“The Smart Paranoid's Guide to Using Google” plus 3 more |
- The Smart Paranoid's Guide to Using Google
- 7 Online Scams Any Idiot Can Avoid
- McAfee to buy mobile-security firm Trust Digital
- British scientist infected with computer virus
| The Smart Paranoid's Guide to Using Google Posted: 26 May 2010 12:55 AM PDT
Do you realize that Google may have recorded and stored every single search term you have ever punched into its search box? Chances are some of those searches could be soberingly damaging to your reputation. What about Gmail? Have you ever sent any sensitive e-mails? How about business information stored in Google Docs? Unless you sat out the last decade offline, you've likely been building a pretty thorough profile of yourself on Google Inc.'s servers. Depending on which of the dozens of Google services you use, data about your habits, interests, activities, schedule, professional pursuits, stock portfolio and medical history could be sitting somewhere on Google's servers -- along with records of the trip routes you've mapped, the Web sites you've visited and much more. The good news is that Google anonymizes its server logs by removing the last three digits from the IP addresses associated with searches after nine months and by deleting the associated cookies after 18 months, which makes it very difficult to link you to searches that are more than 18 months old. That's still a pretty big window into your life, though. What if any or all of that data ever became public? An attacker could conceivably get access to your information on Google by hacking directly into its servers, or by hacking into your individual account. "There is a huge amount of stuff on Google," says Gartner Research VP Jay Heiser, "and it would be naive to believe that all that information wasn't of huge interest to a wide variety of people." What's more, the large number of services Google offers means there are multiple ways of accessing data. "Each service brings its own unique risks," says Heiser. "There's potential for a minor vulnerability in one to add up to a more significant vulnerability when combined with something else." And criminals aren't the only ones who could potentially access your Google records. Should the government (or attorneys from a legal suit you're involved with) come calling, all it takes is a simple subpoena and Google is forced to turn over your information, as outlined in Google's Privacy Policy. Bottom line? Big Brother knows a whole lot more than you probably thought. But you don't have to avoid Google to keep yourself reasonably safe. You just need to take steps to prevent potentially dangerous information from being stored on Google's servers in the first place, and to protect the integrity of your account. By taking some basic -- and not-so-basic -- precautions, you can minimize your exposure to bad guys, wherever and whoever they are. Read on to learn about things you can do to minimize the security risks involved in using Google, whether for search or for one of its myriad other online services. For good measure, we've included two levels of advice on how you can protect yourself: * "Defcon 2" (good security) tips are things you can do with the tools already at your disposal to keep yourself safe against typical attacks -- but not against a determined attacker. * "Defcon 1" (best security) tips -- a.k.a. "the celebrity solution" (steps to take if you have, or intend to have, a highly visible public profile) -- offer far more security but are far less practical and often require using third-party tools. In the end, only you can determine what trade-offs between security and convenience make sense for you. Risk 1: Search data and metadata If you visit Google's Web History page, you can see every single Google search you've run, while signed into your Google account, for years. And it's not limited to text searches -- you can also see your history of Google image searches, Google video searches, Google Maps searches and so on. This data is stored by default; users must activate Web History to access it. Google uses this information for a number of benign purposes, such as fine-tuning its search algorithms and determining wider patterns in Web searches for its Google Trends page. But however useful it is to the company, it's probably a safe bet that you don't want anyone to see every search you've ever done. Defcon 2 The simplest thing you can do to prevent the accumulation of search data is to make sure you're logged out of your Google account before searching. If you're logged in, your e-mail address will show up in the upper right-hand corner of Google's home page, search results pages or any Google Web page you're on. Also, turn off Google's Web History. From the upper-right corner of Google's home page, choose Settings --> Google Account settings, click "Edit" next to "My Products" in the left-middle of the page, and click "Remove Web History permanently." (If you don't see this option, it means you never initially activated Web History.) This will unsubscribe you from Google's Web History service and erase all the specific data linking your account to your searches from Google's servers. Google will still keep data associating your searches with your IP address for nine months and with other nonpersonal information for 18 months, but this data is not specifically linked to your identity. However, the Web History service can be of value to individual users, not just to Google. A searchable history of every Web search you've ever run could be a powerful tool for your own use. If you're comfortable with your search data being available in Web History but want to prune a few "incriminating" searches from the list, choose Web History under My Products from your Accounts page and click "Remove Items" in the left-hand menu. This will place a checkbox