Category Archives: Privacy

Opera 40

Version 40 of alternative web browser Opera includes several major enhancements. Most notable among the changes are:

  • free, unlimited, no-log browser VPN service: when turned on, the browser VPN creates a secure connection to one of Opera’s five server locations around the world;
  • automatic battery saving features for mobile device users;
  • Chromecast support via the Chrome extension;
  • improvements to the video pop-out feature;
  • the newsreader feature now supports RSS feeds;
  • updated browser engine (Blink, aka WebKit).

Sadly, the folks behind Opera seem to be taking a (rather dysfunctional) page from Mozilla – at least in the way changes are reported. Release announcements for Opera are still in the same place on the Opera Desktop blog. But whereas changes in previous versions were reported in changelog posts on the desktop blog (such as this one for version 39), on a page on the Opera documentation site (which stops at version 37), and on the Opera history page (which also stops at version 37), there doesn’t seem to be anything like a change log for Opera 40. Hopefully this is a temporary issue, and something better is on the way. But I’m not holding my breath. This trend toward a general reduction in (and dumbing-down of) information provided to users is not helpful, in my opinion.

Cory Doctorow on the future of the privacy wars

Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”

After providing some background on the current privacy situation, and how we got here, Doctorow speculates on what will happen when even the absurd notice-and-consent terms of use agreements that we see (and blindly agree to) every day are gone, leaving us surrounded with devices that invade our privacy without any pretense at consent, all in the name of commerce.

In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.

Meanwhile, Doctorow wonders whether and when this will come to a head with some kind of legal challenge. There have been attempts to challenge the validity of terms of use agreements that nobody ever reads, but so far the results are not promising.

I’d like to see Microsoft singled out for its current Windows strategy, which includes gathering and transmitting user information, ostensibly for the purpose of providing better support, but which can also be used to better target advertising, another feature of newer versions of Windows. To be sure, these features are currently protected behind terms of use agreements, but even those could disappear in a world dominated by smart devices.

Doctorow is worried about this, and so am I.

The EFF scolds Microsoft for anti-consumer Windows 10 tactics

The Electronic Frontier Foundation (EFF) is “the leading nonprofit organization defending civil liberties in the digital world.” If you’re not familiar with their work, you should be.

In a recent post on their site, the EFF provides a scathing review of Microsoft’s troublesome decisions in relation to Windows 10, including: hitherto unheard-of free upgrades; insistent and entrenched upgrade prompts on Windows 7 and 8; pushing Windows 10 upgrades via Windows Update; categorizing privacy-compromising and advertising-related updates as important for security; user interface tricks that are common to malware; collecting and transmitting large amounts of potentially sensitive data from Windows computers to Microsoft; failing to provide either adequate explanations for — or methods for disabling — various unwanted features; obfuscating their intentions behind claims of improved security and enhanced functionality; and claims that Windows Update is somehow unable to function without privacy-violating functionality enabled.

It concludes with a stern warning:

Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.

Otherwise it will face backlash in the form of individual lawsuits, state attorney general investigations, and government investigations.

We at EFF have heard from many users who have asked us to take action, and we urge Microsoft to listen to these concerns and incorporate this feedback into the next release of its operating system. Otherwise, Microsoft may find that it has inadvertently discovered just how far it can push its users before they abandon a once-trusted company for a better, more privacy-protective solution.

Windows users face a choice:

  • Option #1: Continue using Windows 7, 8 and 10. Trust that Microsoft’s intentions are good; that they are not really trying to control what we see, and track what we do, when we use Windows.
  • Option #2: Continue using Windows 7, 8 and 10. Assume that Microsoft will back down from its more aggressive moves, whether prompted by consumer backlash or legal action.
  • Option #3: Continue using Windows 7, 8 and 10. Disable what you can, block what you can, and stop using Windows Update, hoping that this will prevent Microsoft from compromising your privacy, but making your computer increasingly less secure.
  • Option #4: Continue using Windows 7, 8 and 10. Rely on the computing community to develop ways to block Microsoft’s attempts to control and monitor users (without compromising security), as we’ve already seen in the form of GWX Control Panel and other software.
  • Option #5: Stop using Windows 7, 8 and 10. Rather than wait for Microsoft’s plans to reach their probable conclusion (a Microsoft-controlled advertising platform on every desktop), switch to a less problematic operating system, such as Linux.

