Showing posts with label Menu. Show all posts

Mar 2, 2011

How to protect your data privacy on social networks

Studies have said public speaking makes as many as 3 out of 4 people anxious. But that was before Facebook.
The 650 million people on Facebook suggest that most of us are getting over—or want to get over—that fear of communicating (or at least sharing pictures) in public. In just a few years, Twitter, YouTube and Facebook have given billions of people the chance to connect to an audience they would never have had access to before.
But now that you’re becoming comfortable in public, you may begin to wonder: Am I revealing too much? In a world with the NSA, TMZ and Wikileaks, do I have any privacy? Is it possible to be a public person and still protect my information from being misused?
Friday January 28 is Data Privacy Day 2011, an international celebration of the dignity of the individual represented through personal information. Protecting your irreplaceable data is our mission and we take this mission very seriously. (Here is F-Secure’s Privacy Policy.)
The risks
The more visible, attractive or rich you are, the more you’re a target for the haters, the stalkers and online criminals of the 21st century. Heck, if you have a credit card, you’re a target for both the online criminals and unscrupulous marketers of the world.
Sharing personal information in an age where data can travel faster than lightning requires a 21st century view of data privacy. Some think it’s vain to worry about privacy. But don’t think about your ego, think about social engineering.
Wiktionary describes social engineering as “The practice of tricking a user into giving, or giving access to, sensitive information, thereby bypassing most or all protection.” Criminals have discovered that human error is the easiest vulnerability to exploit. If you’re not careful, your private data (or even public data) can be used to fool you into making mistakes that even your award-winning Internet Security can’t prevent.
Ignorance may be bliss, but it’s not an excuse. Once your private data is stolen, you’ll have to deal with the consequences. The good news is that you can do a lot to make your data more secure.
My nephew once told me, “Facebook is so easy that even old people can use it.” And by old people, he meant me.
I agree with my nephew. Most people who use social media don’t suffer significant negative consequences for doing so—or there wouldn’t be millions of new people trying it every day. Stories of people being fired or arrested for what they’ve done on Facebook are rare. But they get lots of attention because Facebook is the superstar everyone knows.
Only a small percentage of those on social media fall victim to the worst of identity theft, malware or scams. And that’s still too many people suffering needlessly—especially because most of these scourges are avoidable.
The lessons
If you learned to manage the benefits and risks of email, you can do the same for social media. Here are a few things you can do to help keep your private data private.
1. Decide why you’re social networking.
For some, social networking is an extension of your private life. You mostly interact with people you know or would like to know in the real world. The main topics of conversation are personal. Even when you delve into entertainment or politics or sports, it’s about sharing opinions to have fun and connect. Intimacy is the goal so private things are often shared nonchalantly. For instance, you might reveal what you did on a day when you played hooky from school or work.
For others, social networking is like interacting at a conference. You’re seeking out people in your industry or whom you admire. Conversation is like a cocktail party—being interesting and on-topic matters. When you talk about entertainment or politics or sports, it’s a way to network and establish trust. You want people to feel like they know you, but getting too personal too fast raises red flags. For instance, you may reveal what you did on your vacation but only in a way that you wouldn’t mind your boss reading.
For a growing number of people, social networking is a chance to build a little fame or fortune. You’re looking for an audience who trusts and enjoys you to the point you might even sell them things. You converse with fellow influencers and friends but you also broadcast for a targeted or general audience. When you talk about entertainment or politics or sports, you’re entertaining or engaging an audience while establishing expertise. You may share extremely private details or never talk about your personal life. Either way, you’re establishing a persona that’s relatable to the audience you’re trying to attract. For instance, you may reveal a joke a well-known person shared with you.
By the time they’ve been out of college for a few years, most people have tried out some variation of each of these approaches to social media. And your approach definitely affects your data security.
The rule is: the bigger the audience you seek, the more you have to think about the information you share.
All of us have to protect our ID, account and phone numbers, our address and our mother’s maiden name. But if you’re an aspiring Disney star or class president, you have to think about which pictures you take—since you know they’ll all be posted eventually. And George Clooney probably shouldn’t use Foursquare to share his location unless he wants to spend his day shaking hands or filing restraining orders.
We all need to be cautious about sharing details that can be used to scam us. If you achieve, or accidentally achieve, fame, your privacy will become even more precious. So if you want to be internet famous, you need to be savvy about which information you share online—or you’ll have to hire people who are.
2. Secure your systems
Don’t use the default password for your voicemail or anything else. Use strong, unique passwords for all your accounts. Don’t use work email addresses or passwords for social accounts. Put security software on your PC and your mobile device, if possible. Password protect your Wi-Fi networks. Turn on secure browsing on Facebook. Put a remote lock on your mobile phone. Always lock your PC and mobile devices when you aren’t using them. Keep your system and application software updated. (Our free Health Check makes that easy.) Turn off GPS on your phone and pictures if you don’t want strangers to know your location.
3. Choose services you trust
Any store, service or site that has your data should have a privacy policy. A key feature of a good privacy policy is that your data will not be shared or sold. By 2011, most reputable online businesses have privacy policies that make that basic promise. But in addition to privacy, you also have to trust that any organization holding your data has security that won’t be compromised. Quality can have a price. If privacy is more important to you than cost, you can buy dedicated email services that won’t serve you ads. Whether they charge or not, you should only use reputable online services you trust. Before you enter any data into any website, think, “Do I trust this organization?” If there’s any doubt, ask others what they think.
4. On a social network, your information could be shared with everyone, no matter what your privacy settings are.
Twitter is simple. There are two privacy settings: everyone or “Protect my tweets”. But even if you go with the protected option, your approved followers can still retweet your information to everyone. Facebook’s privacy settings are much more complex. They’re so complex that it almost feels like you should get college credits for really using them. Going with “Friends Only” is a good start, then you have to decide if you want your page on Google (if you don’t want your Facebook page to show up on Google, go to Account > Privacy Settings > Apps and Websites: Edit your settings > Public Search: Edit Settings > Uncheck Enable public search)  and if you want to automatically share your information with other websites.
The safest rule is: get your settings right and still assume that what you post could go public, so only share information you wouldn’t mind a future boss (or fan) seeing. NEVER share information that could be used to crack your passwords. Also keep in mind which of the information you’re sharing could be used by identity thieves and social engineers.
5. Be available or don’t
There is a difference between following and friending people. You can follow a lot of people but our brains can only handle around 130 friends. Rejecting or ignoring friend requests can be emotionally difficult, but your privacy is more important than others’ feelings. I say follow anyone on Twitter but on Facebook I’d recommend only befriending people you know or trust. And realize that the person is your friend, not their links. If anyone begins to spam you, let them know the problem. If they keep spamming, unfriend them. If anyone harasses you at all, block their communication. If you’re threatened, contact law enforcement.
You have the right to keep your private data secure while living your digital life to the fullest. All you have to do is respect your own data privacy and do your best to make sure that the people and businesses you interact with do the same.

Feb 16, 2011

WiFi + Airport = Lost password

As most travelers know, many airports and VIP lounges offer Wi-Fi connectivity but, unfortunately, these connections are rarely encrypted. Here’s an example:

All data sent and received travels in clear text, which means anyone could intercept the data for malicious purposes. This unencrypted data could include passwords, logins, financial information like PIN codes, etc.
Many people also know that it’s always better to use a VPN connection. However, in many cases, VPN connections are filtered out and blocked by rules on the network firewall. I tried two different protocols and both were blocked. Network administrators mostly don’t allow VPNs from public Wi-Fi access points because they want to make sure the network isn’t being used for malicious purposes without leaving readable network logs. These policies actually make it easy for the bad guys to launch man-in-the-middle attacks, in which all traffic passes through a malicious host.

The reality is that using a public Wi-Fi service can expose your really sensitive data to cybercriminals. Recently, we saw some famous people lose their Facebook and other social network passwords by using open (insecure) Wi-Fi connections.

So what is the solution when your VPN is blocked? Well, in some cases, an SSL (https) connection may help. Before going to any Web site, type https:// and then the domain name into the address bar. After the page is loaded, check that the certificate used for encryption is a valid one and was issued to the site you’re visiting. If you see something wrong with the certificate, stop using the site.
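The two properties the post tells you to check by hand, that the certificate is still within its validity period and that it was issued to the site you typed in, are exactly what a browser verifies before it shows the padlock. The following is an added example and not code from the original post: it applies those two checks to a certificate dictionary in the shape Python’s `ssl` module returns from `getpeercert()`. The certificate itself (`SAMPLE_CERT`, the `example-bank.test` names and its dates) is constructed for the demonstration; the host-name matching follows the RFC 6125 rules for wildcards, which goes a little beyond the post’s one-line instruction.

```python
import ssl
import time

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for a
# verified peer. Only the fields these checks need are present.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-bank.test"),
        ("DNS", "*.login.example-bank.test"),
    ),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}

# Constructed "current time" so the example is reproducible: mid-February 2011.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 16 12:00:00 2011 GMT")


def _label_matches(pattern, label):
    """Compare one DNS label; only a bare '*' acts as a wildcard."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def name_matches_host(cert_name, hostname):
    """RFC 6125 style match: label counts must agree, a wildcard may only be
    the whole leftmost label, and '*.tld' certificates are rejected."""
    cert_labels = cert_name.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_labels[1:]:
        return False
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))


def cert_issued_to(cert, hostname):
    """True if a DNS subjectAltName (or, if there are none, the CN) names the host."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches_host(n, hostname) for n in names)


def cert_valid_at(cert, now):
    """True if 'now' (seconds since the epoch) lies inside notBefore..notAfter."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate is for
    this host and is within its validity period."""
    now = time.time() if now is None else now
    problems = []
    if not cert_issued_to(cert, hostname):
        problems.append("certificate was not issued to %s" % hostname)
    if not cert_valid_at(cert, now):
        problems.append("certificate is outside its validity period")
    return problems


if __name__ == "__main__":
    for host in ("www.example-bank.test", "sso.login.example-bank.test", "www.evil.test"):
        print(host, check_certificate(SAMPLE_CERT, host, SAMPLE_NOW) or "ok")
```

On a live connection the dictionary comes from `ssl.create_default_context()` plus `getpeercert()` on the wrapped socket; the point of the example is that a certificate for `www.evil.test` fails the issued-to check even when it is otherwise valid, which is the “wrong with the certificate” case the post tells you to stop on.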
Another solution is to use a cable Ethernet connection instead of Wi-Fi. Many lounges offer such connections as well; it will be much safer for you.
In any case, if you’re connected from a public place, it’s better not to use eBanking or ePayment services. That data is the main target for criminals. So, travel safe and keep your personal data safe as well!

Feb 15, 2011

iPhone passwords succumb to researchers' attack


Researchers at the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, have found a way to steal passwords found in the Apple iPhone's keychain services within six minutes.

In order to steal passwords, the researchers said, the attacker must have the actual, physical iPhone in hand--this isn't a remote maneuver. First, the attacker has to jailbreak the iPhone, and then must install an SSH server on the smartphone to be able to run unrestricted programs. The researchers also created a "keychain access script" that they then copied to the iPhone. After executing that script, they found that they were able to decrypt and see some passwords saved in the keychain.

Over the past year, several iPhone exploits have been revealed by researchers around the world, including some that attack vulnerabilities in the mobile Safari browser. But at least so far, the issues have affected users who jailbreak their own devices. Even in the Fraunhofer Institute's case, a non-jailbroken iPhone will not reveal keychain passwords. Jailbreaking is the process of bypassing the restrictions that Apple sets up to keep users from tinkering with the device's underlying system software.

Researchers said that this latest issue has to do with how iOS handles encryption--namely, that "encryption is independent of the personal password to protect access to the device properly." In other words, even if a user protects access to the iPhone--or any other iOS-based device--with a passcode, it won't be enough to stop hackers from using this method to access saved passwords in the keychain.

It should be noted that the proof-of-concept maneuver would not reveal passwords for Web sites. Services like Gmail, AOL Mail, Yahoo Mail, and others with "protected" passwords "were available to the script only after entering the passcode to unlock the device, which by assumption, should not be possible for an attacker," the researchers noted.

But the folks at Fraunhofer Institute don't necessarily believe that iPhone owners should assume that they will be safe if they don't jailbreak their iPhones. In their scenario, the researchers assumed that the iPhone was stolen and the person who took it knew how to jailbreak the device and create and run scripts. They said in their evaluation of their proof-of-concept that the difficulty level of exploiting the vulnerability is "low."

"Owners of a lost or stolen iOS device should therefore quickly initiate a change of all stored passwords," the researchers wrote in their report. "Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts."

Malicious hackers are increasingly turning towards the mobile market to target unsuspecting victims.

Earlier this week, security firm McAfee revealed that mobile malware threats were up 46 percent last year. The company said that it expects "cybercriminal activity" in the mobile market to surge in 2011.


Data theft attacks besiege oil industry, McAfee says

A McAfee diagram of how the Night Dragon attacks proceeded.
(Credit: McAfee)

For years, companies in the oil and energy industry have been the victims of attempts by hackers believed to be in China to steal e-mail and other sensitive information, according to a new report from McAfee.

The attacks, to which McAfee gave the sinister name "Night Dragon," penetrated company networks through Web servers, compromised desktop computers, bypassed safeguards by misusing administrative credentials, and used remote administration tools to obtain the information, the security firm said late yesterday. McAfee and other security companies now have identified the method and can provide a defense.

"Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets," McAfee said in a white paper (PDF) published today.

And the attack was at least partially successful, McAfee said: "Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers. In some cases, the files were copied to and downloaded from company Web servers by the attackers. In certain cases, the attackers collected data from SCADA systems," the supervisory control and data acquisition systems that control and monitor industrial processes.

McAfee didn't reveal details about what SCADA data was involved, but it's a potentially serious matter: such systems are at the operational heart of everything from oil pipelines and refineries to factories and electrical power distribution networks.

McAfee told The Wall Street Journal that the attacks appeared to be purely about espionage, not sabotage. The latter possibility has become a more vivid fear with the Stuxnet attack that apparently damaged Iranian nuclear operations. China is a particular concern: it's a rising industrial power that Google has implicated in attempts to crack its own network and obtain sensitive information.

McAfee notified the FBI of the Night Dragon attacks, and the FBI is investigating, the Journal reported.

Several Night Dragon attacks were launched in November 2009, McAfee Chief Technology Officer George Kurtz said in a blog post, but attacks have been going on for at least two years and likely as long as four.

"We have strong evidence suggesting that the attackers were based in China," Kurtz said. "The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups."

The attacks themselves used a variety of methods that, although described as "relatively unsophisticated," were nonetheless effective.

First came an attack to compromise a Web server that then became a host for a variety of hacking tools that could probe the company's internal network. Password cracking and other tools were used to gain access to PCs and servers. Remote administration software, including one called zwShell, let attackers control compromised Windows PCs to gather more data and push the attack toward more sensitive areas.

An appendix of the white paper offers more details on the Chinese connection:
While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers--this individual is based in Heze City, Shandong Province, China. Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.
The individual runs a company that, according to the company's advertisements, provides "Hosted Servers in the U.S. with no records kept" for as little as 68 RMB (US$10) per year for 100 MB of space. The company's U.S.-based leased servers have been used to host the zwShell C&C [command and control] application that controlled machines across the victim companies.
Beyond the connection to the hosting services reseller operation, there is other evidence indicating that the attackers were of Chinese origin. Beyond the curious use of the "zw.china" password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP [Internet Protocol] addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were "company men" working on a regular job, rather than freelance or unprofessional hackers. In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords...
Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else.
The early phase of the Night Dragon attack gains access to Web servers.
(Credit: McAfee)
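The appendix quoted above leans on a timing observation for attribution: the exfiltration activity fell on weekdays between 9:00 a.m. and 5:00 p.m. Beijing time, the pattern of people working a regular job. The following is an added example, not from McAfee’s report or the article, showing how a defender can test that kind of claim against their own logs: convert each event’s UTC timestamp into a candidate local zone, count how many land in a weekday working window, and compare zones. The log lines are constructed (timestamps are invented and the addresses are from the 203.0.113.0/24 documentation range, not real indicators); China Standard Time has no daylight saving, so a fixed UTC+8 offset is exact, and the US Eastern comparison uses UTC-5 because the sample dates fall in February.

```python
from datetime import datetime, timedelta, timezone

# Constructed exfiltration records: "<UTC timestamp> <source IP> <event> <bytes>".
# Addresses come from the 203.0.113.0/24 documentation range and are not indicators.
SAMPLE_LOG = """\
2011-02-01T02:13:44Z 203.0.113.7 exfil 12400000
2011-02-01T06:45:02Z 203.0.113.7 exfil 8100000
2011-02-02T01:05:10Z 203.0.113.9 exfil 20500000
2011-02-03T08:59:59Z 203.0.113.7 exfil 4400000
2011-02-04T04:00:00Z 203.0.113.9 exfil 900000
2011-02-04T15:10:00Z 203.0.113.9 exfil 300000
2011-02-05T03:30:00Z 203.0.113.7 exfil 1200000
"""

BUSINESS_HOURS = range(9, 17)  # 09:00 up to, but not including, 17:00


def parse_events(log_text):
    """Return one timezone-aware UTC datetime per non-empty log line."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(dt)
    return events


def working_hours_profile(events, utc_offset_hours):
    """Count events that fall on a weekday inside BUSINESS_HOURS in a zone at a
    fixed offset from UTC. Returns (in_hours, total)."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    in_hours = 0
    for dt in events:
        local = dt.astimezone(zone)
        if local.weekday() < 5 and local.hour in BUSINESS_HOURS:
            in_hours += 1
    return in_hours, len(events)


def hour_histogram(events, utc_offset_hours):
    """Events per local hour of day; a daytime hump is the shape to look for."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for dt in events:
        hist[dt.astimezone(zone).hour] += 1
    return hist


def most_consistent_offset(events, candidate_offsets):
    """The UTC offset whose weekday 09:00-17:00 window covers the most events.
    This is a heuristic, not proof: it says where the activity looks like
    office hours, nothing more."""
    return max(candidate_offsets, key=lambda off: working_hours_profile(events, off)[0])


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for label, offset in (("Beijing, UTC+8", 8), ("US Eastern, UTC-5", -5)):
        hit, total = working_hours_profile(events, offset)
        print("%-18s %d of %d events in weekday working hours" % (label, hit, total))
    print("best-fitting offset: UTC%+d" % most_consistent_offset(events, range(-12, 15)))
```

Run on the constructed sample, the same seven events look like daytime office work at UTC+8 and like overnight activity at UTC-5. On real data the histogram matters more than the single count: a flat distribution across 24 hours suggests automation or a distributed crew, which is a different conclusion from the one McAfee drew.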


Feb 10, 2011

Sandboxing to come in Avast 6

Free security suites have long been offering protection for Windows computers that has ranged from adequate to excellent. After using the Avast 6 beta for the past week, it looks like Avast 6 will land far closer to the high end of the spectrum thanks to its new WebRep browser add-on and sandbox environment, unique in the free antivirus marketplace. 


Avast 6 Free will come with a sandbox feature to isolate risky programs while they run.
(Credit: Screenshot by Seth Rosenblatt)
 
The security suite is available in three forms: Free Antivirus, which replicates the features available in the upcoming Avast 6 Free; Pro Antivirus, which offers a 30-day trial for checking out Avast's first level of paid security; and Internet Security, which ramps up the feature set to include more security tools. 

The biggest new feature is the AutoSandbox, which walls off suspicious programs, preventing them from potentially damaging your system while allowing them to run. Few details have been provided so far as to how the AutoSandbox works; however, a response from an Avast employee on Avast's forums gave some indication. Avast's sandbox allows the program to run, while keeping track of which files are opened, created, or renamed, and what it reads and writes from the Registry. These permanent changes are virtualized, so when the process terminates itself, the system changes it made will evaporate. 

The AutoSandbox settings are accessible from the new Additional Protection option on the left nav. It defaults to asking the user whether a program should be sandboxed, although you can set it to automatically decide. There's a whitelist option for programs that you always want to exclude from the sandbox, and you can deactivate the feature entirely. 

Avast 6 will come with an optional browser plug-in for Internet Explorer and Firefox called WebRep, which is Avast's new Web site reputation service. It uses a combination of data from Avast's virus labs and user voting to determine a safety score for a site. Similar add-ons are a common tool available in most antivirus suites, so it's good to see Avast join them. Like its competitors, Avast appears to have ignored Google Chrome and its 10 percent market share when it comes to search result rating add-ons. However, Avast has promised that the Chrome add-on will be released soon. 

The browser add-ons install when installing Avast 6. If you don't want them, it's actually easier to remove them from within Avast instead of within the browser. Currently, removing the add-on using the browser's interface will cue Avast to re-install the add-on the next time the computer is rebooted. 

Other new features have been introduced in Avast 6 beta. The Troubleshooting section now comes with a "restore factory settings" option, there's a new sidebar gadget for Windows 7 and Vista, and you can set automatic actions in the boot-time scan. Two features that have filtered down to the free version are the Script Shield and site blocking. The Script Shield now works with Internet Explorer 8 and 9's protected mode. Meanwhile, the paid versions have gained some new features, such as SafeZone, a virtualization feature for secure online banking. The installer has shrunk for all versions by about 20 percent. 


Avast 6 Free also comes with the optional WebRep add-on, for rating search results and Web sites.
(Credit: Screenshot by Seth Rosenblatt)
 
The initial build of the program was buggy and actually caused my computer to enter into a crash loop that I escaped by booting into Safe Mode and removing it. However, subsequent builds have proven to be far more stable. Note that if you do install the beta, you'll have to completely uninstall your current antivirus program, even if it's Avast 5. The company expects to have an upgrade mechanism in place by the time Avast 6 is ready for wide distribution. 

Other known problems in the beta include the fact that the SafeZone feature doesn't work yet and that the firewall in the paid versions conflicts with uTorrent.
Performance benchmarks are not available because of the in-development nature of this release. It's simply changing too quickly for benchmarks to provide any useful information, given the time it takes to conduct them. 

Although the suite looks good and bodes well for the coming public release, this is a beta product and so it's not recommended for security duties on your primary or only computer. However, it's well worth exploring on secondary machines, and it's encouraging to see Avast not laying fallow after the gains made in version 5.


The beta announcement thread on the Avast forums can be read here.

Feb 9, 2011

Firefox beta to Web: 'Do Not Track'

Firefox 4 beta 11 has landed a useful security feature for people who are sick of "stalkertizements," those cookie-based ads that use your browsing history to target ads at your perceived tastes. The new "Do Not Track" feature in Firefox 4 beta 11 for Windows, Mac, and Linux sends out a header that tells Web sites that you want to opt out of behavioral tracking, though Mozilla cautions in a blog post that it will take some time for sites and advertisers to respond to the header. 

This diagram shows how Firefox's new 'Do Not Track' feature works.
(Credit: Mozilla)
 
The feature can be toggled via a check box in the Advanced tab of Firefox's Options window. 

Mozilla privacy lead Alex Fowler said that the engineers decided to base the feature in the header sent from the browser because it's something that all Web pages read as they load. A blacklist or cookie-based solution would be harder to implement across different browsers. He acknowledged that successful implementation of "Do Not Track" also depends on advertisers and site owners respecting that incoming header.
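Fowler’s point is that the browser only sends a header; whether anything changes depends on the receiving site acting on it. The following is an added example, not Mozilla’s code or anything from the article, showing the server side of that exchange: an ad endpoint reads the preference and withholds its behavioural-tracking cookie when the visitor has opted out. The header names are assumptions, since the article does not name them: `DNT` (the name that was later standardized) and `X-Do-Not-Track` (the name carried by early Firefox 4 builds). The `Tk` response header comes from the W3C Tracking Preference Expression draft, not from the article, and the request dictionaries are constructed.

```python
# Header names assumed here, since the article does not name them: "DNT" and the
# early Firefox spelling "X-Do-Not-Track". "Tk" is the W3C tracking-status
# response header. All requests below are constructed for the demonstration.

TRACKING_HEADERS = ("DNT", "X-Do-Not-Track")


def get_header(headers, name):
    """Case-insensitive lookup in a dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def tracking_preference(headers):
    """Return 'opt-out' for a '1', 'consent' for an explicit '0', or None when
    the visitor expressed no preference (the header is absent)."""
    for name in TRACKING_HEADERS:
        value = get_header(headers, name)
        if value == "1":
            return "opt-out"
        if value == "0":
            return "consent"
    return None


def build_response_headers(request_headers, visitor_id):
    """Decide whether this ad response may set a behavioural-tracking cookie.
    Returns the (name, value) response headers in order."""
    response = [("Content-Type", "text/html")]
    if tracking_preference(request_headers) == "opt-out":
        # Honour the signal: no tracking cookie, and say so with Tk: N.
        response.append(("Tk", "N"))
    else:
        response.append(("Tk", "T"))
        response.append(("Set-Cookie", "trk=%s; Path=/; HttpOnly" % visitor_id))
    return response


def sets_tracking_cookie(response_headers):
    """True if the response plants the 'trk' cookie."""
    return any(name == "Set-Cookie" and value.startswith("trk=")
               for name, value in response_headers)


# Constructed requests: one from a browser sending the opt-out, one that is silent.
OPT_OUT_REQUEST = {"Host": "ads.example.test", "dnt": "1", "User-Agent": "Mozilla/5.0"}
SILENT_REQUEST = {"Host": "ads.example.test", "User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for label, req in (("opt-out", OPT_OUT_REQUEST), ("silent", SILENT_REQUEST)):
        print(label, build_response_headers(req, "4f2a"))
```

The lookup is case-insensitive because header names arrive in whatever casing the client chose, and an absent header is deliberately distinguished from an explicit `0`: the first says nothing about the visitor, the second is consent.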


He added that the initial stages of a legislative fix are under way as at least one member of Congress--Rep. Jackie Speier (D-Calif.)--plans to introduce a bill ordering the Federal Trade Commission to create a "Do Not Track" program for advertisers. However, a second bill also being proposed does not include the "Do Not Track" option. Both might have a hard time passing in today's antiprivacy climate, although a bill with "Do Not Track" would be the harder sell because of its stronger privacy controls. 

Mozilla security and privacy engineer Sid Stamm has documented the technical implementation of "Do Not Track." 

Other changes in Firefox 4 beta 11--which Mozilla hopes will be the penultimate Firefox 4 beta--include moving connection status messages to a small overlay window, re-enabling WebGL on Linux, disabling automatic switching to offline mode when no network connection is detected, and a redesign of the default about:home page. The full changelog is available here.