next to each query in your history; select the ones you want to chuck into the Memory Hole and click "Remove," and they'll be deleted. You can also click the "Clear entire Web history" link at the bottom of the page to delete your past searches all at once, or "pause" Web History for a while, if you know some of your upcoming searches might be difficult to explain or reveal too much personal information. To put Web History on hold, just click the "Pause" link in the left menu, then click "Resume" to have Web History begin saving your searches again. Defcon 1 Logging out of Google prevents the direct association of searches with you, but not the searches' association with your IP address and other information such as the operating system and browser used, time and date of the search, and the ID of the cookie saved to your computer for that search. (Google's Privacy FAQ shows a sample log entry.) A determined attacker could conceivably work backward from Google's server logs to discover your identity. To prevent this, anonymize your Web use by using tools like Tor, Anonymizer or the PhZilla Firefox extension. These tools funnel your Web use through one or more proxies, bouncing from city to city around the world, so your searches cannot be traced directly back to your computer. Be warned, though: Internet surfing is significantly slower when it takes place behind a proxy server. Risk 2: Tracking cookies Google uses cookies to store your log-in status for its various services, so, for instance, you don't have to log into Google Calendar when you're already logged into Gmail. But that means that you're leaving a trail of log-ins that can be accessed both from Google's servers and from your hard disk. Also, the Google-owned ad service Doubleclick uses cookies to track visitors as they move among sites, and that information, combined with your Google login, can identify exactly what sites you visited. Defcon 2 Use your browser's security or privacy settings to reject third-party cookies -- that is, cookies that originate from sources other than the site you're on. Blocking all cookies can be problematic if you want specific sites to remember your log-in info or preferences. Blocking third-party cookies, on the other hand, won't inconvenience you on most sites but will take your privacy up a notch. Note that blocking new third-party cookies won't actually get rid of the ones that are already on your system. So to be thorough, you can use your browser's security/privacy settings to either delete all of your current cookies at once -- which means you'll have to re-enter log-in information or preferences at certain sites (but only once) -- or look through your cookies file and manually delete those that aren't from sites whose cookies you want to keep. However, some services -- notably Doubleclick -- have been able to install cookies even with third-party cookies blocked. You can opt out of Doubleclick's cookies by, ironically, installing an opt-out cookie. But if you clear your cookies file at any time, you might also delete the opt-out cookie. Google provides tools and instructions for making your opt-out preferences permanent in Firefox, Internet Explorer, Chrome and Safari. Another option is to take advantage of your browser's "private browsing" feature. The most recent versions of Firefox, Safari, IE, Opera and Chrome all offer private browsing sessions -- sometimes called "InPrivate" or "incognito" browsing -- that purge cookies and passwords when you close the browser, and also erase your Web history and browser cache. The only challenge is remembering to select private browsing before you begin a sensitive search. Defcon 1 Block scripts and ads entirely. Use an ad blocker such as AdSweep for Firefox, Opera and Chrome or AdblockIE for IE8 to prevent sites from serving ads, including Doubleclick's. Many ads (including Google AdWords) use JavaScript to load. Blocking scripting in addition to ads is the belt-and-suspenders way of keeping ads from loading and third-party tracking cookies from finding their way onto your system. You can turn off JavaScript and other scripting using your browser's security settings, or use the NoScript extension if you use Firefox. This will make a huge number of sites unusable, but it will make it much more difficult to track your online behavior. Note that you can add exceptions for sites you trust using the "Trusted Sites" list in IE8 (on the Security tab under Internet Options) or by clicking the NoScript toolbar icon and selecting "Allow" for sites you wish to accept scripting from to restore functionality. Risk 3: Hackers attacking Google Even if you trust Google as much as you trust your mother, the sheer amount of data the company amasses about your life is daunting -- even more so when you consider what could happen if someone outside of Google managed to get access to Google's servers. Sound far-fetched? Google's internal networks were breached in December 2009 in a widespread attack known as "Operation Aurora" that resulted in the theft of some Google source code and some (but not all) personal details of at least one Chinese human-rights activist, including his account creation data and e-mail subject lines. Google may have some of the best minds in the world working to secure its systems, but it's also a big target -- and a potentially big prize -- for hackers. "Companies like Google are under attack because they have so much data about you," says Bill Morrow, CEO of CSIdentity, an Austin-based provider of identity theft protection services. "Instead of getting a little snippet of your life's digital footprint, [attackers] could get your entire profile." Defcon 2 Use common sense. "If it's absolutely critical intellectual property, don't use [online] services," says Mark Kadrich, CEO of The Security Consortium, a San Jose-based