Thursday, February 15, 2018

EFF offers tips on shielding personal data from telecoms and maybe hosting providers



I wanted to share Electronic Frontier Foundation’s page on protecting your privacy from your telecom provider, by Amul Kalia, here. There is a lot of discussion of VPN’s and (especially overseas) TOR.  There is also a list of smaller telecom’s, not available everywhere, that seem less interested in monetizing your personal information.

Likewise, one could ask questions about hosting companies, who from my experience generally keep hands off.
  
Nevertheless, there are automated tools in use that might be able to detect (by digital watermark) illegal content when it is backed up in a cloud (I know of at least one arrest in Maryland (of a school employee) over this possibility).  Likewise Google searches attachments to emails, which has resulted in at least one arrest in Houston, TX.  There are cases where there could be legal issues with intentionally viewing some social media images or video portions out of context, and this might be detectable.

Monday, February 05, 2018

EFF warns users: keep your software up to date, even when vendors rudely interrupt you


Electronic Frontier Foundation has a valuable advisory paper today reminding visitors that they should always install software updates promptly. The advisory appears as a Security Education Companion from Surveillance Self-Defense.

The article maintains that updated systems are much less likely to be targeted by malware or known enemies because they are much more “expensive” to attack.

It also advises that notification normally does not come by email but within the product itself, so subverted updates should be extremely rare.

It also admits that there is a small risk with an update of failure, but an older system is already “broken”.

I have to admit that secondary backup computers (for travel) don’t get updated as option, and that may be one reason a Lenovo ultra table that I bought in early 2015 with Windows 8 became unusable this year.

I’ve also been unwilling to rock the boat with a 2011 Macbook and Sibelius, because there is so much music that is working there that way now. But that could be one reason why I’ve had trouble with iCloud recently.

I might also take exception to this idea when Microsoft pushes operating system replacements on users with older hardware.  I burned up a Toshiba laptop in 2014 going from 8.0 to 8.1; the motherboard just got too hot. 
  
It may be advisable to look into the issue of whether you “use” all the services you have with an account you have, or someone else could hack them without your knowledge.  Then I don’t know who would be legally liable. You don’t hear this idea discussed very often. 

Saturday, February 03, 2018

Apple and iCloud phishing attacks continue; AOL seems unable to identify certain phishing scams;security companies not up to speed on this


I continue to receive strange emails claiming signon to my iCloud account and purchases overseas, especially in Indonesia and former Soviet republics.  I have marked them all as spam and forwarded them to Apple’s reportphishing@apple.com.  AOL does not seem to catch these as spam (nor does it catch emails that say your own AOL mailbox has been closed). 

I am also getting emails claiming my iCloud account has been canceled, with the sender addressed spoofed well enough even when tested by mouse-over to appear to have come from Apple. But the iCloud id and pw still work so that appears to be phishing. These also have been forwarded to Apple.
  
Yet security company Webroot is not aware of a specific problem with phishing involving iCloud.  
  
 However employees at an Apple store told me there has been a problem.

So far there is no evidence of invalid charges or of fake accounts overseas in my name.  But it is conceivable that someone could get arrested overseas if a fake identity had been created and the person went to that (third world) country. It is conceivable that fake accounts could result in judgment attempts.
 
Another possible risk could be that a hacker could place illegal content in an iCloud account. Users should always periodically spot check all online accounts that they have for possible abuse. 
   
This does seem to be a very large and bot-automated phishing attack probably from parts of the former Soviet Union. 

Monday, January 29, 2018

ChromeBooks offer sandboxing, which some experts say make them safer


I don’t know if there is some partnership between Vox and Google behind this story. But Vox Creative has a story on how the Google Chromebook runs every application in its own Sandbox.  That means malware from a website can’t infect anything else on the machine. 

This could mean that the Chromebook is a good choice for travel, especially long air trips, maybe overseas.


I don’t know how this compares to up-to-date security on modern Windows 10 or Macbook laptops.  There are opposing viewpoints on YouTube.  
  
I don’t know if the current concerns about chip security matter here. 

Wednesday, January 24, 2018

How many email addresses should you use? What about the proliferation of unused ones?



Since I do have domains on several platforms but need only two email accounts (AOL and gmail), I have no need for the email addresses that often come with web hosting providers, who assume that clients will run entire businesses off their platforms.

I have wondered if unused capabilities (meaning they are never looked at) could present a hidden security vulnerability. But the same capability could occur for non-existing social media accounts.  When I opened Instagram, I found an account already existed but it had no content.

Nevertheless, most pundits recommend that webmasters use different providers for email than for their sites, which is especially likely because of the popularity of Google’s gmail.

Here are a couple of typical advisory links:  carrier, and “nuts and bolts”.

There is some justification for multiple emails, however.  Many sources advise using separate emails for credit card charge verifications, orders, and travel itineraries, for example.  When I was “working” in a regular job, I always had a work email that was employer business use only. 

Tuesday, January 16, 2018

Trend Micro website safety ratings -- some questions (controversial news site rated "Dangerous")


I am noticing some confusion in Trend Micro’s website safety ratings.

The Site Safety Centeuses the color Blue for untested and gray for Dangerous.  (I know, quoting Milo.)  But in actual practice, if a site gives a gray circle with a question mark it means untested.
I find that Trend slips between green and gray on my two newer Wordpress sites (“billsmediacommentary” and “billsnewscommentary”).  I think that this is because Blue Host treats these as “addons” and Trend’s scripts have trouble navigating addons.  If I convert to subdomains (which I would have to do for https anyway) these problems go away, but that is a complicated and difficult and potentially disruptive conversion effort.  (The "Is it safe?" comes from the dentist scene of "Marathon Man".)

There is a discussion site yabberz which Trend rates as red (“Dangerous”, like Milo's book) and will not let me open. I haven’t tried it on the Mac.  Norton rates Yabberz as safe.   I have sent a Twitter message to Trend to ask them why this rating, A Facebook friend is writing on it. Does controversial content matter?  I hope not.  There could be issues with the site is navigated.
  
Website safety ratings could become more critical for publishers to remain connected after the rolling back of network neutrality.

Tuesday, January 09, 2018

"Typosquatting" scams


Here’s a risk I’ve mentioned before, “typosquatting”, as NBC News explained last night. 

The most common result is “scareware” where a site takes over your browser and freezes a Windows machine, and demands you call and pay them. This happened one time with “nbcbews.com”.  The cure is to power off the machine, power it back on and bring it up, and then when you go to the browser, click “No” on restoring it. 


“Https” doesn’t seem to stop the scam. 
  
Most major sites register common and deliberate misspellings of their names.  Legally, these are trademark infringements, but it would be impractical for companies to go after overseas (often Russian) offenders.  North Korea might even be trying this now.