Archive for the ‘Internet security’ Category

If you’ve read or heard anything about The Filter Bubble, you know that your online habits, content choices, searches, physical location, etc., are increasingly used to give you a customized view of information. This is true whether we’re talking about search results via Google or updates on Facebook. The main issue with the views being presented to us is that the filtering of information is based on algorithms we have no input into and little ability to change. As a result, the filters can be way off, as in a case given in The Filter Bubble where a search for BP during the last oil disaster brought one person news on the oil leaking into the Gulf of Mexico and another person information on investing in BP. The problem with the latter is that the person wasn’t an investor and couldn’t figure out why their search results would rank such content so highly.

When I did a search of my name using Google, I noticed that there’s definitely a filter being applied. For instance, here’s one search:

Compare this to another search where I’m able to somewhat bypass the filters:

Note the difference in number of results and in how the entries I’ve marked with red arrows are flipped between the two searches. These searches were conducted at about the same time (seconds apart) from the same computer.

Part of how the filters work is that cookies are used to track your browsing habits. That’s something you can control. There are other inputs you can’t control without using a proxy or the like. For instance, note that both searches clearly show my location. This is determined from the IP address range assigned by my Internet provider. So unless I bounce through a proxy, which would mask my originating IP address, this sort of information can be picked up. That’s why I said this is a post on partially avoiding the filter bubble.

The key to avoiding the filters is to remove cookies altogether. Doing this automatically for normal browsing isn’t a good idea. Cookies are often used to keep track of the fact that you’ve logged in successfully to a particular web site, to hold the contents of a shopping cart, etc. So cookies themselves aren’t bad. However, sifting between the cookies you need for the websites you frequent and the cookies tied to tracking and/or advertising can be downright impossible. Therefore, if you could start a browser window that is walled off from your existing cookies, that would be a nice compromise. And you can, depending on your browser.

  • Chrome: Toggle a window with incognito browsing (Ctrl+Shift+N)
  • Firefox: Toggle a window with private browsing (Ctrl+Shift+P)
  • Internet Explorer: Toggle a window with InPrivate browsing (Ctrl+Shift+P)

If you look closely at the second search results, you’ll see in the upper left corner a figure that looks like a spy. That’s how you know that Chrome window is incognito. The other main browsers have similar indicators. Open up the appropriate private mode for your browser and issue your search from that window. That should reduce some of the information being used to figure your results.


Read Full Post »

I help out from time to time at my church with the computer systems, but admittedly my time doing so is limited. My primary responsibility is to be the junior high youth pastor with a secondary responsibility of being the Awana commander. But recently I’ve had to spend a little more time with the secretary’s computer, because we’ve had a couple of malware outbreaks. Nothing major, but last night I put in more countermeasures to try and eliminate them as much as possible. Here are some things you can do, too.

OpenDNS:

OpenDNS does some filtering at the DNS level: even if you’re sent to http://www.somebadsiteyoudontknowabout.com, a known malware site, it hands back an address that doesn’t match where that site really is, so you never reach it. It’s low level and seamless, and it’s a first layer of protection. It won’t stop malicious code placed on a legitimate site, nor will it stop a brand-new site that just popped up. However, known old baddies are effectively blocked.

Note that you don’t have to sign up to use OpenDNS’ services. You can simply change your DNS servers to the two they publish, and that gives you that minimal level of filtering. If you do sign up you can customize the filtering, but I believe this requires an agent installed on a computer on your network unless you know you have a static IP (and if you don’t know what that is, chances are you don’t have one).

Microsoft Security Essentials:

This was installed initially when we first built the computer. If you haven’t heard of Microsoft Security Essentials, it is Microsoft’s free antivirus solution. It received good reviews when it first came out and I’ve been satisfied with the job it has done. It is lightweight and is among the best with respect to detection results. It also has a very clean user interface that makes it plain what’s going on.

Spybot Search and Destroy:

Spybot S&D has a resident program called TeaTimer that detects attempts to write to the registry and offers some protection against malware behavior. It can consume a good bit of memory, but the computer this was installed on has memory to spare. This is something I added last night, though in the past I haven’t. Once upon a time, if you used Spybot you typically used this tool. However, nowadays opinion is mixed, probably because of the performance cost.

Leaving UAC On:

UAC stands for User Account Control. Starting in Windows Vista, the logged-on user’s processes don’t run with administrative privileges. Therefore, to do something that requires admin rights, you get prompted. In Vista it can get really annoying, because sometimes simple things require a confirmation, but it’s a whole lot better in Windows 7. In any case, most day-to-day operations should never require admin-level access. On the computer in question, nothing the normal users do should require it. As a result, I’ve left UAC on and instructed the users not to click OK or Yes when something asks for escalated rights.
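Layers like these only help if they are actually in place, so it is worth checking rather than assuming. The following PowerShell script is an added example, not something from the original post or from OpenDNS or Microsoft. It checks two of the countermeasures above: that every active adapter resolves only through OpenDNS, and that UAC is still switched on and still prompting. It assumes the two OpenDNS resolver addresses hard-coded in it are the ones OpenDNS currently publishes (verify against opendns.com), and it reads the standard UAC policy values under HKLM.

```powershell
# Added example (not from the post): posture check for the OpenDNS and UAC
# countermeasures. Assumptions: the OpenDNS resolver addresses below match
# what opendns.com currently publishes; the registry values are the standard
# Windows UAC policy values.

$OpenDnsServers = @('208.67.222.222', '208.67.220.220')  # verify against opendns.com

function Test-OpenDnsConfigured {
    # Win32_NetworkAdapterConfiguration is available on Windows 7 as well as later versions.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        # Drop null/empty entries so an adapter with no DNS servers reports zero, not one.
        $servers = @($a.DNSServerSearchOrder | Where-Object { $_ })
        $strays  = @($servers | Where-Object { $OpenDnsServers -notcontains $_ })
        [pscustomobject]@{
            Adapter     = $a.Description
            DnsServers  = ($servers -join ', ')
            OpenDnsOnly = ($servers.Count -gt 0) -and ($strays.Count -eq 0)
        }
    }
}

function Test-UacEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0 means admins are
    # elevated silently with no prompt, which defeats the point of leaving UAC on.
    [pscustomobject]@{
        UacEnabled     = ($p.EnableLUA -eq 1)
        AdminsPrompted = ($p.ConsentPromptBehaviorAdmin -ne 0)
    }
}

function Test-RunningUnelevated {
    # With UAC on, even an administrator's normal session reports $true here,
    # because it runs with a filtered (non-admin) token until a prompt is accepted.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    -not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Test-OpenDnsConfigured | Format-Table -AutoSize
Test-UacEnabled
"Current session is unelevated: $(Test-RunningUnelevated)"
```

Run it from a normal (unelevated) PowerShell window. An adapter that reports OpenDnsOnly as False is still resolving through the ISP or router and is not getting the filtering; UacEnabled False or AdminsPrompted False means someone has turned the prompts off, which is exactly the situation the users were told to avoid.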

Is This Enough?

Truthfully, no. One of the things we struggle with as security professionals is security awareness among end users. Even relatively smart and tech-savvy IT pros (including IT security pros) can be caught flat-footed by old and emerging threats. It’s not a matter of if a computer will be hit if it accesses the Internet, but when. The best thing we can do is to continue to educate users, to help them understand (in their own terms) why something might be an attack and what to do if they suspect something. Most attacks prey on the trust users have in the system. I can’t make users as paranoid as I am, but I can help make them more aware of just how insidious attackers have become. This will always be an ongoing process.

Read Full Post »

Just recently, my oldest son entered the ranks of the teenagers. I shouldn’t actually say teenagers, because I have come to not like that word, mainly because of the influence of the book, Do Hard Things. But with 13 came access to email and to Facebook. Here’s how I tackled things, not only setup, but initial education.

The Email:

The first thing I did was set him up with an email account with one of the many providers out there. I could have set him up through one of my domains, but I decided this would be easiest for him, especially since I had already planned on getting him a decent cell phone. When I chose the name, I avoided obvious “tells” such as references to video games, to popular cartoons, or to anything else that might scream, “I’m not an adult.” Instead, I went with a variant of his full name, one that would be appropriate on a professional resume.

Now, most email providers let you register another email address to contact in case you need to get back into the account. I set up that recovery email to be one of my wife’s accounts, and I promptly gave her the email address and password to my son’s new email account. I have it, too. The email account password is a strong passphrase with some alterations. It’s not one you’d tie to him in any way, but it is one he can easily remember.

Then I pre-loaded his contacts list with the folks he would most likely want to contact and sent an email from his account to all of those contacts sharing the email address and indicating that it was me setting up his email since he was a newly minted 13-year-old. This, of course, served three purposes:

  1. It gave him access to the email addresses of the people he’d most likely email.
  2. It gave those people his legitimate email so they wouldn’t be tricked by an account they thought might be his.
  3. It gave them an opportunity to wish him a happy birthday!

Facebook:

With his email account set up, it was time to set up my son’s Facebook account. I used the email address just created, but chose a completely different passphrase. This ensures that should one password be compromised, the other one isn’t. I went through his profile, configuring the basic information that was necessary and hiding the rest. While Facebook does offer some protection for those who are classified as minors, I’m not going to rely on that. So among the things I did:

  • I did not specify his current city. He has already been told not to set this.
  • I specified an older hometown rather than his current one. Folks who legitimately know him will recognize the hometown and know they have the right person.
  • I did not publish his birthday to Facebook (yes, he’ll get posts on his birthday, but how old he is will remain hidden).
  • I locked things down to friends of friends for much of his information, because he is in a youth group and so there has to be some flexibility there.
  • I turned off the location features that Facebook now offers.
  • I configured initial interests that I knew were appropriate for him. For instance, Chris Tomlin as a musician he liked.
  • I picked a reasonable profile pic that I had. He eventually changed it to another acceptable one, a photo of him with his grandfather.
  • And again, my wife and I have his password.

The Phone:

Truth be told, I was looking for a really basic phone that would allow him to call us and to text. For those teens thinking, “No fair! My parents won’t let me have a phone!” it is truly a mixed blessing. As the old AT&T commercial went, him having a phone means I can “reach out and touch someone,” namely him, whenever I want. We have a dispersed church campus and we spend a lot of time there, and tracking him down could sometimes be a chore. Not anymore! Now I can get him any time. And believe me, my wife and I have (ab)used this greatly since he got his new phone.

He’s on our plan, which is pretty robust since my wife and I both carry smartphones due to my ministry and professional commitments. Looking at the phones, however, the only decent set of phones I saw also had a built-in camera and the ability to connect to Facebook and email. As I thought about that, though, it occurred to me that this was just fine. So we got him a good phone, and I set up Facebook and his mail on it, because I knew this would be his primary interface to those two mediums. That restricts some of what he can do, but it also protects him a great deal because the phone doesn’t have a lot of functionality. It’s not a smartphone, so certain security threats are naturally eliminated.

The Education:

Next came educating him on everything. I started with the phone, which is his primary means of communication. First there was the explanation of the shared plan and that his phone use should be limited. He knows my wife and I will check the minutes religiously, so he’s been good about his usage of his phone. Then I showed him how to call out, how to text, and how to access Facebook and email, to get him started quickly. The rest he picked up from reading the instructions that came with his phone. He knows his phone only has a 1 GB card in it, so he has to limit the photos he might take.

Then, when we got home, I went over email and Facebook. The first rule is, if it looks too good to be true, it probably is. Then we talked about the mentality of attackers on the Internet. They basically don’t care how they get you, as long as they get you. While this is slightly overstating things, and may seem a bit paranoid, having worked in IT security for a number of years, I know it’s not. My son knows I worked in IT security and so when I said “Pay attention,” he really did. Let’s talk about the basics:

Getting Something from Someone You Don’t Know: Unless you were expecting something, say from school, and just didn’t know the sender’s address, automatically be suspicious of this, whether it’s an email, a Facebook message, or a Facebook friend request. This is a play on your trust.

Getting Something from Someone You Do Know That Doesn’t Fit: This is the classic con game. I explained to him that it’s not too hard to make an email look like it came from someone you know, when it really didn’t. Technically, it may have, but their computer is infected. So if they send something that’s out of character for them, like sending an attachment, don’t open it. Instead, write them back and ask them if they really meant to send it. Even if they did, be suspicious.

If You Get an App Request for a Photo or Video, Close Out the Tab: Facebook photos and videos do not require an application request. If you get one, that means it’s not legitimate. Don’t play around with navigation. Simply close that tab, open a new one, and go back to Facebook. If it was posted to your wall, go into your profile and delete it so it doesn’t get someone else.

If You Get a Prompt Saying You Need to Update Software, Check with Me: We talked about how attackers have used false software updates to push malware onto a system. The unsuspecting user thinks they are getting a needed software update to, say, Adobe Flash, and what they are really doing is infecting their system. His account doesn’t have rights to do a software update, so he has to check with me anyway, but should he see such a prompt, he needs to tell me right away.

If It Appeals to What You Know You Shouldn’t Be Messing with, Avoid It: Scantily clad girls, adult content, beer/alcohol ads, etc., it makes no difference. Not only should he not be going after such things because of his age, but it’s just dumb on the Internet. Attackers know what our vices are. And they know that when it comes to our vices, we’ll let down our guard, meaning it’s easier to push malware onto our systems. So knowing that attackers are using our weaknesses against us, it’s just smart to steer clear. It’s not just about purity, it’s also about IT security.

Limit the Facebook Games You Play: I used to play a handful of Facebook games. One was because my cousin was in QA for Zynga and he asked me to play one to give him honest feedback. But over time I started tracking the number of hours spent each week on those games. I wasn’t pleased with those numbers. They are incredible time sinks. They also collect personal information on you from Facebook. So I told him to limit it to a few sets of games I’d approve of. Bejeweled Blitz is one, though that can be addictive. But any of the -ville games are definitely out. This isn’t an IT security one, just a common sense one.

Understand What a Phishing Attack Is: We talked about how attackers will make a link look legitimate but it’s not. Therefore, if it’s something that asks him to disclose any personal information, even his email, he immediately should delete/ignore it. If he thinks it might be legitimate, then he needs to let me see it.

If You Have Any Doubts, See Me: I knew that with the brief education I gave him, he would occasionally come across things he wasn’t sure what to do with. In those cases, he needed to talk to me or my wife (who would likely just ask me). And then I reminded him of the next one.

On the Internet, Be Paranoid: As a security professional, I came to understand the following maxim very well: “Just because I’m paranoid doesn’t mean there isn’t someone out to get me.” There are plenty of attackers looking for anyone they can take advantage of. There are sexual predators out there who will pretend to be a teenage boy or girl and want to be his friend, all to arrange a meeting with him. If you don’t know the person, if you aren’t sure you can trust something, check in with me. It’s better to be safe than sorry.

Likely More to Come:

I’m sure there are some other things I’m leaving off, but this is what we started with, so far as I can remember. It was sort of like a brain dump on him, but he’s done well thus far. Now it’s about ensuring he stays diligent.


Read Full Post »

I had seen others using the FourSquare application and decided to give it a try. Here’s basically what it does:

  • It allows you to post check-ins of your location for your friends to see.
  • It allows you to see the location of your friends.
  • It allows you to post tips or things to do at the locations you check in at.
  • It allows you to see others’ tips and things to do at the locations.
  • It allows you to post a message communicating something you choose at the check-in. For instance, you could post who else you are with if they aren’t using FourSquare.

And all that sounds good. You get to choose when and where you check in, so you don’t have to reveal what you don’t want to. Only the friends you approve can see where you are… Well, sort of.

FourSquare also integrates with Twitter and Facebook. Now when you check in, you can tell it not to tweet or post to Facebook. It will honor that. But if you earn a badge or dethrone someone as mayor (meaning you’ve been to a location more often lately), it will tweet and post to Facebook if you have them configured. In my case, there were times I wanted FourSquare to communicate info, but not always. However, there wasn’t an option to disable the communication of badges.

I gave FourSquare a decent try over several weeks, including in another city. Ultimately, I decided FourSquare wasn’t for me. Here’s why:

  • I couldn’t stop the badge tweets that were spamming my Twitter and Facebook.
  • Locations can be entered by anyone and duplicate locations are frequent. So you could be at the same place as a buddy and not realize it.
  • Checking in was easy, except I couldn’t change the default to not tweet and not post to Facebook. That meant every time I checked in, I would have to uncheck those boxes.
  • I didn’t get any value out of it because those friends who use it tend to tweet their locations if it is somewhere I want to be as well.

Therefore, in the end, I have uninstalled FourSquare from my Blackberry. I will still play the game involving four squares and a playground ball, but with respect to this social media experiment, I am taking my ball and going home.

Read Full Post »

In recent days I’ve seen folks jump on Facebook groups and become fans of pages which I know, from a glance, are not what they appear to be. Part of the reason I know they aren’t goes back to my experience as an IT security professional. Part of it goes back to my experience as a web developer. So when I see one of these groups that makes a claim I know cannot be met with the architecture and design of Facebook or Twitter or whatever technology you want to speak of, I know it’s false and that means the group or page has an ulterior motive. But my signals or clues are based on my experience. This is especially concerning for me since a lot of my youth are on these sites and they may not realize a threat for what it is. And that threat could lead to something far worse than a stolen password, a hijacked account, or an infected computer.

So what I want to do is figure out a way to deconstruct those cues so that a regular end user without a security or web development background can learn them and make reasonable assessments themselves. There’s too much of this nonsense going on. And that’s the reason it has made my goal list. I want to figure out how to make an easy-to-understand, informative presentation with realistic instruction on how to judge potential security threats on social media sites. A presentation targeted not at IT, but at the end user. I know this isn’t going to be an easy undertaking, but I think it’s gotten to the point where it’s necessary.

If you’re interested in collaborating with me, shoot me an email at kbriankelley {at} acm {dot} org

Read Full Post »