security services provider and research firm. The same goes for personal information. No system is 100% perfect. If you simply could not recover from a piece of information getting out into the world, then no online service can offer you the level of security you need. While Google's mechanisms are strong enough to protect against common threats, a determined attacker such as a corporate competitor or a government agent who gains access to your account on Google could conceivably access everything you've entrusted to the company -- including data you didn't even know you were leaving behind. "You have both very sensitive and less sensitive data under the same log-in credential," says Vatsal Sonecha, vice president of business development and product management at security vendor TriCipher Inc. "An attacker who gets into your account has the keys to the kingdom." It's up to you to make the distinction between what information can be trusted to Google and what can't. Defcon 1 Encrypt your e-mail. If you use an e-mail client like Outlook or Thunderbird to access your Gmail account, you can use a product like PGP Corp.'s PGP Desktop Home or its open-source cousin GnuPG to encrypt all of your outgoing e-mail. Or you can use the FireGPG Firefox extension to add encryption to Gmail's Web interface. Businesses can use tools such as PGP Desktop Corporate on the desktop or one of PGP's server-based products to encrypt all outgoing e-mail at the network level. You'll have to insist that others send you only encrypted e-mail, though, or all your incoming e-mail will still be in plain text. Unfortunately, there are no equivalent encryption tools for other Google services -- some, like Google Health, encrypt your data, but not all do. Risk 4: Hackers guessing your log-in While hacking into Google might be difficult, hacking into your particular Google account probably isn't. Most people use simple, easy-to-remember passwords -- often the same one on dozens of sites -- which means a hacker with some basic information about you could easily crack your account. If you use a single English-language word as a password, a hacker who knows just your e-mail address can crack your account in a few seconds by using common cracking tools that simply try every word in the dictionary. And on Google, your password accesses everything, from your medical records on Google Health to your credit card numbers on Google Checkout. Defcon 2 Use a password management program like KeePass or RoboForm to generate and remember strong passwords (such as W2J@Y*YHzqrkd) that are almost impossible to guess. And change your password regularly -- once a month or more. Defcon 1 Use multifactor authentication. Using just a password to log into a service gives you only one point of failure: If someone gets your password, you're vulnerable. Multifactor authentication requires you to verify your identity in two or more ways. "Multifactor authentication is based on using at least two of three things: something you know, something you have and something you are," says TriCipher's Sonecha. A password (something you know) is one factor. Services such as TriCipher's MyOneLogin and MultiFactor Corp.'s SecureAuth limit access by requiring additional verification, such as a VeriSign security token or a file on your computer (something you have) or a fingerprint (something you are). MyOneLogin offers its secure authorization free for users of Google Apps or, for $3 a month, you can sign up for a service that covers not just your Google account but all of your online activity. You can add Web sites or Web applications from MyOneLogin's vast library, or easily set up applications MyOneLogin doesn't cover yet. (Click "Free Trial" on the home page to get started.) Risk 5: Hackers cracking your log-in Even if you have a difficult-to-guess password, a hacker can still gain access to your Google account by getting you to log in through a fraudulent link, or by getting malware onto your computer that installs keylogging software or modifies your hosts file. If your computer has been compromised in that way, you may think you're logging into Google but you're really giving your information to a hacker. Google speculates that this is how the Gmail accounts of several human rights advocates were breached recently. (Tip: Always pay attention to the URL in your browser before entering sensitive information if you clicked on a link from an e-mail or a third-party page -- if the domain name is wonky or doesn't match where you're supposed to be, it's a clear indicator that someone's trying to dupe you.) Defcon 2 If you're still using Internet Explorer 6, upgrade immediately. According to security firm Secunia, IE6 has 24 unpatched vulnerabilities -- far more than any other browser commonly in use today. It was an IE6 flaw (that has since been patched) that enabled the December 2009 breach of Google's network. Google plans to drop support for IE6 for many of its services this year. Beyond that, practice good Internet security behavior: Run anti-malware software on your system (yes, even on Macs); don't click on links in e-mails, even from people you trust (or if you do, pay attention to the URL, as outlined above); don't open attachments you aren't expecting; stay away from shady Web sites (porn, illegal file-transfer or warez sites); and never click on pop-ups, not even to close them (instead, use the keystroke commands Alt-F4 on Windows machines or Command-W on Macs). Defcon 1 "Sandbox" your browser. Use virtualization software like VMware Player or Parallels Desktop to create a self-contained operating system so that viruses and other malware cannot access your hard drive directly -- and when you're done, trash the session and start a new one from the original disk image. A browser sandbox such as Sandboxie also offers some protection by