Category Archive: Computer Security
Computer Security Tom M on 13 Nov 2007
The Facebook Beacon (and why it’s a bad idea)
Facebook have introduced a new data harvesting system to assist in targeting advertising to its users, using 3rd party websites to gather data on their behalf.
With the help of some clever JavaScript, and some co-operative 3rd party websites who have embedded this JavaScript into their pages, they can now update your Facebook profile for you when you do things. At the moment this is done with your consent - the little popup (if you spot it) gives you the option to deny - but you can’t completely block the facility from within your Facebook privacy settings. You can block it on a site by site basis, but only after the fact - a site has to have already sent an update to your account before it appears in your privacy settings.
Scary stuff. How to stop this happening to you is after the “more” link…
Computer Security Tom M on 14 Aug 2007
The real-world risks of Social Networks
In this little article, I’m going to be using “Facebook” (which I do use) as my example Social Network, but I’ve no doubt other networks have the same risks…
Firstly, unless you change the default privacy settings, anyone in the same “network” as you can probably see some or all of your personal details.
Computer Security & Science & Technology Tom M on 26 Apr 2007
Spam Entertainment
Occasionally I get these “fake lottery” SPAM email messages slip through the net and actually reach my mailbox - but this one made me laugh…
This is to inform you that you have been selected for a cash prize of £300,000.00 (Three Hundred Thousand Great British Pounds) and a brand new Peugeot 407 Car,From the International online programs held on the 26th of April 2007 in London the United Kingdom .
Now, if I had 300 grand, I wouldn’t be driving around in a Peugeot, I can think of several far more “fun” cars to spend money on… Especially after my previous experiences with Peugeot cars!
The email then carries on with the usual rubbish, including a form to send to an address, which is (not) surprisingly not at a domain owned by Peugeot, but is in fact on Yahoo Mail. The form naturally asks for a ton of personal information normally asked for by people wanting to steal your identity.
I can’t believe anyone falls for these - simply by the very fact that the “company” claiming you’ve won aren’t even using their own domain, but are using a well-known, free webmail provider.
Computer Security & In The News Tom M on 20 Feb 2007
Worried about ID Theft? No? Why not?
Are you worried about identity theft - the act of criminals obtaining credit (in other words, running up debts) in your name - debts which you are responsible for and appear on your credit rating?
No?
Really No?
Watch this from the BBC.
Now are you worried?
Think about the stuff you throw away - how much of it has your name, address, bank account number, credit card number (or part of it) on? Now think about that receipt from the petrol station - that’s got (part of) your credit card number on it. Put it in the same bin as something which just has your address on, and that’s information that can be put together to identify you.
I’m already in the habit of shredding anything I throw away which has my name, address, or is a receipt. Even just a petrol receipt. If you aren’t - you should get into that habit. Really Quickly.
Also, be wary of phone calls asking for personal information - I had one from a marketing company - “I’m calling on behalf of ****card - are you Mr Marshall, yes, good, can you confirm that by telling me your date of birth and last 4 digits of your card number.” - My answer - “NO, you called me - I have no guarantee you’re from ****card - I’m not giving you personal information”. Her reply - “I can assure you I’m calling from ****card” - no, she wasn’t. The callerID display gave me a number which I called back - it was a marketing company, not my credit card company.
I then called my card supplier’s customer services line - it turned out this was a legitimate marketing call - they’d passed my details onto this 3rd party marketing company in order to ask me if I still wanted to be opted out of their junkmail and sales calls. Yes, despite being opted out, they passed my details to another company, and got that company to pretend to be them, call me, lie outright, and try to get me to sign back up to marketing junk.
I will be closing my account as soon as possible - I will not deal with companies that abuse my trust.
Don’t forget the other old favourite scam - “I’m calling from your mobile phone provider - would you like a free upgrade.” - reply is “Who are you calling on behalf of?” - “my mobile phone company?” - “who is my mobile phone company?” - “you don’t know?” - “so how are you calling on their behalf if you don’t even know who they are?”
Computer Security & Science & Technology Tom M on 05 Mar 2006
Cool Firefox Extension
Following the great work done by SiteAdvisor in rating sites for how much unwanted junk they include with their downloads (think spyware, adware, trackers, “search-enhancers”, toolbars etc) they’ve produced a cool little Firefox extension which warns about sites that they consider “unsafe” with little icons and a statusbar highlight. Another useful weapon in your armoury to keep your PC free of nasties…
http://www.siteadvisor.com/download/ie.html
It’s also available for IE (for those who are forced to use it) - for whom it’s probably even more valuable!
Computer Security Tom M on 28 Feb 2006
Security and Banks
I just got an interesting message from my bank (via their website)…
Do You Use Wireless Broadband (Wi Fi)? Then you should be aware when using wireless networks to always ensure all security features are turned on so nobody else can access your information. We strongly advise you to review your configuration and ensure that strong encryption and authentication features are turned on. Features such as “128bit WEP” and more recent, and more secure, “WPA encryption technologies” are essential to protecting your data. For further information on Wi Fi security go to www.getsafeonline.org.
I think this is a good thing - if people who are running unsecured WiFi networks start getting advice about securing them from their bank (rather than via techies or their ISP) maybe they’ll take heed. After all, they already know that security is important with money, and maybe seeing a message like this will help people make the connection between poor PC security habits at home, and the risks they face.
Now if the banks would start putting messages out about Phishing, Spyware, and BotNets then maybe it’ll start to turn the tide of the hordes of compromised PCs out there.
Computer Security Tom M on 21 Feb 2006
The Google Desktop story continues
Several high profile security analysts are now coming out and expressing their concerns regarding the “Search across PCs” feature of the latest version of Google Desktop - echoing my post from a couple of weeks ago.
Silicon.com is reporting that Gartner and the Electronic Privacy Foundation are now both advising that this software should not be used - or should be “locked down”.
In my opinion, all companies who are concerned over Google having copies of their confidential documents should ban the use of the Desktop Search on PCs connected to their network, and should take steps to prevent the software sending documents “home” if a user should install it against company policy. Certainly your firewall needs to block all traffic to the Google servers that the data is transferred to.
I have yet to identify the server in question, but it should be possible to install the software on a “clean” test machine, set up a couple of “dummy” documents, and watch the network traffic that the search tool generates when it sends those files home. However, I’d suggest that concerned network admins contact Google via the link at the bottom of this page and ask something like “what rules should I apply to my firewall to prevent PCs within my network which have Google Desktop installed on them communicating with Google’s servers?”
I’m not sure that it isn’t going too far to call this tool “spyware” - although if you read the agreements it’s not hiding what it’s doing, and you can turn the feature on and off - but even so, how many people are really going to take the time to configure this properly? The earlier versions required little configuration at all to be very useful; will this version require very little configuration to be a security risk?
I’m not going to install it to find out.
Update - Apparently Google agrees that it’s a security risk, but their only advice is “use the Enterprise version” - which apparently allows the feature to be switched off as a global setting - however there’s still nothing to stop end users downloading the personal version, and no information to help sysadmins configure their network to prevent this.
Unfortunately it’s well known that users are the weakest link in computer security, as was proved a couple of weeks ago when “free valentine” CDs handed out in the street managed to bypass a number of companies’ security rules and procedures and “call home” from office PCs across London - proving that despite many large companies having policies on installing unapproved software on desktops, they’re routinely ignored by a percentage of users.
