Following tech with the consumer in mind » security

Web Safety and Crime on the Internet

William Gamoni — Fri, 18 Apr 2008 16:03:29 +0000

The latest news from United Kingdom’s major retail bankers says that if your online bank account has been compromised and you didn’t use any Internet computer security software such as antivirus and antispyware (e.g. Norton 360), you solely bear the responsibility for the loss, and they won’t compensate you a dime. A clause has been added to the newly updated Banking Code to make this very clear.

According to recent Internet safety and online identity fraud research, the British Police are being informed of a new cybercrime event every 10 seconds. This accounted for over GBP 300 million in financial loss for private and business bank customers in England in 2007. However, many online computer safety specialists claim that the vast majority of online crimes are never reported because they haven’t been detected or were of a lesser severity.

They don’t risk their lives to get money, they don’t shoot at anyone any more, and they don’t do any physical harm to their victims. Today’s crime is online crime and uses computer safety holes and threats in software and equipment to sneak money from peoples’ pockets while they’re sitting right in front of their laptops. No need to shoot nor to threaten anybody. Just a few smart code snippets smuggled into the victim’s PC via email or a booby-trapped website and you are done. Simple as that.

As Marcus Ranum, the author of The Myth of Homeland Security, explains, cybercrime delivers a criminal with a means of automation and the advantage of being anonymous. The criminal needs very little in terms of information technology knowledge or hardware and can cross global borders very fast, making it more effortless to hide and harder to be prosecuted.

So remember that you, the web user, are alone responsible for your doings online. And if you get your online banking password stolen and money robbed by cybercriminals, chances are no one except you will pay for this. Your identity is already an easy enough target for those knowing how to steal it. To minimize the chance of this happening, be sure to get yourself a copy of at least some of the free antivirus and antispyware software available.

My First MySpace Friend: SPAM

Bob Caswell — Mon, 10 Mar 2008 17:51:45 +0000

So I joined MySpace about a week ago and was already annoyed at the way they sent me my password over email. But then, just a few days later, I got an email with my first MySpace message / friend request from someone named Riley whose profile picture is a girl in a swimsuit. Originally, her (or his?) profile showed the same city and state that I live in, though now it’s been changed to Greenville, Ohio. Here’s the text of the message:

“Heya sunshine!
I recently broke up (9 months ago) and am ready to date once again. I’m not looking for a serious relationship though. It’s too soon. A little about me: I’m adventurous, outgoing and open-minded. I’m pretty good-looking and healthy. I like going out but also dont mind snuggling! If you make me laugh, you’re half way into my heart. I was browsing the site; my best-friend. After figuring out how things worked I came across your profile. I’m interested! I hope you’re not shy and that you’ll respond. Please dont reply directly though, this is really not my profile, I’m just borrowing it. Send your reply to my real email address instead: kate_cannon_x@yahoo..

Thanks and have a nice day!”

Interestingly enough, I’ve used Facebook and LinkedIn for years now and have never had this problem (or the previous password problem I discussed). But MySpace, for being the most popular social network out there, continues to disappoint. And it’s only been one week!

Perhaps I’m the exception rather than the rule, but if anyone joining MySpace for the first time should expect spam posing as a wannabe friend within one week… Wow, it just seems like one more issue to fuel the lack-of-privacy fire.

In MySpace’s defense, they do have some spam settings in the privacy section of your profile. I suppose it’s nice to be able to customize those settings, but I wonder why the default setting gets me spam? I suppose that’s the catch-22 of social networking and privacy: default openness vs. default privacy. What should those defaults be?

I’m personally a fan of “opting in” to the “my profile is accessible to everyone in every possible way” configuration rather than having to “opt out” of it. But I get the impression that, in general, the default demographic for social networks may prefer it the other way around. And that can make implementing decent privacy settings all the more tricky…

Coincidentally, MySpace updated both their terms of use and privacy policy this past week. Of course, it’s not like I read that relatively long legal verbage every day (if ever). So I have no idea what might have changed recently.

MySpace: Emails My Password But Says “Keep It Secret. Keep It Safe.”

Bob Caswell — Tue, 04 Mar 2008 19:39:17 +0000

I picked on search engine Mahalo as an example of a company emailing its customers passwords. I mentioned how having your password floating around openly on mail servers can defeat the purpose of having a password in the first place. Mahalo’s founder and CEO, Jason Calacanis, joined the discussion and some good thoughts were shared from both sides of the issue.