isolating your browser from the rest of the system. As Steve Gibson, longtime security researcher and founder of Gibson Research Corp., points out in a Security Now! netcast, neither virtual machines nor browser sandboxes provide complete protection from keyloggers and other malware. But used properly alongside other standard security applications (firewalls and antivirus and anti-malware apps), they can help prevent malware from installing anything on your system. Final advice Finally, take a good, hard look at what you're giving Google and what you're getting in return. "You can no longer be passive about protecting your digital footprint," explains CSIdentity's Morrow. "You need to think of it as if your enemy is in the room, overseeing everything you do. That kind of 'filtering' will lessen not only where you go but what information you're willing to leave behind." Google may not be your enemy -- now. But a change in management at Google or an acquisition by another company (hey, it could happen) could change that. Even a legal suit could spell trouble if Google gets a subpoena. And individuals within Google's wall of defenses -- a rogue employee, someone with a personal vendetta, or a hacker -- may actually be your enemy. And naturally, the higher your public profile, the more of a target you become. Friend or foe, Google will have your information in its servers for a long time; a little paranoia won't kill you, and it just might save you if Google ever turns back on its "Don't Be Evil" mantra. Logan Kugler is a frequent Computerworld contributor. His most recent article was "10 must-have Firefox extensions for business." Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction. |
| 7 Online Scams Any Idiot Can Avoid Posted: 25 May 2010 07:40 AM PDT It's pretty easy to get ripped off in the physical bricks-and-mortar world if you're not careful. It's no different in the digital world online. Some scams are so bald-faced and clumsy that you marvel that anyone still falls for them. Others have a reasonable patina of plausibility that can seduce the unwary. Unfortunately, there's no real-world correlation between technological savvy and street smarts. It's almost embarrassing to have to repeat an old cautionary bromide, but here it goes: If something sounds too good to be true, it probably is.Keeping that in mind, here's a run-down of some of the most pernicious online rip-offs as well as one or two that add a new spin to the art of online duplicity. Nigerian (419) Scam This one, which plays on greed, is one of the oldest digital rip-offs on the books. You get an email from a wealthy Nigerian (fill in the appropriate country, this one travels well) who needs help in transferring millions of dollars from his homeland. If you are able to assist in the process, the email continues, you'll receive a sizable cut of the fortune as a reward. If you take the bait, you will be asked to put up some of your own money to smooth the transfer. It'll be the last time you see that money or the scammers; there is no fortune that needs to be transferred other than yours. The number "419" refers to the article of the Nigerian Criminal Code that deals with fraud. Any email from strangers that promises riches in exchange your help (read: money) and trust should be avoided. According to scambusters.org, the Nigerian Scam and its cousins still bilk people for between $100 million and $200 million each year. eBay Buyer Remorse Buying on eBay can be great fun as well as a source of bargains on a whole cornucopia of goods and services. It can also be a disillusioning experience if you never receive the goods you bid on and paid for, or if what you gets doesn't live up to the seller's description. A majority of eBay sellers are legitimate and go the extra mile to maintain their good reputations. In a barrel this large, though, there will be some bad apples. Avoiding them is the best way to not get ripped off. eBay recommends looking at a seller's feedback before hitting the buy button. Just click on the seller's feedback score next to the seller's user ID. If you're dealing with a new seller who doesn't have any feedback or with one who has negative feedback, use the "ask a question" link to communicate directly with the seller. You should also look at the icons by the seller's user ID to learn more about them. Gone Phishing Identity theft is alive and well online. One of the slicker phishing ploys making the rounds comes in the form of official looking emails claiming to be from a bank, credit card company or site such as Best Buy or eBay asking you to verify your account details and password. The email is generally tricked out with authentic looking logos and authoritative text reassuring the recipient that their security is a paramount concern and includes a link for you to use in the verification process. Don't do it. There may be subtle clues that the email is not as it seems, such as the return header containing a Hotmail address. The best clue, though, is that legitimate companies never request this kind of information via email. If in doubt, go to the institution's official web site by typing its URL in the address bar of your browser, not by clicking on any links in the email you received. The scam may be listed on the home page. If in doubt about the authenticity of the email you received, call or email the institution's customer support department. Disaster Scams Your humanitarian impulses offer rip-off artists an opening to take another shot at your wallet in the wake of well-publicized disasters such as Hurricane Katrina or the earthquake that devastated Haiti. The latest to raise its larcenous head uses the Iceland volcano that grounded flights around the world as its vector. The fraudsters hack email accounts and start sending emails to that account's contacts list. A plaintive