Category Archives: Privacy

What is a VPN?

VPN stands for Virtual Private Network. It is a technology that creates a secure and encrypted connection between two points on the internet. This connection is established by using VPN client software on a device that connects to a VPN server, typically located in a different geographic location.

When a user connects to a VPN server, the user’s device becomes part of the private network established by the VPN server. This allows the user to access the internet as if they were physically located in the same location as the VPN server.

The primary benefit of using a VPN is that it provides a secure and private connection, which is especially important when accessing sensitive information, such as financial data or personal information, over public Wi-Fi networks or when accessing geo-restricted content. It also helps to protect against hackers, identity theft, and other online threats by masking the user’s IP address and encrypting their internet traffic.

(Ed: written by ChatGPT; verified by jrivett.)

What is spyware?

Spyware is a type of malicious software designed to gather sensitive information from a computer system without the user’s knowledge or consent. This information can include personal information such as passwords, credit card numbers, and online browsing habits, as well as system information such as installed software and hardware specifications. Spyware can be installed on a computer through a variety of means, such as email attachments, infected websites, and bundled software. Some spyware is designed to monitor a user’s activities for advertising purposes, while others are used for more malicious purposes such as identity theft and financial fraud. Spyware can cause a number of problems for a computer user, including decreased system performance, slow internet speeds, and a loss of privacy. It is important to protect your computer from spyware by using anti-virus software and avoiding downloading suspicious files from the internet.

(Ed: written by ChatGPT; verified by jrivett.)

Another breach at a password storage service: LastPass

Using a password manager is still the best way to securely record all your passwords. This assumes that you are in fact using different passwords for every web site and service that require one. If you’re using the same password for everything, you are risking your privacy, financial security, and sanity.

So… which password manager should you use? Most of the major password management services (1Password, LastPass, etc.) store your passwords on their own servers, and there’s no question that this provides some benefits in terms of convenience, with the main one being that you can access your passwords from anywhere. You don’t have to back up your password data or copy it between devices; it’s maintained by the service provider and easily accessible via their web site.

But this convenience comes at a huge cost: the risk that your passwords will be compromised when the service provider experiences a security breach.

A recent breach at LastPass is, sadly, only the most recent example. In this case, the LastPass servers were compromised and attackers gained access to user data. The company first reported the breach in August 2022, but downplayed the impact on users. Their latest announcement finally provides the full story, and acknowledges that the attackers gained full access to user data, including encrypted passwords.

More about the breach from Bruce Schneier.

Although LastPass is to blame for the breach and compromised user data, passwords in the user data obtained by the attackers are all encrypted, and there’s no way to magically decrypt them without knowing the master passwords of individual users. However, that just means that the people who have the data will be using brute-force techniques to crack those passwords. For users whose master password is long and complex, it would take years–if not centuries–to crack, but if your master password is simple or commonly-used, all of your passwords are now known by these attackers.

Something for your to-do list: if you use LastPass, and your master password is easy to crack (check it here), you should immediately change ALL of your passwords.

In my opinion, you’re much better off using password management software that stores its data locally, on your own computer. Then you only need to worry about someone getting access to your computer, which you can actually control.

I’ve long recommended Password Corral for Windows users. It’s simple, secure, and free, and it stores its data locally only.

Other password managers that use only local storage include PasswordSafe, KeePassXC, and KeeWeb. Password managers that can be used with local storage include Roboform, and Sticky Password.

And remember that when you use a ‘cloud’ service, you’re just storing your data on a total stranger’s computer, which may or may not be managed and secured competently, and which you have basically no control over. Cloud stuff is convenient, but the risks of using it indiscriminantly are enormous.

Some VPN services should be avoided

People use VPNs (Virtual Private Networks) for lots of reasons, both legitimate and… less so. They are commonly required for remote access to workplace computers by employees. They are used by people who do their banking from public WiFi networks. They are used by people who can’t afford to pay for dozens of streaming and cable services and instead rely on still-considered-illegal downloads of copyrighted media. And some people use VPNs to get around ridiculous regional limitations on access to streaming media.

I myself fit into at least two of those general categories of VPN users. I won’t say which.

Because people want (and rightly feel they deserve) access to their culture, and because Big Media is willing to go after absolutely anyone who dares to defy their stranglehold on culture, savvy media consumers rely on VPNs to avoid costly (and absurd) lawsuits.

But sadly, some VPN services exist only to fleece gullible consumers. There are numerous ways in which a VPN provider can cause problems for its customers:

  • Faulty service can leave the customer’s activity exposed.
  • Logging customer activity, and being willing to provide those logs to Big Media’s law enforcement lackeys, essentially renders a VPN service pointless.
  • Requiring installation of software that is then used by the VPN provider to route other customer traffic through the customer’s computer is just a horrible idea.
  • Selling customer information to anyone who wants it.
  • Poor security can lead to customer data being exposed.

Recently, a group of VPN providers, all owned and operated by one company in Hong Kong, was discovered to be doing many of the problematic things listed above. Needless to say, all of these VPN providers should be avoided:

  • UFO VPN
  • FAST VPN
  • FREE VPN
  • SUPER VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

In general, VPN services should be carefully researched before using them. There are numerous VPN rating sites on the web, but many of them are maintained by the VPN providers themselves, and not to be trusted. TorrentFreak’s “Which VPN Providers Really Take Privacy Seriously” series is both trustworthy and comprehensive, and focuses on investigating the privacy claims of VPN providers.