Today I found out that MySpace is on the list of companies sending out passwords through email. I finally signed up (that could be a separate conversation, why I’ve ignored MySpace till now) and promptly got a welcome email with my password staring back at me. MySpace, though, takes it one step further and adds insult to injury by saying “Keep it secret. Keep it safe.” right below my visible password. As if I had a choice at that point, MySpace, you just made it less secret and less safe.

But, of course, I used a I-don’t-care-as-much-if-others-know password that I wouldn’t use for other “important” sites. And I’m sure that the hundreds of millions of MySpace users do the same (yeah, right). In all seriousness, though, I can see how certain sites don’t need the same level of security as others. As an example, there is an obvious difference between MySpace and your bank in terms of security.

In reality, though, there’s a wide spectrum of sites and services protected by passwords. It’s not black and white with only “banks” on the one side and “social networking” on the other. So who should decide which service deserves what level of protection? Well, in this case, it’s my opinion that it’s in the best interest of any company protecting your information with a password to avoid sending that password insecurely over email.

But assuming a world where there will always be companies that send passwords in emails, the very least they could do is tell you this before you decide on your password. That way, you’d know to what degree a company values the protection of your information before you decide on what password to give them.

One very simple implementation of this is that of a company showing you your password as you choose it. You’d then know that this should be a less important type of password. In fact, I’m not sure why asterisks are necessary to “hide” your password as you’re typing it the first time if 30 seconds later the same password previously hidden by asterisks is visible on screen in your email.

However the “less secure” message is conveyed before you create your password, is it too much to ask for this kind of disclosure from companies?

Note: This article is cross-posted at BobCaswell.com.

Your GPS Knows More Than You Think

Tyler Reber — Mon, 03 Mar 2008 17:01:07 +0000

Being that I’m studying for my bachelor’s degree in information technology security, I often find myself experimenting with certain computer security measures and countermeasures. Currently I’m enrolled in a class that focuses on computer and data forensics. Because of this, I have access to trials of some interesting computer forensics programs such as Access Data: Forensic Tool Kit (FTK) and Technology Pathways ProDiscover. Both of these are used by top computer forensics agencies for recovery and analysis of computer hardware and accessories.

Naturally I’ve been experimenting with this software (specifically with ProDiscover) over the past couple of weeks and have found that it is quite good at doing what it does. What is that, you ask? Well, ProDiscover can be used to capture an image from a data source such as a hard drive, jump drive…or even a GPS navigation device. An image such as this contains all of the digital information contained on the device, sometimes even deleted information. That leads me to the topic of today’s article. If you sell your old (or maybe new) GPS navigation device and you have taken the precaution to reset it to factory settings, does it really delete all your old contacts and data?

The answer to this question came surprisingly just a few days ago as I was getting ready to ship my TomTom ONE 3rd Edition navigation system to a buyer from Amazon.com. I realized that before I could ship the system, it would be important for me to have it erase my favorites and added points of interest. While this may not always be of the utmost importance, you may not want your potential buyer to have access to data regarding your home address and the addresses and phone numbers of your 100 closest friends.

In order to erase this data, I simply found the option in the preferences menu to reset the device to factory settings and confirmed my selection twice. Upon doing so, the device reset and allowed me to enter all the initial configuration information just like it would have you do the very first time you turned it on. All is well, or so I thought.

Being the curious type that I sometimes am, I decided it might be fun to connect the TomTom to my computer and have ProDiscover capture an image of it. My objective in doing this was to find out if any of my personal information could still be recovered from the device, AFTER it had been reset. I waited about 30 minutes until the imaging process was complete and what I found was not really too surprising, though maybe at the least a bit alarming. Even after the device had been reset, I could still find instances of both my home address and my school address in deleted files on the TomTom device. Granted, I did have to search for them specifically, but they were still there.

What does this mean? Probably not a whole lot, unless you are ultra paranoid about your personal information. Nine chances out of ten, no one will spend the time or effort to find this information on a device that you have sold. I tried this mainly just to see what would happen, and I ended up learning something in the process. With that said, it may be relevant for TomTom (and other GPS manufacturers) to include some sort of encryption layer for user data on the device, in the future. This way you could have the peace of mind that once you do a factory reset, your data really is inaccessible.

*Update* In related news, TomTom announced the release of two new products for the end of April: the TomTom GO 930 and the TomTom GO 730. Both have some pretty nifty features.