message is sent out saying that the account holder is stranded because of the eruption and needs money to get home. The recipient is instructed to contact the sender on where to send the money and the message includes an email address that looks like it comes from a Gmail account but is slightly different. A quick phone call can defuse this little bit of skullduggery. Your Resume Has Come to Our Attention Remember, stealing your time is as much a rip-off as taking your dollars. The major job search sites such as Monster.com and CareerBuilder.com do a good job of directly channeling job seekers to appropriate opportunities without inundating them with sales pitches or making them jump through hoops to browse job listings and details. But there are some that take your job hunt and use it as a vehicle to upsell you to paid memberships if you want access to premium job listings or solicitations to fix your resume for a fee. Some are notorious for offering personalized critiques that in actuality prove to be formulaic boilerplate based on the keywords you use in your resume. The companies that do this are relentless. The best litmus test for a job search site is this: Does it spend more time steering me to the services it sells or to genuine job openings? Craigslist Connivers Craigslist is a wild and wooly bazaar of goods for sale, apartments for rent, jobs listings and meeting people. Because it's faceless and generally free to use, it also offers safe haven for rip-off artists. Craigslist apartment listings, particularly in large metro areas such as New York City, are well-known hotbeds of fraudulent activity. You see a listing for an unbelievable rental in a desirable neighborhood at a below-market price. Because it's such a great deal and will rent quickly, you're asked for an advance deposit, even though you won't be able to see the apartment before forking over your money. You can see where this is going. Fraudguide.com reports that one woman running this scam collected $60,000 in rent and security deposits from several dozen different people. If you're looking for an apartment on Craigslist, park your trust at the door and do your due diligence. Fake Anti-Virus Software Fake anti-virus programs account for 15 percent of all malicious software, according to a new Google study. Computer users are tricked into downloading these programs when a window pops up on their screen telling them that their computer has been affected by a virus. It provides a link to an antivirus program they can download that claims it will cure the problem. It won't, since there's no problem to begin with, but it will either steal the user's data or demand a payment of $40 or more to register the fake product. Sometimes it does both. The best antidote is to not click anything and close down your browser. Know what anti-virus programs are installed on your computer and make sure they're up to date. They should already be protecting you.
Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction. |
| McAfee to buy mobile-security firm Trust Digital Posted: 25 May 2010 01:15 PM PDT
McAfee said on Tuesday it has signed an agreement to acquire Trust Digital, a provider of mobile security and management software targeting corporations. The companies did not disclose terms of the deal or how many of Trust Digital's 30 to 40 McLean, Va.-based employees will be moving to McAfee. Santa Clara, Calif.-based McAfee expects to combine Trust Digital's solution that allows corporations and organizations to manage the smartphones employees use with its antivirus and other security software and its centralized management and reporting offered through ePolicy Orchestrator. About 180 million mobile devices are loaded with McAfee mobile security while Trust Digital software works on a range of mobile operating systems including iPhone OS, Android, Web OS, Windows Mobile, and Symbian. Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction. |
| British scientist infected with computer virus Posted: 26 May 2010 02:08 AM PDT May 26, 2010 Experiment has implications for chip implantsA British scientist claims to have become the first human to be infected by a computer virus, in an experiment he says has important implications for the future of implantable technology. Dr Mark Gasson from the University of Reading infected a computer chip implanted in his hand with the virus and then transmitted it to a PC to prove that malware can move between human and computer.
Speaking to the BBC, Gasson said someone with an infected chip implant could potentially infect someone else, while a person with two devices under the skin could run the risk of viruses passing between the two chips. "With the benefits of this type of technology come risks," Gasson told the BBC. "We may improve ourselves in some way but much like the improvements with other technologies, mobile phones for example, they become vulnerable to risks." See also:
<<newer story | back to index | older story>> Subscribe to PC Advisor now and claim your FREE gift
Five Filters featured article: The Art of Looking Prime Ministerial - The 2010 UK General Election. Available tools: PDF Newspaper, Full Text RSS, Term Extraction. |
Chips that can be implanted into the body have been around for a while, and Gasson uses one in place of a security pass to gain secure access to the building, and to activate his mobile phone. But he says the implications for computer viruses in implants are far-reaching, and could potentially affect those with pacemakers and other medical devices.| You are subscribed to email updates from Yahoo! News Search Results for antivirus To stop receiving these emails, you may unsubscribe now. | Email delivery powered by Google |
| Google Inc., 20 West Kinzie, Chicago IL USA 60610 | |
Comments
What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.