Recommendation: Option #5 if you can; otherwise Option #4. Option #3 should be viewed as a temporary solution only, and dangerous in the long run. Option #2 is probably overly optimistic. Option #1 is just sadly naive.

The Verge and Techdirt have their own take on the EFF’s post.

Microsoft: “Upgrade to Windows 10 or we’ll make Windows 7 and 8.1 just as bad.”

Microsoft just announced the next move in their fight to push their advertising platform into our faces, and it’s very bad.

Let’s review, shall we? Microsoft really wants you to use Windows 10. Their official explanation for this includes vague language about reliability, security, productivity, and a consistent interface across platforms. Their claims may be true, but they hide the real reason, which is that Microsoft saw how much money Google makes from advertising, realized that they had a captive audience in Windows users, and added advertising infrastructure to Windows 10 to capitalize on that. The privacy-annihiliating features are easily explained: the more Microsoft knows about its users, the higher the value of the advertising platform, since ads can be better targeted.

A short history of Microsoft’s sneakiest Windows 10 moves

Move #1: Offer free Windows 10 upgrades for Windows 7 and 8.1 users. Who doesn’t like free stuff? Many people jumped at this opportunity, assuming that newer is better.

Move #2: Dismayed by the poor reception of Windows 10, and upset by all the recommendations to avoid it, Microsoft creates updates for Windows 7 and 8.1 that continually pester users into upgrading, in some cases actually upgrading against their wishes or by tricking them. Angry users fight back by identifying and avoiding the problematic updates.

Move #3: Still not happy with people hanging on to Windows 7 and 8.1, Microsoft creates updates that add Windows 10 features to Windows 7 and 8.1, including instrumentation related to advertising. Again, users fight back by identifying and avoiding these updates.

Move #4: Microsoft announces that business and education customers can avoid all of the privacy-compromising and advertising-related features of Windows 10 through the use of Group Policy. This is good news for bus/edu customers, but then again, those customers pay a high premium for Enterprise versions of Windows already. At least now Windows 10 is a viable option for those customers.

Move #5: Microsoft realizes that the Group Policy tweaks provided for bus/edu customers can also be applied to Pro versions of Windows, Microsoft disables those settings in the Pro version. Windows 10 Home users never had access to those settings. Angry users are running out of options.

Move #6: Which brings us to today. Since the only way to avoid privacy and advertising issues (borrowed from Windows 10) in Windows 7/8.1 will be to stop using Windows Update entirely, angry users are now looking at alternative operating systems.

We know business and education customers won’t be affected by this latest change. The rest of us will have to suffer – or switch.

Assuming Microsoft doesn’t back way from this decision, I imagine my future computing setup to consist primarily of my existing Linux server, and one or two Linux machines for everyday use, development, blogging, media, etc. I’ll keep a single Windows XP machine for running older games and nothing else. In this scenario, I won’t run newer games if they don’t have a console version. Aside: if I’m not the only person doing this, we might see a distinct decline in PC gaming.

Dear Microsoft: I only kind of disliked you before. Now…

Computerworld has more. Thanks for the tip, Pat.

Connecting everything to the Internet is dangerous

By now, you’ve probably encountered the term “Internet of Things”, usually abbreviated as IoT. It refers to the rapidly increasing number of devices that are capable of connecting to the Internet. Cars, fridges, thermostats, lights… basically, anything that can be built to include a few microchips can be made to talk to the Internet. Usually wirelessly. Often silently, by default.

Which of course is a perfect scenario for a whole new category of security breaches, privacy concerns, and other, related issues.

Recommendations:

  • Where possible (and unless you have a good reason not to) avoid purchasing any non-computer device that’s Internet-capable.
  • If you must use such a device (and unless you have a good reason not to) disable any Internet-related features.
  • If you’re unable or unwilling to disable a device’s Internet features, at least configure it to maximize security.

Bruce Schneier’s recent analysis of the dangers of IoT is excellent, and definitely worth reading.

TeamViewer: security risk

The free-for-personal-use remote control software TeamViewer is currently under intense scrutiny. Large numbers of users are reporting unauthorized access to their computers, theft of login credentials, and in some cases, access to online financial systems and theft of funds.

