I was helping a customer with her Facebook account the other day, checking the security. Up popped the ubiquitous security hints. In theory, these hints to help you recover your password are a good idea. In practice they are often frustratingly laughable. Case in point, the Facebook questions:

What was the name of your first pet? This is okay if you had a pet, and a good memory.
What was the name of your first grade teacher? WTF? I can barely remember most of my university profs’ names. I have been trying for the life of me to remember their names (we moved midway through the year so I had two teachers) and I can’t.
What are the last 5 characters of your driver’s license? I can’t answer the first 2, so I’ll just get up, stroll across the room, find my wallet, pull out my license (and bifocals) and put in the numbers. Yeah, right.
What street did you live on when you were 8 years old? I can’t even remember my damned first grade teachers’ names. Hang on a minute while I call up my mom and ask her.
What is the name of the first boy or girl you kissed? WHAT? How old were the people who thought these up? Seriously!
In what city or town was your mother born? Okay, we have a winner! This one is achievable.

My point is, security questions like these fail to take into account that not everyone is 16 years old, with first grade not that long ago. It’s great if you have enough fingers and toes to count back to when you were 8, but after a certain point in time, it’s just another hassle. It’s one thing to finally dredge up an answer; it’s another thing to remember it a year down the road.

To me, the hallmark of a good company is one that understands the user. These are the companies that offer a series of set questions, then the lovely option to write your own question. So if you are in charge of website security, please keep in mind that not all of us have the nimble recall of a teenager. Don’t offer up one more obstacle to your user when you don’t have to.

A long while ago, I wrote about securing your wi-fi network. It has become painfully clear to me that many still do not take even the most elementary steps to protect themselves. There are pressing reasons why you should never leave your internet wi-fi connection unsecured: legal issues (do you really want the police thinking it’s you who is downloading all the kiddie porn, or the recording industry knocking on your door because of illegal music downloading?) and privacy issues (never allow anyone the chance to wander through your personal files) come to mind first. But there is a monetary reason as well. If you leave your wireless internet connection open, you invite someone to use up your download allowance. Don’t think this is an issue? Listen to this cautionary tale.

I was called in by a customer a few months back. He was completely gobsmacked by a bill he had just received from his internet provider. He was charged in excess of $400 in overage fees. Each company will allow you quite a bit in download allowance; every page you visit, every song you listen to and every movie you watch is added towards your monthly allowance. Once you hit your bandwidth cap (how many gigabytes you can use up in a month, regardless of whether it’s movies, email, etc.) you are charged an overage fee, and these are hefty. Since my customer had been away for 2 weeks, he couldn’t fathom how he managed to run up such a high bill. In the past, he barely came close to using 1/4 of his allowance.

I looked over his account and yup, it showed a lot of activity, even when he was gone. It didn’t take much detective work to figure out what was going on. A quick peek under his desk told me everything I needed to know: lo and behold, there sat a shiny new wireless router complete with little antennae. I asked him about it and he said a friend came by and gave it to him and set it up as well. This was a great gift, no doubt about that. However, the simple security steps below were not taken:

Logging onto the router was too easy. No new password was set, so I was able to access the router using the factory issued password. Big no-no. ALWAYS change your router password, and never use your street address, last name or your kids’ names. Change the login name as well. Don’t make it easy for freeloaders.

Looked at the logs and found an unknown person connected to the wi-fi. Someone in my customer’s building had logged onto his connection and was doing massive downloads; who knows what, movies, music or gaming. Hard to say, but it adds up quickly and eats away at your usage cap. Mystery solved: the unknown neighbour had hooked up and enjoyed a hell of a ride on my customer’s nickel.

Checked the wireless settings and found a network setup which was wide open. Not even WEP security was set. What makes this tragic is that this customer didn’t use wireless, so it should have been shut off completely. At the very least a WEP key should have been assigned, but WPA2 would have been better. Stronger encryption means better security. This would have blocked the freeloader completely; he or she would not have been able to even connect.

The SSID (network identifier) was still set at the default. That should have been changed. Leaving it at the default is a tip-off that there may be more security problems. The first thing I think when I see a default SSID is that the person likely just plugged the router in and didn’t take care of the little details. When you choose an SSID, don’t choose your address, family name or anything that can make it easier to identify where you are. Nothing screams BREAK IN like a router with your name on it. Privacy should be your biggest concern; there is no sense setting up a secure network but still advertising to the outside world where you are. If you can, take the extra step and hide your SSID so that it is not broadcast. I don’t always do this with my customers because some of them simply can’t remember their SSID (let alone the piece of paper I wrote it down on and securely put into a folder and put into a drawer for them) and endlessly call me saying they forgot again.

So follow these basic steps for securing your network:

  1. If you don’t need wi-fi, shut it off.
  2. If you use wi-fi, assign encryption.
  3. Change your SSID and preferably hide it.
  4. Change your router login and password.

These simple steps would have saved my customer $400. In hindsight, this was a hell of an expensive router.
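To show how the four steps above and the log check turn into something you can run against a router’s settings, here is an added example (my own illustration, not code from the original post). The settings dictionary, owner hints and client list are constructed sample data; a real router exports these in its own format, so the keys are assumptions.

```python
# Added example, not code from the original post: audit a router's settings
# and client list against the four basic steps. All data below is constructed.

# Constructed sample of the settings an exported router config might hold.
ROUTER_CONFIG = {
    "wireless_enabled": True, "wireless_needed": False,  # customer did not use wi-fi
    "encryption": "none",  # one of "none", "WEP", "WPA", "WPA2"
    "ssid": "linksys", "ssid_broadcast": True,
    "admin_user": "admin", "admin_password": "admin",
}
# Constructed owner details, used only to catch names built from them.
OWNER_HINTS = {"street": "maple", "surname": "smith", "kids": ["emma"]}
# Constructed connected-client list (MAC, hostname) as a router log shows it.
CLIENT_LIST = [("00:11:22:33:44:55", "owners-desktop"),
               ("66:77:88:99:aa:bb", "unknown-laptop")]
KNOWN_MACS = {"00:11:22:33:44:55"}

DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin"}
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
ENCRYPTION_RANK = {"none": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def mentions_owner(value, hints):
    """True if an SSID or password contains the owner's street, surname or kids."""
    words = [hints["street"], hints["surname"], *hints["kids"]]
    return any(w.lower() in value.lower() for w in words if w)


def audit_router(cfg, hints):
    """Return one finding per basic step that was skipped."""
    findings = []
    if cfg["wireless_enabled"] and not cfg["wireless_needed"]:
        findings.append("step 1: wi-fi is on but not needed; shut it off")
    if ENCRYPTION_RANK.get(cfg["encryption"], 0) < ENCRYPTION_RANK["WPA2"]:
        findings.append(f"step 2: encryption is {cfg['encryption']}; use WPA2")
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append("step 3: SSID is the factory default; change it")
    elif mentions_owner(cfg["ssid"], hints):
        findings.append("step 3: SSID identifies the owner; pick a neutral name")
    if cfg["ssid_broadcast"]:
        findings.append("step 3: SSID is broadcast; consider hiding it")
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDS:
        findings.append("step 4: router login is the factory default; change it")
    elif mentions_owner(cfg["admin_password"], hints):
        findings.append("step 4: router password is built from owner details")
    return findings


def unknown_clients(clients, known_macs):
    """Clients in the router log that are not on the owner's device list."""
    return [c for c in clients if c[0].lower() not in known_macs]
```

Running `audit_router(ROUTER_CONFIG, OWNER_HINTS)` on the sample reproduces the customer’s situation (every step flagged), and `unknown_clients` picks out the neighbour’s laptop the way the logs did.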

Facebook has a big plate of eggs on its face after its Beacon information collection came to light. It has highlighted the current information gathering frenzy going on on the Internet.

It seems to be the vogue to collect streams of data and then claim it is part of a “technical checking process”, as Facebook spokesman Matt Hicks claimed, or that the information was not stored, used or sold. If this is the case, then why go to the bother of collecting all the data in the first place? Isn’t there a more efficient way of providing a “technical check”? That phrase is nothing more than marketing blather.

In this case the info gathering went far beyond gathering benign data; it was used to track purchases online. The data was then shared with other users and advertisers without consent. This flies in the face of Facebook’s claim that the data was not used in any way. Sounds to me like what we used to call a bald-faced lie. How Facebook can stand up and make their claims of innocence is beyond me.

If what Facebook was up to is not entirely clear to you, then let me quote from The Nation’s article on the subject:

Facebook had launched Beacon, which was using “social advertising” technology to broadcast information about online purchases without many users’ consent. The idea was to convert private commerce into public endorsements: “Ben Bloom ate at the restaurant Junnoon,” read one ad, with a prominent head shot of Ben displayed next to the company logo. But what if Ben didn’t want his lunch date to be an ad? Beacon enrolled people automatically, offering users a choice to “opt out” of each ad on an individual basis.

The sharing and using of information is implicit in this program. To claim the information collected was not used or shared is false. How can this program work without the use of the data? I don’t hear any explanation of this ethical two-step anywhere. Just a resounding silence.

Sit back for a minute and ponder the implications of such unauthorized intrusions into your social life. Let’s say you scooted on over to your favourite bookstore’s website to purchase a Christmas certificate for a friend. Next thing you know, your face is all over the internet advertising the fact you love the place so much you’ve done your Christmas shopping there. And what do you get for the use of your face and loss of privacy? Not a damned thing, except perhaps your friend now knows what their present is. Merry Christmas!

This isn’t “social advertising”. It’s just plain old advertising done in a dishonest manner. No matter how you dress it up, this was not ethical. Sounds a lot like the Emperor’s New Clothes, and yes, the Emperor is indeed naked. I can just imagine the corporate folks who thought up this gem sitting around the big table justifying the Beacon software: Oh what money we’ll make, and how little we’ll have to pay. We can do an end run around the advertising firms, no costs! We can get our customers to do all our work for us! Wheeee… what a scam.

I tend to be very wary of signing my name to anything on the Internet. Everyone wants my address, name, phone number, hat size… some companies want this information before I use their self-serve support to figure out issues with THEIR equipment. I now have a stock set of answers for their questions. My name is Piss Off, and yup, I actually get unsolicited email, from companies that swore they would not use the information, addressed to Dear Piss Off. My email is noneoff_your@damnedbusiness.com. My phone number is 555-555-5555. My address is whatever large company ticks me off at the moment. This works every time. You are welcome to use my technique for avoiding the useless info grabbing; it’s fun and cathartic at the same time. You might have to vary the email a bit; many of my customers use it and you may find it’s already taken. I get downright rude in some of my answers because this is a waste of my time and an unwarranted intrusion upon my privacy.

I’m waiting to see which corporation gets it in the neck next month for this type of egregious behaviour. I just know it will happen again.

  • User Liability Information.

    Information is supplied on a use at your own risk basis. Catpaw Computer Consulting offers no warranty or guaranty concerning the tips, hints and information supplied. Again, use at your own risk.

    All content wholly owned by Catpaw Computer Consulting and may not be copied without permission.