Bad Form: Companies Still Send Passwords via Email

Bob Caswell — Mon, 11 Feb 2008 15:06:26 +0000

Let’s face it; we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate.

So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

This type of action, to me, is a sure sign of amateurs at work. In fact, it’s the lazy man approach for me to give (or take away) initial credibility to any company, startup or established: see how they handle the process of creating an online account.

So who gets picked on today? Search engine Mahalo, which is too bad, really, since they otherwise have plenty going for them. In their own words: “Mahalo is a human-powered search engine that creates organized, comprehensive, and spam free search results for the most popular search terms.”

It’s a fairly useful site and doesn’t require an account for much of what you can get out of it. But there are certain features and functions you do need an account for. So I signed up without hesitation and trusted the site subconsciously by using one of my “real” passwords. When I received the subsequent welcome email, there my password was, staring right back at me.

My only workaround to this all-too-common problem is to sign up with any new service with a token I-don’t-care-if-you-know-my-password password only to change it to a real password after a) I receive that initial “thanks for signing up, here’s your account info” email and see that the password was not included and b) find that I am interested in using the service for longer than just my first time of messing around.

But even then, I’ve seen some companies send out a “thank you for changing your password” update email which shows both your new and old password. (I’m not sure how Mahalo handles this; I haven’t gotten that far with them.)

What can make it even more of an eye roller is when the situation is thick with irony. I remember last year: An otherwise reputable affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!

Now, Jason Calacanis, the founder / CEO behind Mahalo seems like a reasonable guy. I’ve emailed him to ask for this to be changed (or an explanation). I can already give you the generic explanation I’ve heard before from other companies: “If you forget your password, you can just look it up in your email.” Here’s a better solution:

If I forget my password, I email support at mahalo.com (or whatever appropriate address) saying as much. Mahalo then should email me (only to the email registered in my account) a randomly generated temp password that only works for a limited amount of time. But it’s enough to get me into my account and allow me to change my password.

Is it a perfect solution? No. Just the first simple solution that comes to mind (that I’ve seen implemented elsewhere). There are other methods, too, like asking you for your mother’s maiden name / third grade teacher / favorite animal, etc. at the time of account creation. The site then asks you one of those questions if you’ve forgotten your password. Even then, though, it shouldn’t just let you in. Again, it should send a temp password to the email address on file.

I’m no security expert. But I do know that most any solution is better than automated open emailing of passwords.

*Update* Thanks to Jason Calacanis for responding (see comments below) and opening up for discussion via Twitter. For anyone interested, feel free to follow me on Twitter here.

Note: This article is cross-posted at BobCaswell.com.

How Much Is All Your Email Worth? Answer: $50

Bob Caswell — Sat, 26 Jan 2008 15:32:52 +0000

This past week a national cable and high-speed Internet provider by the name of Charter Communications accidentally deleted all the contents of 14,000 active email accounts. A spokeswoman for the company explained that there is no way for them to retrieve anything that was erased. The spokeswoman offered this explanation and apology:

“We really are sincerely sorry for having had this happen and do apologize to all those folks who were affected by the error… During this maintenance we erroneously deleted active accounts along with the others. It’s never happened before. They are taking steps to make sure it never happens again.”

As a result, the company has decided to give every affected customer a $50 credit on their bill. So there you have it: according to Charter, at least, your online email account and data is worth about $50. The company, which has around 2.6 million high-speed Internet subscribers, could have done worse than taking a $700,000 hit. But the irresponsibility of the situation shows that they could have done much, much better.

Indeed, how can a multi-million dollar company with millions of subscribers not have any sort of data backup? But then again, who’s really to blame here? Charter offers this “free” email account to any of its customers who pay for Internet service. And it’s likely to have the same terms of service as all the freebie email accounts available online: you know, the “we provide no guarantee and accept no liability, use at your risk” type of agreement no one actually reads.

The point is that, in many ways, $50 is quite generous even if obviously undervaluing most anyone’s personal value of all emails. But imagine if this was Google (Gmail), Yahoo, or Microsoft (Hotmail) making the mistake. Would they give you anything? Answer: No.

So the moral of the story is just how much we take for granted products or services we pay nothing for. Perhaps I’m alone here, but I would actually pay something reasonable for an online email account if the repercussions of a screw up valued my collective emails at a price well above $0 to $50. But that reality doesn’t exist and is part of the reason I still use a desktop email client (Thunderbird) to download and save all my emails locally.