It remains unclear exactly how these unauthorized intrusions are happening. TeamViewer officials are so far denying that the software has been hacked, insisting that the current surge in TeamViewer-based attacks are the result of password re-use, combined with the recent publication of several databases of stolen credentials.

Until we know for sure what’s going on, we recommend removing TeamViewer from all computers on which it is installed.

If removal is not an option, as may the case for some support setups, then you should configure TeamViewer to not start with Windows, only start it when asked to do so by support staff, and then close it when their work is complete.

TeamViewer General Settings
Recommendation: disable the option that starts TeamViewer with Windows.

You should also avoid using fixed, personal passwords, relying instead on the temporary passwords TeamViewer generates when it is started, or at least make sure that your personal passwords are strong and unique. Oddly, there’s no way to disable a fixed, personal password, once it’s set up, so your only option in that case is to set it to something very long and random.

TeamViewer Security settings
Recommendations: set the personal password to something very long, complex, and unique, then don’t use it. Avoid the ‘Grant easy access’ feature. Change password strength of random passwords to 10 characters.

Criticism of TeamViewer is building, and the company’s response to this issue has been somewhat less than stellar. If they are convinced that the problem is re-used passwords, why have they not forced a password change for all TeamViewer accounts?

TeamViewer’s makers also seem unwilling to consider the notion that the software itself has been hacked in some way, instead focusing on TeamViewer accounts. An account is not required to use TeamViewer, and exists only as a master address book for people who use TeamViewer to access many different computers. If your TeamViewer account is compromised, an attacker will then have full access to all computers in your account.

To their credit, Teamviewer is working to add new features to the software that should beef up its security. But the new features only affect TeamViewer accounts. If you don’t have a TeamViewer account, you won’t see any benefit.

Update 2016Jun06: TeamViewer management continues to insist that the problem only affects TeamViewer accounts, not the TV desktop client. We recommend avoiding TV accounts if possible. If that’s not an option, make sure you enable two factor authentication (2FA) for the account, and use a complex, unique password.

There’s a lot of discussion about this over on Reddit. One post contains reports from users who have experienced TeamViewer-related intrusions. Another provides instructions for determining whether your computer has been accessed via unauthorized use of TeamViewer.

Meanwhile, we’re wondering whether it might be helpful if TeamViewer showed a large red warning when setting up an account, like this:
WARNING: if there's only one site or service where you use a strong password, let it be your TeamViewer account. Because if someone gets access to your TeamViewer account, they will also have full access to all of the computers you access through your account.

Privacy-related updates to avoid on Windows 7 & 8.1

If you use Windows 7 or 8.1, by now you’ve no doubt noticed that Microsoft is trying to push you to upgrade to Windows 10. In my opinion, Microsoft is doing this because Windows 10 includes a lot of features that track your activities, and the information gathered is extremely valuable for the purposes of advertising. Windows 10 doesn’t have a lot of advertising yet, and Microsoft denies that this is what they’re planning, but it seems clear that Microsoft is jealous of Google’s enormously lucrative ad-supported empire.

But what about all those people staying with Windows 7 and 8.1? Microsoft’s solution is to retrofit those versions, via Windows Update, with some of the privacy-invading features from Windows 10. And of course, because we’re talking about Microsoft, they’re trying to hide what they’re doing by obfuscating the true purpose of these updates. The language used to describe these updates tends to include phrases like “This service provides benefits from the latest version of Windows to systems that have not yet upgraded.”

We’ve discussed the KB3035583 update (and how to remove it) before. That’s the update that adds all those annoying upgrade prompts to Windows 7 and 8.1. But you should be aware of (and watch for) a few other sneaky updates. These have been generally categorized as ‘telemetry’ updates; a reference to the way they monitor what’s happening on your computer.

Telemetry Updates

If you want to avoid these telemetry updates, check to see if they are already installed. If they are, uninstall them, and use the ‘hide’ feature of Windows Update to prevent them from reappearing. If you see these updates listed in Windows Update, make sure to de-select them, then hide them.

Varying interpretations

Woody Leonhard is getting a bit of a reputation as a Microsoft apologist. You may recall that he refused to believe that Microsoft would push Windows 10 onto Windows 7 users, and later had to admit he’d been wrong. Woody’s analysis of the telemetry updates is predictably pro-Microsoft.

