Category Archives: Internet

Sensible passwords

By now you’re probably sick of hearing the password mantras “use long, complex passwords”, and “don’t reuse specific passwords for multiple accounts”. Sick or not, that advice is still valid, and anyone who signs in to online services should be following it.

But you can make your online life a bit easier if you give some thought to the risk associated with each account you’re trying to protect. A password used to access an obscure web forum doesn’t need to be as complex (and difficult to remember) as the password for your online bank account.

Researchers from Microsoft and Carleton University have done the math, and conclude that this risk-based approach is sound.

We still strongly recommend the use of an offline password manager such as Password Corral or Password Safe. But at least now you can consider using easier-to-remember passwords for some accounts.

Microsoft issues emergency update of Certificate Trust List

A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.

Microsoft was quick to react, issuing an update of their Certificate Trust List on July 10. Anyone using Internet Explorer should install the update as soon as possible.

Canada’s new anti-spam law

There’s a lot of confusion and panic about CASL, the new Canadian Anti-Spam Law, which went into effect on July 1. Like many of you, I’ve been receiving slightly panicky email from businesses, asking me to consent to receive bulk email from those businesses. In fact, asking to confirm consent is not necessary in most cases.

The rules

If you ever send email with multiple recipients in Canada, then the new law may apply to you. That said, there are numerous exceptions. For instance: personal, family, and other non-commercial email is excluded, as is most inter-business and intra-business email.

If you were already following the rules (PIPEDA), you are almost certainly fine to continue what you were doing before. The basic rules of CASL are the same, namely:

  • To send commercial email, you must have consent from all recipients;
  • email must include contact information for the sender;
  • email must include a method for unsubscribing; and
  • email must not be deceptive in any way.

Consent

Most of the confusion about CASL is related to the issue of consent. Two forms of consent come into play: explicit and implicit. The Canadian Government’s information about consent is helpful in understanding the difference. If you obtain recipient addresses by asking customers if they would like to receive business-related email from you, and only record addresses of those who agree, then you already have explicit consent; there is no need to re-obtain consent.

The deadline

Some of the panic about CASL stems from the apparent deadline of July 1, 2014. In fact, although the law came into effect on that date, you have until July 2017 to comply.

What about Twitter?

Another source of confusion is that the new law seems to cover any Internet-based service that sends messages to multiple recipients, including web forums and Twitter. While technically true, most web-based messaging services make it very easy for a recipient to identify the source of a message and to unsubscribe.

An example of what NOT to do

Microsoft recently informed recipients of its security-related emails that it would stop sending those emails. It turned out that this was an ill-informed overreaction to CASL. CASL does not apply to email containing safety or security information. Even if CASL did apply, it would only have applied to Canadian recipients.

Additional information

Microsoft adds encryption to its email and cloud storage services

Traffic into and out of Microsoft’s Outlook.com email service will now be encrypted, as long as the other end also supports encryption. Both Outlook.com and OneDrive, Microsoft’s cloud storage service, now use random keys that are generated for each session.

That last change is a strong indication that Microsoft’s motivation in making these changes is to regain public trust in the wake of Snowden’s revelations. The NSA and other law enforcement agencies can only read encrypted communication if they obtain the encryption keys, and now those keys are temporary and disappear after use.
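Why keys that exist only for one session matter, as an added example that is not part of the original post or of Microsoft’s implementation: a toy Diffie-Hellman exchange in Python, once with a reused long-term server key and once with fresh keys on both sides, showing that a captured transcript can only be decrypted later in the first case. The modulus is the 1024-bit MODP group from RFC 2409 (group 2), the stream cipher is a toy for illustration only, and all function names are assumptions.

```python
import hashlib
import secrets

# 1024-bit MODP prime (RFC 2409, group 2), generator 2. The demonstration
# does not depend on which group is used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def keypair():
    """Fresh Diffie-Hellman key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(my_priv, peer_pub):
    """Session key = SHA-256 of the shared DH secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 keystream XOR); same call encrypts and
    decrypts. Illustration only, not a real cipher."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def static_session(server_priv, server_pub, message):
    """Server reuses its long-term DH key every session (no forward secrecy).
    Returns what a passive observer on the wire captures."""
    client_priv, client_pub = keypair()
    ct = xor_stream(derive_key(client_priv, server_pub), message)
    return {"client_pub": client_pub, "server_pub": server_pub, "ct": ct}

def ephemeral_session(message):
    """Both sides use fresh keys; the private exponents are dropped when the
    function returns, so nothing kept on disk can unlock this transcript."""
    client_priv, client_pub = keypair()
    server_priv, server_pub = keypair()
    key = derive_key(client_priv, server_pub)
    assert key == derive_key(server_priv, client_pub)  # both sides agree
    ct = xor_stream(key, message)
    return {"client_pub": client_pub, "server_pub": server_pub, "ct": ct}

def decrypt_with_compromised_key(capture, compromised_priv):
    """What an eavesdropper who later obtains a long-term private key gets."""
    key = derive_key(compromised_priv, capture["client_pub"])
    return xor_stream(key, capture["ct"])
```

With the reused key, handing over the server’s private exponent later decrypts every recorded session; with per-session keys the same compromise yields nothing, because the exponents that produced each session key no longer exist.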

Ars Technica has additional details.

Microsoft gets careless in its anti-malware efforts

Up to now we’ve been happy to report on the successes of Microsoft’s work on hindering or shutting down botnets and other malware networks and sites. But their most recent actions in this area were heavy-handed, resulting in millions of legitimate domains going offline.

From Microsoft’s official blog post:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.

That all sounds fine, except for one thing: No-IP was also being used for millions of domains with perfectly legitimate purposes. Microsoft says they knew this, and took measures to protect non-malicious domains.

Backlash against Microsoft’s actions is ramping up. Microsoft’s PR people are now saying that this is all due to a technical error, but given their characterization of No-IP (see above), it seems more likely that this is just spin, and they really did mean to kill all domains using No-IP’s services.

Brian Krebs has additional details, as does Ars Technica.

Update 2014Jul03: Microsoft has returned control of the No-IP domains to No-IP. There’s still some doubt as to whether Microsoft acted in good faith: No-IP claims they were never contacted by Microsoft prior to the domain seizure; Microsoft claims otherwise. Regardless, I imagine No-IP will quickly move to remove clients using No-IP for nefarious purposes.

Update 2014Jul13: The EFF has a useful follow-up on the debacle.

Twitter worm spread via TweetDeck

If you use Twitter at all, you may have noticed a strange tweet showing up in your feeds yesterday. The tweet is actually a script that takes advantage of a bug in the popular desktop Twitter application TweetDeck.

The developers of TweetDeck took it offline briefly to deal with the problem, and the glitch was later confirmed to be fixed.

Anyone using TweetDeck is being told to log out and back in to make sure the fix takes effect.

Denial of Service attack against Feedly

I’ve been using Feedly as my main RSS feed reader for several months now, having tried several other alternatives to the now-defunct Google Reader.

Unfortunately, as I write this, Feedly is down. A Denial of Service (DoS) attack began when the site’s operators refused to pay extortionists to avoid the attack.

Feedly staff are working with their Internet Service Provider to mitigate the attack and hope to have service restored soon.

Graham Cluley has more.

Update 2014Jun12: Feedly seems to be back up and running normally. Feedly: 1; Internet extortionists: 0.

More flaws found in critical security software

Two new vulnerabilities were recently discovered in widely-used security software OpenSSL and GnuTLS.

The OpenSSL vulnerability is not as dangerous as the infamous Heartbleed bug, but can allow attackers to pull private information from communications between unpatched systems, including passwords.

The GnuTLS vulnerability can be used by malicious persons to execute arbitrary code on devices accessing specially-crafted web pages.

As with Heartbleed, these vulnerabilities mainly affect servers, although client software and operating systems that use the GnuTLS and OpenSSL libraries are also at risk. Patches are expected to be made available soon.

Tools to reduce browser-based tracking

The search engine DuckDuckGo has received a lot of attention because of its attitude towards user privacy. Unlike Google, DuckDuckGo doesn’t store your search queries. Their motto is ‘The search engine that doesn’t track you.’

Not everyone cares whether their online activities are tracked. But for those who do, DuckDuckGo’s Fix Tracking! page is an excellent source of information. Once you’ve selected your web browser, you’ll be presented with a list of tools and techniques that can help to reduce the amount of tracking that is done when you use that browser.

The Fix Tracking! page also contains a section describing Common Tracking Methods. Recommended reading.