Data Privacy & Portability: Who owns what? Who can see what?

Bob Caswell — Thu, 10 Jan 2008 15:24:55 +0000

The privacy and portability of your online data may become more of an issue in 2008. News is out today of a Federal case which will investigate whether the use of a false identity could be considered Internet fraud under federal statutes. This was originally triggered by the October 2006 case in which a 13-year-old named Megan Meier committed suicide after receiving “cruel” messages on MySpace (messages allegedly received from the mother of a school rival who was posing as a 16-year-old boy).

Take this news and mix in this BBC piece which discusses how Facebook will have an uncomfortable year due to privacy issues, and we’re back to question of who owns what data online? And who should be able to see what? These are not easily answered questions. After all, there are different types of data (email address vs. phone number, for example) and different types of decision makers (13-year-olds, twenty-somethings, baby boomers, etc.).

But even if more control and ownership were given back to the user, we’d still see conflicting opinions. For control, how granular should it be? While I may want lots of levers to pull for sharing and unsharing tidbits of my information differently with different people, someone else may find that confusing. And for ownership, how will we deal with the viral nature of information spreading? Even if you “own” something, what stops anyone with whom you’ve shared from doing whatever they want with your theoretically “owned” data?

It’s a big mess that many don’t care about (or are perhaps in denial?). But 2008 is shaping up to be the year where online data control and ownership will be in the spotlight.

TC News: GDrive Evidence Surfaces, Use GPay on Your Phone to Pay for Stuff, “Who’s Afraid of Google?”

Bob Caswell — Wed, 05 Sep 2007 03:55:42 +0000

div>TechConsumer News is a feature we started out of a hobby of tracking the latest happenings within the consumer related technology sphere. The goal is to provide a concise, compiled overview of the most intriguing stories from the last few days. Today’s news roundup focuses on Google. Feel free to give us feedback or send us tips.

Here’s the latest in TechConsumer [Google] news:

Google Blogoscoped stumbled upon evidence which suggests the rumored GDrive (Google online storage) will be made available publicly, likely as part of Google Apps. Apparently, Google Apps accounts allow you to “change the query string parameter on the page where you can disable services.” The important part is that by doing this, the option to disable GDrive is given (even though it was never enabled). See the screenshot below:

Google submitted a patent application filing named Text Message Payment on Friday. The patent explains how “GPay” can be used to make payment via text messages. An example of how this works is in scenarios where you would pay for items in vending machines or at retailers. If rumors of the GPhone come true, then expect to see GPay as a default service for the GPhone. See the screenshot below:

The Economist (subscription required) has joined the ranks of those questioning Google’s antics, asking some of the same questions TechConsumer’s Tom asked in his article entitled, Is anyone else nervous about Google? The Economist compares Google to a bank: “Just as financial institutions grew to become repositories of people’s money, and thus guardians of private information about their finances, Google is now turning into a custodian of a far wider and more intimate range of information about individuals… [Google] will be the one to test the limits of what society can tolerate.”

Gmail Vulnerability and Fix

Tom Caswell — Tue, 07 Aug 2007 20:15:19 +0000

div>Last weekend a Gmail vulnerability was demonstrated at DEFCON, one of the oldest continuous running hacker conventions. Though it’s not specific to Gmail, a session hijacking demonstration by Robert Graham showed hackers can take over a users email account by simply sniffing network traffic and stealing web browser files called “cookies.” A simple fix for Firefox users is to install an add-on called Better Gmail. This Firefox extension forces Gmail to connect using a secure connection (https://) all the time, which eliminates the problem.

Google is looking into adding secure sessions (https://) to their connections, but it will take time. If you still use Internet Explorer, be sure to type “https://www.gmail.com” to check your email. This will also prevent network sniffing problems.

Pet Peeve: Why do companies still send me my password through email?

Bob Caswell — Thu, 15 Mar 2007 19:28:49 +0000

Let’s face it; we all reuse the same password for login accounts all over the Internet. At best, some of us create a few passwords through which we rotate. So why is it that some companies still insist on sending me my password via email right after I create my online account? The reason I have a password in the first place is so that it doesn’t flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers.

Just the other week, a classic case of stupid reminded me of this. An affiliate program I signed up for wanted to make sure that my password was at least eight characters long and included both numbers and letters. It was then promptly sent out to my email. Wow. Thanks for making sure it was a good password!