At the other end of the spectrum, there’s a project on Github that consists of a batch script that automatically removes all of the telemetry updates from Windows 7 and 8.1. It actually removes twenty-one updates, many of which are shady for other reasons besides privacy.

A more balanced analysis is provided by the GHacks site. This article identifies the most problematic (telemetry) updates and explains how to get rid of them.

Security and privacy roundup for January 2016

Your devices are talking about you

You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things‘ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.

Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.

A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off, as the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, and fewer than half the vulnerabilities as OS X.

Serious vulnerabilities were discovered in OpenSSH (a very commonly-used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.

Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.

Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.

The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.

It’s official: your smart TV can become infected with malware.

Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password (more).

The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.

There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.

Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.

More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.

LG fixed a critical security hole affecting as many as ten million of its mobile devices.

December security and privacy roundup

Security and privacy stories making the rounds in December…

Aethra modem botnet

In February I wrote about hack attempts on several of my WordPress sites. Most of those attacks originated in Italy, from Aethra modems provided by Italian service provider Albacom. At the time, I tried to contact Albacom and its new owner, BT Italy, with no success. Apparently I wasn’t the only person who noticed. The people who make Wordfence, an extremely useful security plugin for WordPress, recently reported on the efforts of a Voidsec security researcher to track down and report the problem.

Nemesis malware worse than ever

A particularly nasty piece of malware called Nemesis now has the ability to insert part of itself in the boot process of a PC, making it even more difficult to detect and remove. Luckily for regular folks, Nemesis mostly seems to be targeting financial institutions. On second thought, there’s nothing lucky about that.

Linux computers increasingly targeted – and vulnerable

It’s becoming clear that Linux computers can be just as vulnerable as computers running Windows: a single, unpatched application vulnerability can be all that’s required for attackers to gain complete control. Hacking groups are acting quickly when new vulnerabilities are revealed, and have been adding exposed Linux servers to their botnets at an alarming rate.

Mysterious attack on root DNS servers

In early December, most of the Internet’s core name servers were briefly flooded with requests from all over the net; the requests were all related to two specific (and undisclosed) domain names. It’s still not clear who perpetrated the attack, and no real damage was done, since the servers involved absorbed the traffic relatively easily.

Help for securing routers

The US-CERT security organization posted a useful guide for securing home routers. The guide necessarily gets into technical details, but anyone who is interested in keeping their home network secure – and has access to their router’s configuration – should give it a look.

Oracle spanked by the US FTC for its deceptive practices

Oracle has done a terrible job of informing Java users of the dangers of leaving old versions of Java installed. Worse, Java installation software is traditionally not very good at detecting and removing older Java installs. The FTC finally noticed, calling Oracle’s practices a “deceptive act or process” in violation of the Federal Trade Commission Act. In response, Oracle has posted a Java uninstall tool on its web site. To be fair, the newer Java runtime installers now also look for older versions and offer to uninstall them, so they are making progress.

A rational response to claims that encryption is somehow bad

You’ve no doubt noticed elected officials in various countries claiming that smartphone encryption is making police work more difficult. They often use the catchphrase ‘going dark’ and invoke ‘terrorism’ to scare people into believing their BS. There’s a post over on Techdirt that exposes the lunacy of these ‘going dark’ claims.

Panopticlick – is your browser keeping your activity private?

The Electronic Freedom Foundation (EFF) created a web-based tool that analyzes your web browser and lets you know how well it protects you against online tracking technologies. It’s a handy way to make sure that the browser you’re using is keeping your activity as private as you think it is. Keep in mind that a lot of web sites (including this one) use tracking technologies for legitimate reasons, such as counting the number of visits. To learn more, check out this helpful post over on the PixelPrivacy site that explains browser fingerprinting.

Security practices of some service providers still terrible

Brian Krebs recently reported that his PayPal account was hacked. During his subsequent investigation, he discovered that PayPal handed his credentials to someone impersonating him on the phone. PayPal’s responses to Krebs’ criticisms don’t exactly inspire confidence. Krebs says “the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”

Security and privacy roundup for November 2015

PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.

A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?

Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.

The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.

With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.

A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.

Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.

Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.

Security certificates generated using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.

A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.

An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.

Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).

On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.

The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.

Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.

The Readers Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.