Archive for Privacy

Windows 10 Reduces Your Privacy…..Here’s How To Gain It Back

Posted in Tips on August 4, 2015 by itnerd

On Windows 10’s launch day I wrote about WiFi Sense, which is enabled by default and is built to share access to WiFi networks with your contacts. That’s a serious loss of privacy on its own, but several other defaults are just as bad, and unless you avoided them during installation by declining the “Express Settings” option, you gave up a fair amount of privacy right out of the gate. The good news is that you can get most of it back with about 10 minutes of work. Here’s what to do:

  • Open the Settings app and click Privacy. In the General pane, turn off everything except the SmartScreen Filter. That stops Windows 10 from building an advertising profile out of how you use it, from feeding you “tips” and ads, and from sending your usage to Microsoft to “improve the product”. I’m telling you to leave SmartScreen on because it is meant to block known malware downloads and sites known to be infecting PCs, though it only covers Internet Explorer, Edge and Windows Store apps. The trade-off is that it works by checking URLs and downloads against Microsoft’s reputation service, so it is the one item on this list that still talks to Microsoft.
  • Next, stop apps from divulging your location: still in Privacy, click Location and turn everything off, the master switch for the device as well as the per-app toggles.
  • At the bottom of the Privacy list, click Feedback & diagnostics. Set Feedback frequency to Never so Windows 10 stops asking you to rate it, and set Diagnostic and usage data to Basic, the lowest level the consumer editions allow, to cut down on what gets reported back to 1 Microsoft Way every time an app crashes or something else goes wrong on your computer.
  • Next, decide whether you want to disable Cortana or curtail what it can do. Not everyone will want to, but consider that everything you do with Cortana gets sent to the cloud, which means Microsoft is potentially collecting it. That’s no worse than Apple’s Siri, which works the same way, but if the way Siri works bothers you then Cortana should as well. To tweak or turn it off, hit the Start button and type Cortana; the Start screen will be replaced by a grey search window. Click the cog icon to reveal Cortana’s settings pane, where you can turn it off or scale back what it can do.
  • The last thing is WiFi Sense. In my case I simply turned it off, as there is no logical reason it should be on. Hit the Start button, type Wi-Fi and click Change Wi-Fi settings; in the Settings app, click Manage Wi-Fi settings and turn off the WiFi Sense switches (connecting to suggested hotspots and to networks shared by your contacts), and don’t tick the share box for any network you join. If you prefer, you can instead limit sharing to your Facebook, Outlook.com or Skype contacts, but if I were you, just turn it off. You’ll thank me once hackers figure out how to leverage WiFi Sense for their own purposes.
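Here is the same set of changes as a script, an added example that is not part of the original post: it writes the registry and policy values behind those Settings pages using CPython’s stock winreg module, then audits them. The paths and value names are the ones the Settings switches and Group Policy use for these options; the HKLM policy values are honoured on Pro and Enterprise, but Windows 10 Home may ignore some of them, so re-check the Settings app after running. It must be run from an elevated prompt, and SmartScreen is deliberately left alone.

```python
"""Added example (not from the original post): script the Windows 10 privacy
changes walked through above by writing the registry/policy values behind
those Settings pages, then audit them. Needs an elevated prompt on Windows;
the SETTINGS table and drift() import anywhere so they can be unit tested."""
import sys
from typing import List, Optional, Tuple

try:
    import winreg  # CPython on Windows only
except ImportError:
    winreg = None

HKLM, HKCU = "HKLM", "HKCU"

# (hive, subkey, value name, wanted REG_DWORD, which Settings switch it backs)
SETTINGS: List[Tuple[str, str, str, int, str]] = [
    (HKCU, r"SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo", "Enabled", 0,
     "Privacy > General: advertising ID off"),
    (HKCU, r"SOFTWARE\Microsoft\Siuf\Rules", "NumberOfSIUFInPeriod", 0,
     "Privacy > Feedback & diagnostics: feedback frequency Never"),
    (HKLM, r"SOFTWARE\Policies\Microsoft\Windows\DataCollection", "AllowTelemetry", 0,
     "Privacy > Feedback & diagnostics: diagnostic data at the lowest level the edition allows"),
    (HKLM, r"SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors", "DisableLocation", 1,
     "Privacy > Location: off for every app"),
    (HKLM, r"SOFTWARE\Policies\Microsoft\Windows\Windows Search", "AllowCortana", 0,
     "Cortana off"),
    (HKLM, r"SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting", "Value", 0,
     "Wi-Fi Sense: stop reporting/sharing networks"),
    (HKLM, r"SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots", "Value", 0,
     "Wi-Fi Sense: stop auto-joining shared hotspots"),
]
# SmartScreen (Privacy > General) is intentionally absent: the post keeps it on.


def _root(hive: str):
    return winreg.HKEY_LOCAL_MACHINE if hive == HKLM else winreg.HKEY_CURRENT_USER


def read_value(hive: str, subkey: str, name: str) -> Optional[int]:
    """Current DWORD, or None when the key or value does not exist yet."""
    try:
        with winreg.OpenKey(_root(hive), subkey, 0, winreg.KEY_READ) as key:
            value, _kind = winreg.QueryValueEx(key, name)
            return value
    except FileNotFoundError:
        return None


def write_value(hive: str, subkey: str, name: str, value: int) -> None:
    """Create the key if needed and set the value as REG_DWORD."""
    with winreg.CreateKeyEx(_root(hive), subkey, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


def drift(current: List[Optional[int]]) -> List[str]:
    """Descriptions of settings whose current value is not the wanted one.
    `current` is aligned with SETTINGS, so it can come from the registry
    or from constructed values in a test."""
    return [desc for (_h, _k, _n, wanted, desc), cur in zip(SETTINGS, current)
            if cur != wanted]


def audit() -> List[str]:
    return drift([read_value(h, k, n) for h, k, n, _w, _d in SETTINGS])


def apply_settings() -> None:
    for h, k, n, wanted, _d in SETTINGS:
        write_value(h, k, n, wanted)


if __name__ == "__main__":
    if winreg is None:
        sys.exit("this script only does anything on Windows")
    print("off-target before:", audit())
    apply_settings()
    print("off-target after: ", audit())
```

The HKCU values apply to the signed-in user only, and the Settings app may not reflect policy values until you sign out and back in, so confirm each toggle by hand before trusting the audit output.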

Have you got any other Windows 10 tips? If so, please leave a comment and share what you know with all of us.

Mobile Apps Put “Billions” Of User Records At Risk

Posted in Commentary on June 17, 2015 by itnerd

It appears that if you use mobile apps (exactly which ones is the open question) you might be exposing the data stored behind them to being swiped. Here’s what I mean, via The Globe And Mail:

Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.

The team of German researchers found 56 million items of unprotected data in the applications it studied in detail, which included games, social networks, messaging, medical and bank transfer apps.

“In almost every category we found an app which has this vulnerability in it,” said Siegfried Rasthofer, part of the team from the Fraunhofer Institute for Secure Information Technology and Darmstadt University of Technology.

Team leader Eric Bodden said the number of records affected “will likely be in the billions.”

Here’s a description of the issue from the same article:

The problem, Bodden said, is in the way developers – those who write and sell the applications – authenticate users when storing their data in online databases.

Most such apps use services like Amazon’s Web Services or Facebook’s Parse to store, share or back up users’ data.

While such services offer ways for developers to protect the data, most choose the default option, based on a string of letters and numbers embedded in the software’s code, called a token.

Attackers, Bodden says, can easily extract and tweak those tokens in the app, which then gives them access to the private data of all users of that app stored on the server.

The good news is that, as far as anyone knows, nobody has used this for nefarious purposes. Yet. But you know that’s coming now that the details are public. So what’s being done about it? Apple, Google, Amazon and Facebook are all reportedly taking action, but app developers need to do the same: the fix is on their side, since a key baked into an app binary can be pulled out by anyone who downloads the app and should never be the only thing standing between the internet and a user’s data. With everyone and their dog using smartphones and tablets, this is a really, really big deal. Swift action needs to be taken by all concerned or this could get really ugly.
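To make the description above concrete, here is an added example (not code from the Globe and Mail article or from the Fraunhofer team) that models the two authorization styles the researchers contrast: a backend that treats the app’s embedded key as proof of authorization, and one that treats it as nothing more than an app identifier and enforces a per-user session plus a per-record owner check on the server. The key, user names and records are constructed for the example.

```python
"""Added example (not from the Globe and Mail article or the Fraunhofer team):
a toy model of the two backend-as-a-service authorization styles the article
contrasts. hardened=False mirrors the default the researchers describe, where
the backend treats anyone presenting the app's shared key as fully trusted.
hardened=True keeps that key only as an app identifier and checks a per-user
session plus a per-record owner ACL on the server. Key, users and records
are constructed for the example."""
import secrets
from typing import Dict, List, Optional

# Baked into the shipped binary (constructed value). Anyone who unpacks the
# app and runs `strings` over it has it; that is the article's point.
APP_KEY = "k7Qx9ZpLm3vTn8Rb2WcYd5HeJf0GaSu1"

# Constructed rows in the hosted database, one per user.
RECORDS: List[Dict[str, object]] = [
    {"id": 1, "owner": "alice", "door_code": "4711", "address": "1 Main St"},
    {"id": 2, "owner": "bob",   "door_code": "9988", "address": "9 Elm Rd"},
    {"id": 3, "owner": "carol", "door_code": "1234", "address": "5 Oak Ave"},
]


class Backend:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.sessions: Dict[str, str] = {}  # session token -> username

    def login(self, username: str, password: str) -> str:
        """Server-side login issuing a per-user session token. The password
        check is stubbed: every constructed user has the password 'pw'."""
        if password != "pw":
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def query(self, app_key: str, session: Optional[str],
              where: Dict[str, object]) -> List[Dict[str, object]]:
        """'Find rows matching `where`', the call the client SDK makes."""
        if app_key != APP_KEY:
            raise PermissionError("unknown app")
        matches = [r for r in RECORDS if all(r.get(k) == v for k, v in where.items())]
        if not self.hardened:
            # Default: the app key alone counts as authorization and the
            # filter is chosen by the client. An attacker with the extracted
            # key sends where={} ("tweaks" the query) and gets every row.
            return matches
        # Hardened: the app key only identifies the app. Authorization comes
        # from the user's session and a per-row owner check done here.
        user = self.sessions.get(session or "")
        if user is None:
            raise PermissionError("login required")
        return [r for r in matches if r["owner"] == user]


def attacker_dump(backend: Backend) -> List[Dict[str, object]]:
    """Everything someone holding only the extracted APP_KEY can pull out."""
    try:
        return backend.query(APP_KEY, session=None, where={})
    except PermissionError:
        return []


def user_view(backend: Backend, user: str) -> List[Dict[str, object]]:
    """A logged-in user sending the same over-broad filter an attacker would."""
    token = backend.login(user, "pw")
    return backend.query(APP_KEY, session=token, where={})


if __name__ == "__main__":
    print("default:  rows leaked to key holder =", len(attacker_dump(Backend(hardened=False))))
    print("hardened: rows leaked to key holder =", len(attacker_dump(Backend(hardened=True))))
    print("hardened: bob sees", user_view(Backend(hardened=True), "bob"))
```

The hosted services the article names offer exactly the second shape (per-object permissions, or server-side roles scoped to the logged-in user); the failure mode is shipping a key that carries full permissions and relying on the client to send a polite query.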

Password Service LastPass Hacked…. Users Asked To Change Master Password

Posted in Commentary on June 16, 2015 by itnerd

I get that having a different password for each and every online service you use can be a pain. But it makes you more secure, which is why I keep encouraging users to do it. I also get that, to keep yourself sane, you may need a password manager to keep track of all those passwords. The problem is that if you pick something cloud based, you run the risk of it being hacked and your digital life being left under threat.

Today we’re being handed a great example of that, with the news that the popular cloud based password manager LastPass was hacked. Here’s what the company said on its blog:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

Lovely. What was taken matters: the vaults are encrypted on your device before they are uploaded, and those weren’t touched, but the per-user salts and authentication hashes are exactly what someone needs to run an offline guessing attack against master passwords. A weak or reused master password is the one that’s now at risk. Here’s what they are doing about it:

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.

Now, if you need a product to keep track of your passwords, my preference is that it be local to your devices and not cloud based. One such application is eWallet, which I reviewed here. While it can sync over WiFi to keep all your devices up to date, it only syncs between devices that are paired to each other, such as an iPhone and a Mac, and only on the same WiFi network. Your data doesn’t take a trip to the cloud, so you don’t get exposed to this sort of hack.

In the meantime, if you’re a LastPass user I’d strongly suggest taking their advice: change your master password when prompted, change it everywhere else you reused it, and turn on multifactor authentication. Then I’d strongly suggest reconsidering your password management strategy, as this sort of hack could have catastrophic results for end users.
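Here is an added example, not from LastPass or the original post, of why the stolen salts and authentication hashes are worth worrying about even with the vaults untouched. The server-side check is modelled as a salted, stretched PBKDF2-HMAC-SHA256 hash; the iteration count and the wordlist are constructed for the example and are not LastPass’s real parameters.

```python
"""Added example (not from LastPass or the original post): why leaked
per-user salts and authentication hashes matter even though the encrypted
vaults were not taken. The server-side check is modelled as a salted,
stretched PBKDF2-HMAC-SHA256 hash. The iteration count and wordlist are
constructed for the example and are not LastPass's real parameters."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 20_000  # constructed; production counts are much higher


def auth_hash(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Server-side authentication hash of the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def register(master_password: str) -> Dict[str, bytes]:
    """What the server stores per user: a random salt and the stretched hash.
    This pair is what the breach notice says was compromised."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": auth_hash(master_password, salt)}


def verify(record: Dict[str, bytes], candidate: str) -> bool:
    """Constant-time comparison, as the live login would do."""
    return hmac.compare_digest(record["hash"], auth_hash(candidate, record["salt"]))


def offline_guess(record: Dict[str, bytes], wordlist: List[str]) -> Optional[str]:
    """What an attacker with the leaked salt+hash does: guess offline, with no
    rate limit, no lockout and no multifactor prompt. The salt means each user
    must be attacked separately; the stretching makes each guess cost a full
    PBKDF2 run, which is the only thing slowing this loop down."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# Constructed stand-in for a cracking dictionary.
WORDLIST = ["password", "letmein", "Summer2015", "correct horse battery staple"]


def demo() -> Dict[str, Optional[str]]:
    weak = register("Summer2015")                        # in the dictionary
    strong = register("plinth-orbit-quartz-vellum-92")   # not in any dictionary
    return {
        "weak": offline_guess(weak, WORDLIST),
        "strong": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Rotating the master password makes the stolen salt-and-hash pair worthless for logging in, and multifactor blocks a login with a guessed password; neither helps at the other sites where the same password was reused, which is why the notice singles those out.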

AdultFriendFinder Hacked… 3.5 Million Accounts Compromised

Posted in Commentary on May 24, 2015 by itnerd

If you find your dates, or whatever it is you’re into, on AdultFriendFinder… not that there’s anything wrong with that… you might have reason to worry. About 3.5 million personally identifiable records were leaked from systems belonging to the adult oriented website, which confirmed the breach after it first surfaced in April:

Word of Adult Friend Finder’s problems first surfaced last month. An IT consultant and Darknet researcher, who prefers to be known as Teksquisite, discovered the files on a forum in April. Salted Hash, looking to confirm her findings, discovered the same posts and files in short order.

The hacker claiming responsibility for the breach says they’re from Thailand, and started boasting about being out of reach of U.S. law enforcement because of location alone. As for local law enforcement, they’re confident they can bribe their way out of trouble, so they continued to post Adult Friend Finder records.

Using the handle ROR[RG], the hacker claims to have breached the adult website out of revenge, because a friend of theirs is owed money – $247,938.28. They later posted a $100,000 USD ransom demand to the forum in order to prevent further leaks.

In all, across 15 different CSV files, ROR[RG] posted 3,528,458 records. The files are database dumps with 27 fields in total; the most important being IP address, email, handle, country, state, zip code, language, sex, race, and birth date. Dates confirm that the data is at least 74-days old.

Here’s what AdultFriendFinder had to say:

“FriendFinder Networks Inc. has just been made aware of a potential data security issue and understands and fully appreciates the seriousness of the issue. We have already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert, Mandiant, a FireEye Company, the law firm of Holland & Knight, and a global public relations firm that specializes in cyber security.

“Until the investigation is completed, it will be difficult to determine with certainty the full scope of the incident, but we will continue to work vigilantly to address this potential issue and will provide updates as we learn more from our investigation. We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected.”

Sure you will. Either you were covering things up until you were forced to admit it, or you were asleep at the switch, or your IT security sucks. That’s bad any way you slice it, and users of the website should be outraged. The only good thing they did was bring in Mandiant to look into this. Maybe they’ll whip the website into shape.

So why am I being so harsh on AdultFriendFinder? Simple: this hack hurts people who really didn’t need it known that they surf the Internet looking for Mr./Ms. Right or Mr./Ms. Right Now. Let me illustrate how this hurts people:

The problem that came to light was that, buried in the data, people were using their work email address to register for Adult Friend Finder. It was noticed by some folks I spoke with who were familiar with the data, that there were email addresses for folks serving in the US Army, US Air Force, Australian military as well as members of the Colombian, Brazilian and the Canadian Forces. That was just based on a cursory search.

Further to that end, according to the leaked data, government related email addresses showed that staffers from around the world had registered with their work email. Rather amazing that people would do such a thing.

So, why is this a problem? Well, an enterprising sort could track a person back through some simple searches. In one scenario someone would be possibly able to find a military personnel’s home address, current station, and…the names of his wife and children just as an example scenario.

Now, I could say that anyone dumb enough to use their work e-mail address to register on this site deserves to have their privacy invaded. But that’s wrong. Nobody deserves to have their privacy invaded. Ever. Hopefully the low lives responsible get caught and jailed, as hacks that violate people’s privacy should not be tolerated.
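The work-address problem cuts the other way too: if you run security for an organization, a dump like this is something to triage for your own domains before someone else does. Here is an added example (not from the original post or from Salted Hash) that does that over a CSV in the shape the article describes, one record per row with an email column. The rows, domains and column names are constructed for the example.

```python
"""Added example (not from the original post or Salted Hash): triage a breach
dump for addresses belonging to your own organization, the check an IT or
security team should run against a leak like this one. Input is a CSV with
one row per record and an email column; rows, domains and column names below
are constructed for the example."""
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample resembling a dump: a handful of the 27 fields.
SAMPLE_CSV = """id,handle,email,ip,country,birth_date
1,nightowl,j.doe@example.mil,203.0.113.5,US,1980-02-01
2,foxtrot,a.smith@mail.example.mil,198.51.100.9,US,1975-11-23
3,roadrunner,bob@personal.example.net,192.0.2.44,CA,1990-06-30
4,blue,Carol.Jones@example.gc.ca,198.51.100.77,CA,1985-09-09
5,ghost,malformed-no-at-sign,192.0.2.1,BR,1979-01-01
6,quiet,dan@corp.example.com,203.0.113.200,AU,1988-12-12
"""

# Domains the operator cares about. A match covers the domain itself and
# every subdomain, so 'mail.example.mil' falls under 'example.mil'.
WATCH_DOMAINS = {"example.mil", "example.gc.ca", "corp.example.com"}


def email_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it is not an address."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return ""
    local, domain = addr.split("@")
    return domain if local and domain else ""


def matches_watchlist(domain: str, watch: Iterable[str]) -> str:
    """The watchlist entry a domain falls under (exact or subdomain), or ''."""
    if not domain:
        return ""
    for w in watch:
        if domain == w or domain.endswith("." + w):
            return w
    return ""


def triage(csv_text: str, watch: Iterable[str],
           email_col: str = "email") -> Tuple[Dict[str, int], List[dict]]:
    """Count exposed records per watched domain and return the matching rows."""
    counts: Counter = Counter()
    hits: List[dict] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        w = matches_watchlist(email_domain(row.get(email_col) or ""), watch)
        if w:
            counts[w] += 1
            hits.append(row)
    return dict(counts), hits


if __name__ == "__main__":
    per_domain, rows = triage(SAMPLE_CSV, WATCH_DOMAINS)
    print(per_domain)
    for r in rows:
        # Report handle and address only; the other fields stay in the dump.
        print(r["handle"], r["email"])
```

On a real dump, feed the file through `triage` with your own domain list and treat the hits as an account-security incident for those users (password resets on any account that shares the address, and a quiet word about the exposure), not as a disciplinary matter.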

Woman Gets Fired Because She Deleted App From Her Workplace That Tracked Her 24/7

Posted in Commentary on May 11, 2015 by itnerd

A California woman is suing her former employer for invasion of privacy, labor infractions and wrongful termination. Here’s the shocking part: she was fired because she uninstalled a GPS-enabled app called Xora that her employer required, and that tracked her every move, 24/7, even when she was not working.

Wow.

Here’s a snippet from Ars Technica, who broke the story:

Plaintiff Myrna Arias, a former Bakersfield sales executive for money transfer service Intermex, claims in a state court lawsuit that her boss, John Stubits, fired her shortly after she uninstalled the job-management Xora app that she and her colleagues were required to use. According to her suit (PDF) in Kern County Superior Court:

After researching the app and speaking with a trainer from Xora, Plaintiff and her co-workers asked whether Intermex would be monitoring their movements while off duty. Stubits admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she installed the app on her phone. Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to Stubits that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed Stubits that his actions were illegal. Stubits replied that she should tolerate the illegal intrusion…..

Intermex did not immediately respond for comment.

She’s looking for something north of $500K from her ex-employer.

My take? If this isn’t the ultimate invasion of someone’s privacy, I don’t know what is. I really hope Intermex comes out on the wrong end of this lawsuit, and/or that the bad press it’s generating hurts them financially. There’s no way this can be considered acceptable behavior by an employer.

You can bet that I’ll be watching this for further developments.

Bell Stops Tracking Its Users For Profit

Posted in Commentary on April 14, 2015 by itnerd

You might remember that Canadian telco Bell Canada was tracking its users’ online activity, unless they opted out, to build detailed profiles for advertisers and make a few bucks off them. That seems to have come to an end, for now. The Privacy Commissioner of Canada has told Bell that what it was doing is not cool:

In a report made public last Tuesday, [Privacy Commissioner Daniel] Therrien’s office ruled the program violated federal privacy laws, and should be limited to only those customers who explicitly volunteer to be tracked.

Bell initially blew the commissioner off, but changed its tune once the report was made public. The telco is now going to stop tracking users and delete the data it has collected. That’s cool. Except that Bell is also going to reintroduce the program and ask users to opt in. Honestly, I would never do that and I can’t see why anyone else would, which is exactly why Bell made it opt out rather than opt in in the first place. But at least it’s legal now. Hopefully the Privacy Commissioner is keeping an eye on them to make sure they don’t do anything else that violates privacy laws in Canada.

New Zealand Customs Officials Want Your Passwords And Encryption Keys

Posted in Commentary on March 20, 2015 by itnerd

Seeing as I just came back from that part of the world a week ago, I noticed the news that New Zealand Customs officials want the power to compel travelers to hand over passwords to electronic devices as well as encryption keys. What has people upset is that they would not need reasonable suspicion to do so, though the head of NZ Customs says that’s not the intention. Here’s what New Zealand Customs Service chief executive Carolyn Tremain had to say:

“The reality is we have 11 million people crossing the border and a limited amount of resources which we are always going to prioritise by taking a risk-assessment approach. We are not saying every 10th person would be inspected.”

She also goes on to say that countries including Canada already do this. My understanding is that in Canada this is only done if there are reasonable and probable grounds, so it’s not quite the same thing. But perhaps someone in the know could clarify.

Here’s why this isn’t going to have the desired effect for New Zealand, or for anyone else who thinks it’s a good idea. People will simply travel with clean computers and smartphones and download anything they need once in the country from Dropbox or another cloud service. Or they will back up their laptop or smartphone to the cloud, wipe the device, cross the border and restore it in their hotel room. That’s very easy to do these days. Either way, Customs will never see it, and they won’t stop a single evildoer.

Now, I don’t have a problem with giving customs officials access to laptops and smartphones when they suspect someone has done something wrong. But a blanket ability to do so is the wrong approach. New Zealand really needs to rethink this, as it’s really not a good idea.