There’s also a growing chorus of voices encouraging people to reconsider their reliance on VPN services for privacy, arguing that the way most of these services work provides little actual privacy for their customers. Techdirt has more along those lines.

There’s more on the welivesecurity site.

Brian Krebs recently investigated the extremely shady proxy service provider Microleaves (currently being rebranded as ‘Shifter.io’). This service uses a huge network of computers runing their software, often installed without the knowledge of their owners.

Pegasus spyware

Pegasus is spyware that can be installed on Apple and Android mobile systems. It’s difficult to detect, and difficult to remove. Pegasus is developed by NSO Group, who deny that the software is being used for anything nefarious, or that if it is, that use has nothing to do with NSO Group.

The methods used to install Pegasus on mobile devices have changed over the years. It can be installed directly, with physical access to the target device, which is presumably how it ends up on devices legitimately. Pegasus can also be installed more surreptitiously. Previously, that involved inviting the user to click a link in an email or SMS message. More recently, it’s being installed using app and O/S exploits that require no interaction from the user, including a very nasty exploit for WhatsApp.

Pegasus is not a virus. It does not spread on its own. Further, it’s important to distinguish between Pegasus and the methods used to install it. Pegasus does not typically arrive on a device at random. Devices are specifically targeted, and those targets are often used by journalists, suspected terrorists, and other people whose activities are tracked by government agencies and criminal organizations.

The main problem here is not Pegasus, but the way security vulnerabilities are discovered and — more importantly — how information about vulnerabilities is disseminated. Unfortunately, some organizations perform this research not for the public good, but for themselves and their partners, legitimate and otherwise. In an ideal world, when a vulnerability is discovered, the vendor is informed privately and then proceeds to develop and release a fix. In reality, vulnerabilities and exploits are often hoarded.

Advice to anyone who operates a mobile device and wants to reduce the likelihood of Pegasus or other unwanted software being installed without their knowledge: stay informed regarding security vulnerabilities in your device’s O/S and any apps you run. When you learn about a zero-click exploit, immediately install a fix if one is available, or uninstall the affected app. If it’s an unpatched O/S vulnerability, all you can do is hope that you’re not being targeted.

Related

Canada Revenue Agency hacked; shuts down online services

Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on their services.

The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.

Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.

Access to the compromised accounts was apparently gained via ‘credential stuffing’, which is based on the sadly-still-true fact that many people continue to use specific passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.

The CRA is in the process of alerting people whose accounts were compromised.

Firefox 74.0

A new version of Firefox fixes some annoying problems with pinned tabs, improves password management, adds the ability to import bookmarks from the new Chromium-based Edge, resolves some long-standing issues with add-on management, introduces Facebook Container, and addresses several bugs, including twelve security vulnerabilities.

The release notes for Firefox 74.0 provide the details.

Starting with Firefox 74.0, it is no longer possible for add-ons to be installed programmatically. In other words, add-ons cannot be added by software; it can only be done manually by the user. Add-ons that were added by software in previous versions of Firefox can now be removed via the Add-ons manager, something that was previously not possible.

Facebook Container is a new Firefox add-on that “works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.” People who are concerned about Facebook’s ability to track their activity across browser sessions and tabs can use this add-on to limit that tracking, without having to access Facebook in a separate browser.

You can wait for Firefox to update itself, which — assuming that option is enabled — may take a day or so, or you can trigger an update by navigating Firefox’s ‘hamburger’ menu to Help > About Firefox. You’ll see an Update button if a newer version is available.

Firefox 72.0 and 72.0.1

Security fixes and some welcome changes to notifications and tracking protection were released in the form of Firefox 72.0 on January 7. Firefox 72.0.1 followed the next day, adding one more security fix.

Site notifications are those annoying messages that pop up when you’re browsing web sites, asking — somewhat ironically — whether you want to see notifications for that site. You can still choose to see those, but now Firefox lets you suppress them. To control notifications, navigate Firefox’s Settings to Privacy & Security > Permissions, then click on the Settings button next to Notifications.

Firefox’s already helpful tracking protections were enhanced in version 72 with the addition of fingerprint script blocking. Fingerprinting is a technique used by many companies to better understand you and your online behaviour. While arguably harmless (it’s mostly about providing better ad targeting) fingerprinting is also creepy and a privacy concern. By default, Firefox now blocks scripts that are known to be involved.

Current versions of Firefox default to updating themselves automatically, but you can check for available updates by navigating Firefox’s menu to Help > About Firefox.

LifeLabs hacked; patient data compromised

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.

Firefox 69.0: security improvements

The latest Firefox includes fixes for at least twenty security vulnerabilities, and improves overall privacy and security by enabling Enhanced Tracking Protection by default.

When enabled, Firefox’s Enhanced Tracking Protection reduces your exposure to the information-gathering efforts that otherwise silently occur when you browse. It also provides protection against cryptominers, which surrepticiously use a portion of your computer’s resources to make money for someone else.

New in Firefox 69.0 is a feature that allows you to block any video you encounter, not just those with autoplayed audio: Block Autoplay.

The ‘Always Activate’ option for Flash content has been removed. Firefox now asks for permission before it will play any Flash content.

Default installations of Firefox will usually update themselves, but if you’re not sure what version you’re running, click the browser’s ‘hamburger’ menu button at the top right, then navigate to Help > About Firefox.