security

Dropbox Peeks at Your Files

        "Although I like and use Dropbox frequently, here's an article that reminds us nothing is secure in the 'cloud', unless it's encrypted, and even then NSA might take a peek at your documents," notes Jim Hamm.  Here's the article for you to check: http://www.computerworld.com/s/article/9242384/Dropbox_takes_a_peek_at_files?source=CTWNLE_nlt_dailyam_2013-09-13

Google Defends Scanning Email

"Here is an article discussing how Google defends their scanning every email sent or received through Gmail. Google says this is a 'normal business practice', and uses the info to tailor ads that appear beside your inbox."  Jim Hamm continues,  "I use Gmail, and the ads don't bother me, but I'm not fond of the idea of Google scanning the contents of every email sent through their system. On the other hand, Google is providing a useful service for free, so something or someone has to foot the costs.

        Jim goes on to comment,  "Perhaps Google already states this in their terms of agreement when one sets up a Gmail account, but wording somewhat to the following seems fair to me: as a user of the free Gmail email service the user agrees to having all sent or received emails subject to scanning by Google. If one doesn't like this, then don't sign up for the Gmail service -- use something else for your email service."
        So, this is Jim's question,  "I don't know, but perhaps other free email services such as Yahoo, Outlook Express and others may do the same thing. What do you think about Google's scanning of your emails? Armed with this knowledge, surely you won't send any of your passwords via email anymore, will you...(grin)."

No, Your Data Isn't Secure in the Cloud

          John Carter wants to share his viewpoint on security in the Cloud.  "You do understand that it's the government that is insisting on an open book for all personal information, yet they also insist on not telling us anything they don't want us to know about - like what really happened at Roswell and other places.

        "I really don't care how deep the government is looking into my personal affairs. In fact, I want them to be able to pry into the private life of any citizen planning on running for a public office at every level of government from our local supervisor and councilman to the President. 
        "The ONLY way to have access to my passwords across all devices without using the cloud is to carry a thumb drive —and it won't connect to my iPhone, iPod, or iPad. That makes no sense. 
        "So, using iCloud or Dropbox to store my passwords is my only sure way of being able to access them when I need them from any device. And with 128 bit encryption, that is secure enough to prevent Joe the Plumber (and even my high-tech buddies) from getting at them. I'm safe from the hackers, and that's all that really concerns me.
        "Now, if one of those hackers works for the government and is nefarious enough to steal encrypted data for personal gain, I can't stop that. No one can. It would take an act of Congress to prevent even the government from accessing encrypted files, and then only foreign governments would be able to access my personal files. Right back where I started from."  
        And thanks to John for adding to this discussion.  

Storage Security?

          Yes, we're still concerned about storage security.  Jim Hamm writes, "For your possible interest, here is an article about storage security -- or lack thereof -- in the cloud. For reasons mentioned in the article, I don't, and wouldn't, store passwords in the cloud. I wouldn't even use a Password Manager to store passwords in the cloud."
http://www.computerworld.com/s/article/9241553/No_your_data_isn_t_secure_in_the_cloud?taxonomyId=223&pageNumber=1

OS X Mavericks: Hands-On

        "Here is an article from MacWorld with comments about their hands-on experience with OS X Mavericks, to be released this fall. With various recent articles commenting on password security -- or lack thereof -- in browsers, read the section about a new feature: iCloud Keychain," Jim Hamm informs us.  Scroll down about half way for that password security feature. 

Is Your Router Vulnerable?

        With his thoughtful suggestion Jim Hamm forwards an interesting site.  He starts off, "Here is a description and test to see whether your router may be vulnerable to a UPnP discovery request. I ran the test, and our router is not vulnerable."

        Jim then comments, "In the real world, I don't know how serious this threat may or may not be. I don't recall reading anything about it, and don't really know anything about this vulnerability. So, proceed accordingly."
        Hmmm.  Let's look at this company and their blog to learn more.  Here's a photo of them,  http://www.rapid7.com/company/  and you'll learn more when you scan their Security Street blog: https://community.rapid7.com/community/infosec/blog 
       And this is the latest addition from Jim, "Here is more information on the Universal Plug and Play (UPnP) vulnerability issue. Although this article came out a while back, I guess reading it now is better late than never." 

So, What Do You Want Them to Know?

         It’s not a cheery handout today.  But as we keep hearing news reports, the importance of security and privacy grabs our attention.  Of course, there are things we need to know and do.  Keeping up with the latest information is a necessary precaution for all of us.  Here are just a few current sites for you to review. 

ID Theft, Opt Out Directions, Free Credit Report, Social Networking Danger

        See  http://www.worldprivacyforum.org, which lists articles on ID theft, security, privacy, cloud computing, medical info on HIPAA, medical identity theft, and more.   
Lots of links are provided on this website. One article brought to our attention was “Top ten opt out list.”   The information goes into detail and when printed out is 12 pages long as it describes the various opt-outs you can use to stop information about you from being collected, circulated, and sold among various companies and government agencies.  
One company is described which builds detailed dossiers on consumers with “information scraped from social networking sites like Facebook, and is combined with public record data.”  Dossiers have been used in political campaigns and other businesses.  According to their quotation from Wall Street Journal this company’s segments recently included   “a person's household income range, age range, political leaning, and gender and age of children in the household, as well as interests in topics including religion, the Bible, gambling, tobacco, adult entertainment and ‘get rich quick’ offers. In all . . .  more than 400 categories, the documents indicated."
This site also gives consumer tips and links on how to get your free annual credit report.   
A February 2010 report discloses Digital Signage Privacy Principles which might be a new term and a previously unexplained form of sophisticated digital information collection.  


Traveling Brings New Challenges for Security and Privacy
        See  https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices.  This website gives 20 pages of information.

“Defending privacy at the U.S. Border: a guide for travelers carrying digital devices” states that “for now, a border agent has the legal authority to search your electronic devices at the border even if she has no reason to think that you’ve done anything wrong.”  
It discusses such agencies as CBP, ICE, TSA.  Which other countries have you recently visited before entering the United States?  What other connections do you have there? 
Be aware of two basic precautions:  make regular backups so if your computer is ever taken, lost or destroyed you’ll still have access to your data, and encrypt the information on your computer.    
It gives details on how and why.  It talks about hard drives, flash drives, mobile phones, data and disk encryption, and digital cameras. It goes into how to interact with border agents, what to say, how to behave.  The appendix lists 47 sources and their links with descriptions.  
You can click to download a PDF with this material. This might be something you’d want to pass along to your grown kids and friends who plan to travel this summer. 


Cookies?

These are not just the yummy ones Ginger brings to PMUG! Read on . . . 

What Info is Available for Internet Sites to Take? 

        Using Firefox:  are you collecting lots and lots of cookies?   See how to view history and clear what you don’t want saved.  http://support.mozilla.org/en-US/kb/how-clear-firefox-cache  Using Safari:  http://support.apple.com/kb/HT1677 

        See  http://kb.iu.edu/data/ahic.html   Indiana University knowledge base, dated 3-3-13.  Brief description of cache, cookies, history.   How to: for Firefox, Internet Explorer 7, 8, 9,  Chrome, Opera, Safari, Mobile Safari for iPhone, iPod touch, iPad, Android. 
        What personal information does Amazon gather and why? There are 5 pages to read!  http://www.amazon.com/gp/help/customer/display.html?nodeId=468496  dated 4-6-12.
        Google’s Policy:  http://www.google.com/policies/privacy/  last modified 7-27-12.  Their policy in 8 pages; what they take and what you can determine on your end.  “We will not reduce your rights under this Privacy Policy without your explicit consent.”  Hmmmm.  

Password Managers Can Help
The query to Ben Patterson brings up info he wrote about iPhone, iPad:  http://heresthethingblog.com/2013/04/30/reader-mail-simple-password-manager/

How Safe is My Info on a Thumb Drive?

A handy little thumb drive can hold a lot of info.  But they can be misplaced, lost, mishandled.  Make a plan to store them and use them.  How long of a life do they have?  Probably you’ll want to back one up, then buy a new one & copy over again in a few years?  
An infected USB thumb drive can infect a computer.  This discusses software encryption, hardware encryption. http://en.wikipedia.org/wiki/Secure_USB_drive


An Unexpected Phone Call From Your Grandson 

Oh, it was a young man’s voice on the phone, but he said, “Grandma, I’m calling from Rome and I need help.”  Who wouldn’t be concerned?  How did he travel so far from home?  What’s going on?  Asking a few questions like,  “Maybe you have the wrong number.  What did you say your name was?  What’s your sister’s name?”  Ask anything that only the real grandson could possibly know.  “Give me your phone number and I’ll call you back after I ...“  Make some quick excuse and sound sort of confused.  Your brain’s internal warning device is in full swing now.  You’ve heard about scams like this.  Don’t be cheated out of your $$$. 
Facebook gives crooks the information they need to pretend to be your grandchild. http://newyork.cbslocal.com/2013/01/16/scam-artists-using-facebook-to-target-grandparents/     
Alert your grandkids about posting information on Facebook, etc., that would jeopardize you or them!  A good reminder now and then shows you care about their safety.


So, What Can We Do?

While we are bemoaning the loss of truth, honesty, and respect in the world today we of the “generation with years of experience” must continue to be relevant and responsible. It’s part of our heritage, how mama and dad raised us to be decent and trustworthy.  It’s like doing push-ups for exercise.  Now, we’re exercising our brains.  And part of that is continuing communication.  Listen and learn.  Respond as best as you can!  
Let your computer help you keep in touch.  Let PMUG help you learn.  

+ + + 
This was today's PMUG meeting handout from Elaine Hardt, May 18, 2013 

Java and Security Risks

        Prez Art Gorski finds info we need to read and heed.  "In a recent update to Mountain Lion, Apple has removed the Java plug-in used in the Safari web browser. In the future, if you absolutely need Java in Safari, you will have to go download it yourself from the Oracle website.

        "The question is: Do you REALLY need Java in Safari? For the vast majority of Mac users, the answer is NO. So this probably won't affect you.
        "Why has Apple taken this step? Security! See the following interesting article."

Java Fix Doesn't Work (Updated 8-31)

  We start out with the latest warning on Java, received at 3:20 pm Friday, 8-31.  Jim Hamm brings us up to date.  (Then read the rest of this for the background of this huge issue.)

        "Now this is amazing. A few hours after Oracle issued a patch for the security flaw in Java, another exploit has been found. This has been forwarded to Oracle, but since Oracle never comments on these security breaches they didn't say anything. It doesn't appear the hackers have found this opening yet, but after they read this article, they'll probably start trying.

        "Although our risk of hacking might be small, I think it's best to disable Java. I did so a long time ago and haven't missed it yet."

        You saw this here on 8-27.  Here's a warning from Jim Hamm,  "If you've still got Java enabled in your browser, now's a good time to disable it. Another vulnerability with Java has surfaced. Take a read on this. In Safari, Java can be disabled in Preferences > Security > uncheck enable Java."

        With another notice of a potential malware risk from Java 7, Jim sends this link.  The last paragraph in the article states, "Mac owners can disable the Java plug-in from within their browsers, or remove Java 7 from their machines. To do the latter, select 'Go to Folder' from the Finder's 'Go' menu, enter '/Library/Java/JavaVirtualMachines/' and drag the file '1.7.0.jdk' into the Trash."

        Here's a quick test to see if Java is disabled in your browser, from our eagle-eyed Jim Hamm.  He tells us,  "Just click here and if the box comes up empty, you're okay — Java is disabled."

        And, Jim sends the latest:  "Here's an article describing how Oracle knew about the Java vulnerability to a malware attack since early April. And, moving right along at a snail's pace, Oracle doesn't plan a fix till October. Given Oracle's slow response to acknowledging and fixing malware attacks, it's a wonder any developer uses Java at all."

        We were surprised to see a fix announced here this afternoon (Thursday, August 30).  Keep us informed on the latest and we'll pass the word along!  A hot topic: this just came out an hour ago (8-31) and recommends you turn Java off or delete it.  

Gatekeeper in Mountain Lion

        "One feature coming in OS X 10.8, Mountain Lion, is Gatekeeper — an enhanced security feature," announces Jim Hamm.  He elaborates, "Recently, Macs have been attacked by malware, and we'll probably see more attacks in the future. Additional security protection is always welcome. Here are some comments about Gatekeeper.  From AppleInsider and from Apple.com."
        Here Jim goes on to quote from John Gruber of DaringFireball, posted 2-16-12. "My favorite Mountain Lion feature, though, is one that hardly even has a visible interface. Apple is calling it 'Gatekeeper.' It’s a system whereby developers can sign up for free-of-charge Apple developer IDs which they can then use to cryptographically sign their applications. If an app is found to be malware, Apple can revoke that developer’s certificate, rendering the app (along with any others from the same developer) inert on any Mac where it’s been installed.
        "In effect, it offers all the security benefits of the App Store, except for the process of approving apps by Apple. Users have three choices which type of apps can run on Mountain Lion:

1. Only those from the App Store
2. Only those from the App Store or which are signed by a developer ID
3. Any app, whether signed or unsigned

        "The default for this setting is, I say, exactly right: the one in the middle, disallowing only unsigned apps. This default setting benefits users by increasing practical security, and also benefits developers, preserving the freedom to ship whatever software they want for the Mac, with no approval process.
        "Call me nuts, but that’s one feature I hope will someday go in the other direction — from OS X to iOS."

Privacy & Security? HTTPS & VPN

        Earlier we heard from Jim Hamm (posted on 3-28 as "Need to Use an Unsecured Wifi Hotspot") and now he helps us with clarification.  Jim wrote to the developers of Cloak, which is a VPN (Virtual Private Network), "If 'HTTPS' is all one needs to be secure, why have a VPN function at all?"
         HTTPS is Hypertext Transfer Protocol over Secure Sockets Layer (SSL, whose successor is TLS).  It encrypts the page requests and responses that travel between your browser and the web server.
        The reply Jim received explains more about HTTPS and VPN.  The following is quoted from Dave Peck, founder of www.GetCloak.com 
        1. HTTPS helps your browser verify the identity of the server it's talking to. For example, HTTPS can help the browser decide whether it's really talking to your bank. (This is why, if you ever see a warning about certificates when connecting to a site, you should stop immediately.)
        2. Once the identity of the server is verified, HTTPS sets up an end-to-end encrypted connection between you and the server. So to continue the example, HTTPS lets you have a secure communications channel directly with your bank that nobody can listen in on.
        So HTTPS, and the protocol it is built on (TLS), is awesome. And... if everyone used HTTPS/TLS then yes, there would be no reason as an individual to use a VPN like Cloak. There would still be plenty of reasons for small and medium businesses to use VPNs.
        Unfortunately, we don't live in this world, at least not yet. Not everyone uses HTTPS or SSL/TLS (in fact, most web sites don't) and, further, even sites that do use HTTPS often use it badly, or inconsistently. Things seem to fall into four buckets:
        1. Sites that don't use HTTPS at all. This is, sadly, the majority of sites. When you're on a network you don't trust (like at a coffee shop, airport, hotel, or at a conference) anybody can see what you're doing.
        2. Sites that use HTTPS badly. Usually this means they don't use HTTPS everywhere. Prime examples of this would be Facebook and Amazon.com. By default, when you log in to Facebook and Amazon, you log in with HTTPS. It might seem that this protects your username and password, but this isn't quite the case. After you log in, Facebook and Amazon kick you back to HTTP pages. But wait! How do they know who you are on those HTTPS pages? They know who you are because they've cookied you with a non-secure cookie. For the duration of your session with those sites, that cookie is as good as your username and password. Anybody can log in as you and do whatever they want as you. This is what the hacker tool Firesheep was built to exploit, and unfortunately it is all too common -- Firesheep works on nearly 100 different web sites.
        3. Native apps! These days, lots of stuff is done outside of the browser. Does the Twitter App for Mac use HTTPS or TLS? Who knows! We see a lot of problems here these days, and a lot of opportunities for Cloak to make things better.
        4. Sites that use HTTPS well. Your bank, and PayPal, probably fall into this category. For these sites, Cloak doesn't make a difference.
        I would like nothing more than to wake up one day and discover that Cloak is not necessary. But given that only one of four buckets is actually truly secure, I think we're easily five years off from that day. That said, one can never truly predict in the world of technology.
        I should explain, in case it isn't clear, that Cloak isn't an end-to-end solution for security. When you use HTTPS, you get end-to-end encryption: just you and (say) your bank. When you use Cloak, you get encryption from your laptop or iDevice to our servers. From there, things are decrypted. But we host our own servers on networks with great peering agreements and extremely strict security policies. Our networks are trustworthy, whereas presumably the networks "out there" in the wild, like at coffee shops etc, are not. It's only if you truly cannot trust the Internet at all that HTTPS and TLS are your only options.
        Bottom line for all of this: I believe that we still live in a world where Cloak can provide real value; I hope that technologies like HTTPS and SSL will ultimately become so prevalent that tools like Cloak won't be needed anymore. I think we're many years off from that day."
      Thanks to Jim for getting this information for PMUG.
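The "non-secure cookie" problem Dave Peck describes in his second bucket (a session cookie that is sent over plain HTTP after an HTTPS login) can be spotted from the defender's side by looking at the Set-Cookie headers a site sends back. The script below is an added example for this newsblog, not code from Cloak or from anyone quoted above; the response headers in it are constructed, and the list of name fragments used to guess which cookies carry a session is an assumption, not a standard.

```python
from http.cookies import SimpleCookie  # standard-library Set-Cookie parser

# Constructed sample response headers; not captured from any real site.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),          # weak: no Secure
    ("Set-Cookie", "csrftoken=def456; Path=/; Secure; HttpOnly"),  # fine
    ("Set-Cookie", "theme=dark; Path=/"),                          # not a session cookie
    ("Content-Type", "text/html"),
]

# Assumed heuristic: cookie names containing one of these usually hold a
# login or session identifier, i.e. the value that "is as good as your
# username and password" for the life of the session.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into its name and security flags."""
    jar = SimpleCookie()
    jar.load(header_value)
    name = next(iter(jar))
    morsel = jar[name]
    # SimpleCookie stores flag attributes as True when present, "" otherwise.
    return {
        "name": name,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def looks_like_session(name):
    """True if the cookie name suggests it identifies a logged-in session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(headers):
    """Return (cookie_name, problem) pairs for session cookies that a browser
    would also send over plain HTTP or expose to page scripts."""
    findings = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if not looks_like_session(cookie["name"]):
            continue
        if not cookie["secure"]:
            findings.append((cookie["name"],
                             "missing Secure: the browser will send it on HTTP "
                             "pages too, where anyone on the network can read it"))
        if not cookie["httponly"]:
            findings.append((cookie["name"],
                             "missing HttpOnly: readable by scripts on the page"))
    return findings


def has_hsts(headers):
    """True if the response tells browsers to use HTTPS only (HSTS)."""
    return any(field.lower() == "strict-transport-security" for field, _ in headers)


if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
    print("HSTS header present:", has_hsts(SAMPLE_HEADERS))
```

Run against real headers (for instance, the output of `curl -sI https://example.invalid/`, split into field/value pairs), an empty finding list plus an HSTS header is what the fourth bucket, "sites that use HTTPS well", looks like; a session cookie without the Secure attribute is the second bucket.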

Here's More on Security & Privacy

        Ward Stanke passed along more info when he spoke at yesterday's PMUG meeting than his printed handout showed. Be sure to check out Mozilla Firefox because it gives you good choices for security and privacy.  Look at 1Password for a utility to create and store unique passwords.  See it at https://agilebits.com/onepassword/mac .
        Look here about opting out of ads that are tailored to your Web preferences and usage patterns:  http://networkadvertising.org  Their policy is that all NAI member companies set a minimum lifespan of 5 years for their opt out cookies.
        Take a look at this interesting possibility:     http://pobox.com/  You can use a custom email address that you'll own for life.
        Scroll down for Ward's handout reproduced in this newsblog.