Google knows what you searched last summer

Despite all the controversy, Google rolled out its new Privacy Policy last Thursday, and whether you like it or not, you are being watched.

Being realistic, this is not far from what they were already doing: Google already tracked your searches, what you watch on YouTube and your emails.

But before March 1st, Google Plus, YouTube, Gmail and almost 60 other Google products kept their data in separate databases. With this change, Google gives itself the right to pool all of those products in one big place, put one and one and one together to build a better and more complete profile of YOUR online behaviour, and use it to chase YOU with their ads.

And you can’t opt out. If you want to use any Google product, you are under their privacy policy.

It would be nonsense for me to tell you to stop using Google products. Almost everything you do on the internet today, from searches and email to finding a street or comparing product prices, goes through a Google product or is related to one.

But you can at least reduce the amount of information Google is able to collect about you.

You can, for instance, delete your Google history by going to https://www.google.com/history/ and clicking the button “Remove all Web History”.

You can also configure your advertising settings here: https://www.google.com/settings/u/0/ads/preferences/

There you can edit your settings or even opt out.


Another way to “confuse” Google is to create a different account for each Google service (if you can keep up with all the usernames and passwords).

Or, when watching a video on YouTube or searching the web, make sure you are not logged in to your Google account.

There is also the possibility of using browser plugins that protect your data, or even anonymous proxies (keep in mind that a proxy hides your address, not the cookies that identify you; clear those too).

But the truth is, as soon as you type on your computer, click anything, visit a page, talk through Skype, or even talk on a telephone (mobile or fixed), those who want to can spy on you.

At least now Google is coming clean and telling you that they are spying on you. That makes more sense to me than living in a fool’s paradise where you still believe you have control over your life.

Smart Grid Privacy

I have recently joined the IETF Smart Grid group to see what people were saying about it and to put my fears about security and privacy to rest. What I saw was a bunch of experts discussing the plethora of standards that could be applied (very important), but few people seemed interested in the privacy issue.

If you look at the IEEE page on Smart Grids, besides smart generation / distribution / reception (very important) there is a paragraph on the interaction between the grid and customers, which is very careful not to mention invasive techniques that would let the grid control the customer’s appliances:

“Intelligent appliances capable of deciding when to consume power based on pre-set customer preferences.”

Here, the focus is on letting the appliances decide what to do to save power, not the grid or the provider. Later in the same paragraph:

“Early tests with smart grids have shown that consumers can save up to 25% on their energy usage by simply providing them with information on that usage and the tools to manage it.”

Again, it stresses that providers will only “provide [the customer] with information”. In other words, the grid is smart up to the smart meter (which is controlled by the provider); inside people’s houses it is the appliances that have to be smart. One pertinent comment from Hector Santos in the IETF group:

“Security (mostly privacy) issues, I believe, have been sedated over the years with the change in consumer mindset. Tomorrow’s (and to a large extent today’s) generation of consumers will not even give it a second thought. They will not even realize that it was once considered a social engineering taboo to conflict with user privacy issues.”

I hate to be a pessimist, but there is a very important truth in this. Not only are people allowing systems to store their data for completely different reasons, but they don’t care whether the owner of the system will distribute their information or not. I myself, always paranoid, have signed contracts with providers knowing that they would use and sell my data to third parties. British Telecom is one good example. He continues:

“Just look how social networking and the drive to share more, not less, has changed the consumer mindset. Tomorrow’s engineers will be part of all this new mindset.”

There is no social engineering any more like there used to be. Who needs to steal your information when it’s already there, on your Facebook? People share willingly, and a lot of them know what problems it may cause, but the benefit, for them, is greater. Moreover, millions bought music, games and films with DRM, allowing a company to control what you do, see or listen to. How many Kindles were bought? How many iPhones? People don’t care what’s going on as long as they have what they want.

That is the true meaning of sedated privacy concerns. It’s a very distorted kind of selfishness, where you don’t care about yourself as long as you are happy. If it makes no sense to you, don’t worry, it makes no sense to me either.

Recently, the Future of Privacy Forum published an excellent analysis (via Ars) of smart grid privacy. Several concepts whose dangers are easy to understand have become things nobody thinks about, or are even considered silly worries, given that no one cares anyway.

An evil use of a similar technology is “Selectable Output Control”. Just like the Kindle, the media companies want to make sure you only watch what you pay for. It may seem fair, and even cheaper, as it allows “smart pricing”, like some smart-grid technologies.

But we have all seen what Amazon did to Kindle users, or what Apple did with its App Store: taking down content without warning, removing things you paid for from your device, allowing or disallowing you to run applications or content on your device as if you hadn’t paid enough money to own the device and its contents.

In the end, “smart pricing” is like a tax cut: they reduce tax A but introduce taxes B, C and D, which double the amount of tax you pay. Of course, you only knew about tax A and went on happily with your life. All in all, nobody cares who they pay or how much, as long as they can get the newest fart app.

Who’s afraid of the big bad code?

What would Bruce Schneier say about the magic list that the NSA is putting together with Microsoft and Symantec of the 25 biggest errors in code that normally lead to a security flaw?

Don’t get me wrong, putting out a list of bad practices is a fantastic job, that’s for sure. It makes programmers more aware of the dangers and, as the article itself says, newbies can learn from experience before getting into a new field.

But the way (lay) people take it makes it so magical that the practical value of such a list is greatly reduced.

Order and size of the list

I understand that the order must have some meaning, but which? Is it ordered by the number of attacks in the last 12 months? By the sum of all reported losses caused by them? By the number of such errors found in common code (in those companies’ code, of course)? Or by some other subjective “importance” factor from a bunch of “Security Experts”?

Also, why 25? Why not 30? Who says the 25th is important enough to show up in the list and the 26th is not?

Real-world

We programmers know about most of them, know the problems they pose and normally how to fix them. We often want to fix them, but that normally requires some refactoring, and now it’s time to implement those features the client needs for the demo, right? We can think about that later… can we? Will we?

Then the NSA decides to make this a priority for the country and claims it is a national security problem. Big companies like fancy terms, and will strive to adopt any new standard that shows up in the market.

Then down comes the VP of engineering and says:

“We need to make sure every programmer knows how to write code that is free of the top 25 errors.”

Done. He can put up the GIF image from the NSA saying his company’s software is secure against all odds, according to the NSA and DHS.

Now, coders and technicians, tell me: would any editor, IDE or compiler ever be able to spot those errors with 100% accuracy?

“Then we need to make sure every programming team has processes in place to find and fix these problems [in existing code] and has the tools needed to verify their code is as free of these errors,”

Of course not, but they will try, and Microsoft will put a beta into Visual C++, and other companies will tell their clients that their software is being tested with the new product, and the clients will buy it; after all, who are they to say anything about the matter?

Protect against who?

Now, after so much time and effort, 30+ companies and government departments working hard to come up with a (quite good) list of the most common errors that lead to security flaws, for what?

“The real dedicated serial attacker will probably find a way in even if all these errors were removed. But a high school hacker with malicious intent – ankle-biters if you will – would be deterred from breaking in.”

WHAT?!?! All that to stop script kiddies? For heaven’s sake, I thought they were serious about that… Well, maybe I expected too much from the NSA… again…

(Note: quotes are from the original article, ipsis litteris.)

Bad Vista

Ooops, they did it again…

A whole new hacking style was discovered thanks to the complete incompetence of Microsoft’s engineers. When will they understand that security means the opposite of trust?

You can choose whatever framework you want (Java, .NET, ActiveX), build a simple program and have total control of the user’s machine in seconds. All because our beloved Windows browsers trust Microsoft’s technology far too much. And worse, the Windows kernel trusts Microsoft’s browsers and .NET too much too!

ActiveX attacks are not new; IE has an extensive history of huge holes in that magnificent piece of crap. Rendering Windows’ security hopeless is not new either; for decades Outlook gave hackers the free one-click-exploit (TM) feature. But this is completely crazy.

No matter which way you go, which framework you use or what path you take, total control of the machine is a few clicks away. Worse still, as this confidence in crap dates back to Windows 2.0, I wouldn’t be surprised if they find they can do the same on all versions of any software (ahem…) they’ve produced so far, including DOS 1.0!!

Oh well, you can’t say you didn’t know, can you?

Nvidia helps crackers?

Their long support for the minority is much appreciated by us Linux users, but now they’re indirectly supporting the bad guys as well! No need to panic, though: every major breakthrough comes with a proportional cost (e.g. nuclear physics).

According to The Register, this company is using Nvidia’s GPUs to reduce password cracking time from months to days!

The new CUDA platform allows you to use the GPU for numeric processing, giving it a big advantage over the too generic (and too complex) CPU. Password cracking is a natural fit: every candidate password can be hashed independently of all the others, so the work spreads across thousands of GPU cores in parallel.

Now, just between us, they can’t say they didn’t know this was going to happen, can they? No one said weak password schemes (even with a strong public encryption algorithm) were safe… A fast hash only makes the attacker’s job cheaper; the defence is a deliberately slow, salted password hash and, above all, passwords that are not in any dictionary.

Dangerous Files you Have to Avoid

Crackers like to use phishing to spread their malicious code. Actually, if you take care with just a few file extensions, you can avoid most of this dangerous code.

If you receive an e-mail with attachments ending in .cmd, .bat, .exe or .scr, don’t open it, even if it comes from a trusted source. And, as email servers now block these attachments, crackers use telephone promotions, your bank account and other topical subjects to direct you to a malicious link where a virus is downloaded. They build sites almost identical to the originals, “clones”, where the cracker has total control over what you do. It’s really common to send scraps to Orkut users with these links.

Most files available for download on these websites are of the kinds mentioned at the beginning: .cmd, .bat, .scr or .exe.

The .cmd and .bat files are batch files, scripts used to automate tasks. Crackers use these kinds of files to steal user data. The .scr files are screen savers; most users trust this kind of file, but a .scr is just an ordinary Windows executable with a different extension, and the virus runs the moment the screen saver is executed. The best known, and still the most used in phishing, is .exe. Users know how dangerous these files are, but most of the time they don’t pay attention to the extension they are downloading.

The files mentioned are Trojans and keyloggers. Trojans open your machine to the cracker and keyloggers record everything you type. So, can you imagine the damage to your personal data?

Now that you know these dangerous files, what can you do to protect your data? It’s always a good idea to have a firewall and other prevention methods that can identify these links and extensions. And don’t expect to notice that your computer has been infected. The cracker doesn’t want to be noticed; he will stay hidden and quiet, to get all the information he wants.

Take care with those files and links, and check the extension: Windows hides known extensions by default, so a file shown as “photo.jpg” may really be “photo.jpg.exe”. Don’t open files from unknown sources and don’t execute anything on your computer that you are not sure about. It’s not that hard to be safe online.
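The extension check above is easy to state but easy to get wrong, because attackers rely on exactly the cases a naive `endswith(".exe")` misses: upper-case extensions, a double extension such as “photo.jpg.exe”, and trailing dots or spaces that Windows silently strips when it creates the file. The following is an added example, not code from the original post; it implements the post’s block list (.cmd, .bat, .exe, .scr) as a starting point that you would extend, and the sample attachment names are constructed for illustration.

```python
from __future__ import annotations

# The extensions the post warns about.  Assumption: this is a starting point,
# not a complete list of executable types; extend it for your environment.
DANGEROUS_EXTENSIONS = frozenset({"exe", "scr", "bat", "cmd"})


def normalise_name(name: str) -> str:
    """Undo the tricks used to hide an extension.

    Windows strips trailing dots and spaces when it creates a file, so
    "invoice.exe   " ends up on disk as "invoice.exe".  Extension matching
    is also case-insensitive, so "INVOICE.EXE" runs just the same.
    """
    return name.rstrip(". ").lower()


def extensions_of(name: str) -> list[str]:
    """Return every extension in the name: 'photo.jpg.exe' -> ['jpg', 'exe'].

    Only the last one decides how Windows runs the file, but keeping all of
    them lets us report the double-extension disguise explicitly.
    """
    parts = normalise_name(name).split(".")
    return [p for p in parts[1:] if p]


def classify_attachment(name: str) -> tuple[bool, str]:
    """Return (is_dangerous, reason) for one attachment file name."""
    exts = extensions_of(name)
    if not exts:
        return False, "no extension"
    last = exts[-1]
    if last in DANGEROUS_EXTENSIONS:
        if len(exts) > 1:
            return True, f"executable .{last} disguised as .{exts[-2]}"
        return True, f"executable .{last}"
    return False, f".{last} not in block list"


def scan_attachments(names: list[str]) -> list[str]:
    """Return the attachment names that must not be opened."""
    return [n for n in names if classify_attachment(n)[0]]


# Constructed sample attachment names (not taken from real messages).
SAMPLE_ATTACHMENTS = [
    "report.pdf",
    "invoice.exe",
    "Photo.JPG.exe",       # double extension: looks like a picture
    "screensaver.SCR  ",   # trailing spaces and upper case
    "update.bat",
    "notes.txt",
    "archive.tar.gz",      # two extensions, but harmless ones
]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        dangerous, reason = classify_attachment(attachment)
        print(f"{attachment!r:24} {'BLOCK' if dangerous else 'ok   '} {reason}")
```

The block list is deliberately a frozen set that the rest of the code never special-cases, so adding .pif, .com, .vbs or whatever your mail gateway sees next is a one-line change. Note that this only inspects the file name; a name check is a cheap first filter, not a substitute for looking at the file’s actual contents.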

Computer Forensics: Recovering Files – Part 2

Last week I introduced Active@ File Recovery as a useful computer forensics tool and file recovery program.

Today, we go a bit further into Active@ File Recovery usage.

A few tips when using Active@ File Recovery to recover your lost files:

    1. Before installing Active@ File Recovery for Windows, it’s a good idea to create a Restore Point; that way, if you don’t like the software or it doesn’t work properly, you can easily return your system to the state it was in before the install.
        – Actually, it’s a good idea to set up a Restore Point every time you install any software on your Windows system. It provides the basis for recovery if and when needed.
        – A Restore Point lets you undo all changes made to your system and recover all your configuration.
    2. Try to use Active@ File Recovery without installing it, so there’s no risk of overwriting your files.
    3. If you do install it, install Active@ File Recovery on a different hard drive or partition from the affected one, to avoid writing over the data you wish to recover.
    4. After installing Active@ File Recovery, open it and navigate just as you do in Windows Explorer.
    5. Go to the file or folder you want to recover and choose the recover option.
    6. A new window will open asking where you want to place the recovered file or folder.
    7. If you choose the original location, the program will warn you to save it somewhere else to avoid overwriting your file or folder. If you overwrite it, any future recovery becomes impossible.

But remember, not every lost file can be recovered. You have to consider the following:

    • We have to assume that the file entry still exists, that is, it was not overwritten. The more files that have been created on your HD since the deletion, the greater the chance that the space for the deleted file’s entry has been reused for other entries.
    • We assume that the file entry still points to the proper place where the file’s clusters are located. If the operating system damaged the file entry right after deletion, the first data cluster becomes invalid and further entry restoration will not be possible.

So, as general advice, do not write anything to the drive containing your deleted data, and do not recover your files onto that same drive.


How to keep your Internet browsing secure

First of all, if you thought Internet Explorer and Firefox were your only options, you were mistaken. This section reviews Internet Explorer and Firefox basics and introduces other viable web browser options.

Microsoft Internet Explorer is a common target for browser hijacking. Internet Explorer 7.0 was a significant upgrade to Microsoft browser security, but it still has flaws, like the one discovered by an Israeli vulnerability researcher. Aviv Raff warned in a posting on his blog on Wednesday that attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions. Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks.

So, you have no options and you have to use IE, or maybe, for some weird reason, you just like it.

IE can provide secure browsing, but it’s the responsibility of the organization or the user to configure it.
Yes, you have to do your homework. You can start by reading these how-to articles from Microsoft.

If you are tired of patching your IE browser every week (at least), you may consider migrating to Mozilla Firefox, a popular third-party browser that is generally thought to be more secure than IE. However, Firefox is not immune to attacks, and as the browser grows in popularity it’s likely to become a bigger target for attackers.

At this link you can find a list of security tips for Firefox users; it’s great reading for other users as well.

Not satisfied with Firefox or IE? Yes, there are other options, such as Opera, Safari, Konqueror, Lynx (this one only for grown-ups) and others. They all have their pros and cons; visit their webpages and learn what to expect if you’re not using IE or Firefox.

And remember: on the second Tuesday of every month, Microsoft releases fixes for its newest flaws, which almost invariably include Internet Explorer patches. Yes, at least once a month (more often when an out-of-band fix ships) you will have to patch your IE.

Other web browsers of your choice will release their patches eventually.

How to create a security policy

Technology helps us solve problems, but it is vulnerable to several types of threat. Any kind of loss or unavailability can be very dangerous for small and big companies alike. So, information security is a basic investment.

But how do you decide what kind of investment is necessary?

First of all, you must know the cost of your business’ downtime in order to protect it against failures.

Planning

A deep investigation of users’ internet access, together with your data security needs, will help you begin your security policy.

  1. What do you want to protect?
  2. What are the risks?
  3. What parts of your business are relevant?
  4. What do your users expect from their computers? What do they need for their jobs?


Defining

Now you can start writing your security policy. The best way to develop a policy is to work from an example policy; you can find several security policy templates on the internet. You must define the mission of information security in your company: scope, responsibilities, enforcement, revision.

You need a Continuity Plan, which will involve many areas of your company, such as technology, electric power, engineering, staff planning, communication, etc. Your users must know the Security Policy and they need to be trained regularly.
Processes must be reviewed on a regular basis, to ensure that you have the latest and most up-to-date version of a solution.

Remember that threats and vulnerabilities are constantly evolving.

Implementing

So, you make business decisions and you know how important it is to protect your computer data. Security systems are the implementation of those decisions. A good security system starts with careful planning and understanding of the company’s business, not with robust hardware and software.

Security policies are strategic documents that guide your security. If you don’t understand your business needs, it will be difficult to implement and configure those security systems.

Remember that a firewall security policy cannot exist alone. It must be accompanied by your company board’s support, a policy that establishes how to maintain physical security, staff training and awareness, and other specific security controls.

Using

A firewall stands between your protected network and the public internet. Its main function is to examine traffic coming from the public side to the private side, to make sure it conforms to your security policies before permitting that traffic to pass into your private network.

Two things you must think about when implementing firewalls:

1. Acquire the right firewall for your company

There are lots of firewalls on the market, but without a solid and trustworthy host, your firewall will be worthless.

2. Configure your firewall to meet your security policies

You could create rules that allow your users to access local web servers but prevent employees from accessing local systems such as finance, development and human resources. Two details matter when you write them down: the rules are evaluated in order, first match wins, and anything no rule allows should be denied by default.

When you define a strong security policy that balances your users’ needs with your business needs, you will be able to find the right combination of IT resources to implement it. Keep in mind that firewall rules come from your business needs.
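To make the “allow web, deny finance/development/HR” policy concrete, here is an added example that is not part of the original post and not the configuration of any particular firewall product: a small Python model of a first-match, default-deny rule table. The addresses, subnets and the “finance desks” exception are constructed assumptions; the point is that rule order decides the outcome, and the shadow check at the end catches the classic mistake of placing a broad deny before the narrow allow it was meant to exempt.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    port: Optional[int]    # destination TCP port; None means any port
    comment: str           # the business reason for the rule


# Constructed example network (assumption: illustrative addresses only).
USERS = "10.0.10.0/24"      # staff workstations
WEB = "10.0.20.0/24"        # local web servers everyone may use
FINANCE = "10.0.30.0/24"
DEVEL = "10.0.40.0/24"
HR = "10.0.50.0/24"
FIN_TEAM = "10.0.10.0/27"   # the finance desks, a slice of USERS

# The policy from the text, written as an ordered rule table.
POLICY: List[Rule] = [
    Rule("allow", FIN_TEAM, FINANCE, None, "finance staff reach the finance system"),
    Rule("allow", USERS, WEB, 80, "everyone reaches the intranet web servers"),
    Rule("allow", USERS, WEB, 443, "... and over TLS"),
    Rule("deny", USERS, FINANCE, None, "nobody else reaches finance"),
    Rule("deny", USERS, DEVEL, None, "... or development"),
    Rule("deny", USERS, HR, None, "... or human resources"),
]

# The same rules with the broad deny moved ahead of the narrow allow.
MISORDERED: List[Rule] = [POLICY[3], POLICY[0]] + POLICY[1:3] + POLICY[4:]


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; a flow no rule mentions is denied (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src)
                and d in ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action, rule.comment
    return "deny", "default deny: no rule matched"


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already matched by `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and (earlier.port is None or earlier.port == later.port))


def shadowed_rules(policy: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule with the opposite
    action covers them completely.  A shadowed allow is a silent outage; a
    shadowed deny is a silent hole."""
    found = []
    for i, later in enumerate(policy):
        if any(e.action != later.action and _covers(e, later) for e in policy[:i]):
            found.append(later)
    return found


if __name__ == "__main__":
    flows = [("10.0.10.5", "10.0.30.10", 443),     # finance desk -> finance system
             ("10.0.10.100", "10.0.30.10", 443),   # other staff -> finance system
             ("10.0.10.100", "10.0.20.7", 80),     # staff -> intranet web
             ("10.0.10.100", "10.0.20.7", 22)]     # staff -> ssh on web server
    for name, table in (("POLICY", POLICY), ("MISORDERED", MISORDERED)):
        print(name, "shadowed:", [r.comment for r in shadowed_rules(table)])
        for flow in flows:
            print("  ", flow, "->", evaluate(table, *flow))
```

Running it shows the finance desk reaching its system under POLICY but being denied under MISORDERED, and `shadowed_rules` names the allow rule that the misplaced deny makes unreachable. On a real firewall the same review is done against the vendor’s rule dump, but the two properties to check are the ones modelled here: default deny at the end, and no allow shadowed by an earlier deny.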