.

Ghostery blocks some ads from being displayed

[Download Ghostery]

How to download a full backup copy of Wikipedia

I’ve spent plenty of time making jokes about what would happen if Wikipedia went offline in our modern, internet-dependent world – planes dropping out of the sky, no knowledge of any events before 2007, dogs walking their owners – but in all seriousness, any Wikipedia outage will affect millions of students, educators, scientists, and everyday people looking for answers to both simple and complex questions.

You’re not totally out of luck though; in this article, I’ll show you how to maintain access to Wikipedia’s information even after the site goes offline. Not only will this be useful during deliberate blackouts (like in the January 2012 protest of SOPA and PIPA), but it could come in handy in the future when presented with network difficulties, power outages, or even new internet legislation.

How to download a backup copy of Wikipedia

Before you get started, please note that the standard English backup of Wikipedia is about 7.5 gigabytes. Even on a fast connection, this database can take several hours to download depending on the amount of traffic on Wikipedia’s servers. It is safe to assume that Wikipedia’s servers will be hit with record amounts of traffic if a known blackout is approaching, so if you want to download a copy, start downloading as early as possible.

First off, don’t worry – it is both legal and free to download a backup of all content available on Wikipedia for personal use, mirroring, informal backups, offline use, or database queries. All text content in Wikipedia is licensed under the Creative Commons Attribution-ShareAlike 3.0 License and the GNU Free Documentation License. Images fall under different terms, but in this guide we’re just going to be downloading the text.

While the downloadable version of Wikipedia’s database is massive, there are a few limitations: Only current revisions of articles will be downloaded, and no discussion or user pages are included.

Step 1

Download the English language Wikipedia dump. You can download the latest version of this file directly from Wikipedia or via BitTorrent (unofficial).

You can also download the Simple English Wikipedia, which is much smaller than the full Wikipedia (about 75 megabytes).

Step 2

The Wikipedia database dump is not very useful on its own, so next you’ll need to download the free application WikiTaxi (Windows only) to view Wikipedia on your computer.

(Mac users can check out Wiki Offline for about $10, but in this guide I will only be covering WikiTaxi for Windows.)

WikiTaxi is a “portable” application so you don’t have to install anything. All you need to do is extract the downloaded .zip file and you’re finished.

Step 3

After extracting WikiTaxi and your Wikipedia database download has finished, open the WikiTaxi Importer (WikiTaxi_Importer.exe). Browse to the location of the Wikipedia database you downloaded in Step 1, and then select a location to save the new WikiTaxi-formatted database file. Click Import Now! when finished.

Step 4

Close the WikiTaxi Importer and open the main WikiTaxi application (WikiTaxi.exe). Click the Options button and select Open a *.taxi Database. Locate the database you created in Step 3 and select Open.

That’s it! You now have full, offline access to Wikipedia.

How I Circumvented Network Authentication (And Got Caught in the Process)

While I’ve never personally worked in the IT field, I have a number of friends who have, and I can appreciate their efforts to keep a network secure and functioning well. Sometimes, though, the cost of network security can be pretty annoying.

The university where I work is home to a top-notch group of IT guys that keep the wheels greased for over 15,000 network users. Just like many other universities, the IT department instituted a network authentication system to do several things, one of which being to cut down on illegal filesharing. This system included user login and a horrible little program called SafeConnect by Impulse.

Put simply, SafeConnect is a watchdog program that is forcibly installed on your system before you are allowed Internet access. It monitors to see that you have anti-virus software installed that is up to date, keeps tabs on your device preferences, and (as far as I can tell) was specifically designed to be a major pain in the butt.

If you’re like me, you probably don’t like to be forced to download third-party software. Also, if you’re like me, you probably don’t want to have your name associated with everything you do online. Finally, if you’re like me, you probably have an e-deathwish and don’t care what happens to your e-career when you do e-stupid things. Luckily, there are ways to avoid both SafeConnect and network authentication at many universities, and possibly fulfill a deeply seated wish to get yourself expelled.

Derp. I am not a fan.

Disclaimer: You probably know where this is going. Before you consider doing this for yourself, understand that while I performed these steps and survived to tell the story, my circumvention of the university network authentication system landed me in the Dean’s office for a rather eventful discussion with the Network Administrator present to see me squirm.

Step 1: Change your TCP/IP fingerprint

If you’re running Windows, your computer will be detected by the network as a valid candidate for SafeConnect. Fortunately, there is not a Linux-friendly version of the software. Changing the TCP/IP fingerprint will allow your computer to be detected as a Linux box and you can avoid that pesky download forever. You can achieve this manually by digging into the guts of your registry…or take a much easier route of using a nifty piece of software called OSfuscate.

With OSfuscate, you can change your fingerprint to just about any platform

Step 2 (optional): Change your MAC address

MAC addresses are hardwired into the network adaptor of your computer and are often used to filter rogue computers from a network. Spoofing a fake MAC address is not very difficult, and there are easy-to-follow tutorials here and here. I mark this step as optional because it is not essential for circumventing login. However, if you plan to do anything nefarious on a network, it’s best not to get an authentic MAC address banned from use.

In your Device Manager, visit the Advanced tab of your Network Adaptor.

Step 3: Change your Browser User-Agent

At this point, if you’ve changed your TCP/IP fingerprint and uninstalled SafeConnect, firing up a browser should give you a typical network login screen. The interesting thing about most university networks is that they typically don’t require authentication of gaming consoles like a PlayStation 3. If your university is anything like mine, its second tier of authentication (after SafeConnect) is identifying the User-Agent of the browser in use. If it detects a game console, it lets it pass through without authentication.

If your login looks like this, this tutorial will probably work for you.

Spoofing a user-agent on a browser can be fairly easily accomplished with a Firefox plug-in or by modifying your desktop shortcut to Chrome.

Once your user-agent is spoofed, it is likely that you can now do anything online… semi-anonymously.

The User-Agent Switcher plug-in for Firefox in action

Step 4: Get discovered, deal with consequences

So, as the saying goes, all good things must come to an end. You see, network admins have a nose for this kind of behavior, and while I don’t know the specific tools that are used to detect it, you will eventually get caught. Chances are also quite good that circumventing network authentication is against your Student Code of Conduct.

You, crying, because you ignored my warnings and got caught.

In the end, this is a good exercise for those interested in network security, but a poor long-term defense against doing naughty things online.

Kids, keep your noses clean. SafeConnect and other forced software downloads may be lame, but risking expulsion to cover your e-tracks is just plain dumb.
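Step 4 of the network-authentication post above leaves the detection side unspecified. The following is an added example, not code from the original post, SafeConnect or any NAC product: it reviews hosts that claimed a game-console User-Agent against signals the browser setting does not control. The log columns, the sample records, the `CONSOLE_OUIS` placeholder and all function names are assumptions made for the illustration.

```python
"""Review game-console exemptions on a network login portal (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample records; the column names are assumptions for this example.
# os_guess stands for the verdict of a passive TCP/IP fingerprinting sensor.
SAMPLE_LOG = """mac,os_guess,user_agent
00:11:22:aa:bb:01,console,Mozilla/5.0 (PLAYSTATION 3; 4.46)
00:11:22:aa:bb:01,console,Mozilla/5.0 (PLAYSTATION 3; 4.46)
02:5e:10:00:00:07,linux,Mozilla/5.0 (PLAYSTATION 3; 4.46)
02:5e:10:00:00:07,linux,Microsoft-CryptoAPI/6.1
00:11:22:aa:bb:02,windows,Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
"""

# Substrings that mark a User-Agent as claiming to be a console.
CONSOLE_UA_MARKERS = ("playstation", "xbox", "nintendo")

# Placeholder vendor prefix, NOT a real console OUI. Populate this set from the
# IEEE registry entries of the console vendors you actually exempt.
CONSOLE_OUIS = {"00:11:22"}


def is_console_ua(user_agent):
    """True when the User-Agent string claims to be a game console."""
    ua = user_agent.lower()
    return any(marker in ua for marker in CONSOLE_UA_MARKERS)


def locally_administered(mac):
    """True when bit 0x02 of the first octet is set.

    Factory-assigned adapter addresses leave this bit clear, so a set bit
    means the address was assigned in software.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def review_exemptions(log_text):
    """Return {mac: [reasons]} for console-claiming hosts that look inconsistent."""
    hosts = defaultdict(lambda: {"uas": set(), "os": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = row["mac"].strip().lower()
        hosts[mac]["uas"].add(row["user_agent"].strip())
        hosts[mac]["os"].add(row["os_guess"].strip().lower())

    findings = {}
    for mac, seen in hosts.items():
        if not any(is_console_ua(ua) for ua in seen["uas"]):
            continue  # host never asked for the console exemption

        reasons = []
        if locally_administered(mac):
            reasons.append("locally administered MAC address")
        elif mac[:8] not in CONSOLE_OUIS:
            reasons.append("MAC vendor prefix not on the console list")

        # A console should not fingerprint as a general-purpose OS.
        for os_name in sorted(seen["os"] - {"console", "unknown"}):
            reasons.append("passive OS fingerprint says " + os_name)

        # Background services keep their own User-Agent even when the
        # browser's is changed, so a second family on one MAC is a strong signal.
        for ua in sorted(u for u in seen["uas"] if not is_console_ua(u)):
            reasons.append("non-console User-Agent also seen: " + ua)

        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    for mac, reasons in review_exemptions(SAMPLE_LOG).items():
        print(mac)
        for reason in reasons:
            print("  - " + reason)
```

Any single signal can be wrong on its own, so treat a finding as a prompt to require normal authentication for that host rather than as proof of intent.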

3 Secure Ways to Store Your Passwords

If you’re anything like me, you probably have all your passwords jammed into a text file or stored in your browser somewhere for easy retrieval when you need them. While convenient, you may want to consider more secure ways to store your passwords to prevent your account(s) from being hacked.

The following applications and services are free, easy to use, and absolutely capable of protecting your sensitive data from prying eyes.

KeePassX

KeePassX is perhaps the most popular method of storing passwords and is an open-source application available for Windows, Mac, and Linux. It can store a variety of usernames, passwords, URLs and more in a single, encrypted database. Being compatible across multiple platforms, the database can be easily exported, moved, and imported into KeePassX on other computers.

Password Dragon

You may consider Password Dragon a lightweight version of KeePassX. Also open-source and compatible with Windows, Mac, and Linux, Password Dragon stores all of your passwords in a BlowfishJ-encrypted database that you can access with a master password. You can also bypass the GUI and access your passwords via command line.

PassPack

You may be a bit wary of the concept of storing passwords online, but this can be an excellent option for those that need to be able to access data from any location, on any device. PassPack offers both free and professional accounts for individuals or businesses, and allows you to securely share your passwords with anyone you wish. For the security-conscious, PassPack provides disposable logins for use on public computers and two-factor authentication with a virtual keyboard to deter keystroke-logging programs.

So now that you know that there are free applications out there dedicated to providing you with an easy, secure method of storing your passwords, stop using Notepad and put your Post-its away!