Category Archives: Privacy

Windows 10 miscellany

Ed Bott noticed that the latest release of Windows 10 (1511) was mysteriously removed from availability via the Media Creation Tool. The new version can still be obtained through Windows Update. Microsoft’s explanation isn’t very helpful, and it’s rather annoying to system builders who missed the brief window during which release 1511 was available via MCT. Update #1: Ars Technica reports on the situation, noting that there are reports of serious problems with release 1511 when installed via the MCT. Update #2: Ars Technica confirms that upgrading via MCT was causing privacy settings to be reset to defaults. The problem has been fixed, and build 1511 is once again available via MCT.

Meanwhile, Microsoft apparently updated its privacy policy in response to concerns about information gathered and transmitted by Windows 10. Changes to the policy make it clear that Microsoft will only provide law enforcement access to your data on their servers, not data stored locally on your computer. Encryption keys are backed up to Microsoft servers, but Microsoft will not use them to decrypt disks or files on your computer. The collection of telemetry data cannot be disabled, but it can be limited so that only very basic data is collected, and none of it personal.

And finally, Microsoft has relented somewhat on its Windows 10 activation policy, allowing for legitimate installs using old, unused activation keys from Windows 7 or 8.

Latest Ouch! newsletters from SANS

It’s been a while since I posted a link to the SANS Ouch! Security Awareness (“Securing The Human”) Newsletter. It’s a monthly PDF publication that’s aimed at ordinary users, and each issue covers a topic that is – or should be – of interest to everyone.

The most recent issues are Two Step Verification, Password Managers, and Shopping Online Securely. Note: these are all PDF documents.

Note: because they are written for ordinary users, more knowledgeable users may not learn anything new from Ouch! newsletters. Still, they’re worth reading and passing on to anyone who may benefit.

Windows 10 privacy concerns are legitimate

Microsoft Corporate Vice President Joe Belfiore has finally admitted what we’ve known all along: Windows 10 talks to Microsoft servers even if you’ve disabled every available privacy-related setting.

Of course, Belfiore says that this is nothing to worry about, since it’s being done to make Windows 10 work better for everyone. He’s probably not lying about Microsoft’s intentions, but all the same, I don’t want my O/S to do this kind of thing. And I don’t care if blocking this unwanted communication makes Microsoft’s work more difficult.

Unless Microsoft relents and provides a method for disabling all of this anti-privacy communication, your choices are: a) give up and stop worrying about it; b) avoid Windows 10 completely; or c) use one of the available third-party methods, such as Spybot Anti-Beacon, to block all of this ‘phone home’ behaviour.

Normally, I’d go for option C. But I’m running Windows 10 as part of the Insider Preview program, and blocking all communication to Microsoft would almost certainly result in my being kicked from the program. So it’s option A for me.

Firefox 42 improves private browsing, fixes numerous bugs

Mozilla seems determined to keep us guessing with new versions of Firefox. New versions that are not assigned a major new version number (e.g. 41, 42) are not announced in any way. When a new version is (apparently arbitrarily) assigned a major new version number, Mozilla publishes a post on the Mozilla blog. This post never includes any mention of the new version identifier, and typically doesn’t even say that there’s a new version.

For example, the post associated with Firefox 42 says this: “We’re releasing a powerful new feature in Firefox Private Browsing called Tracking Protection” and “We hope you enjoy the new Firefox!” What new version? When will it be released? We’re left guessing the answers to these rather obvious questions.

According to the release notes for Firefox 42, it was released on November 3. The Mozilla blog post describes changes to Firefox’s Private Browsing mode, including the new Tracking Protection, which “actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites.”

Firefox 42 adds a small speaker icon that appears next to the caption for any tab that’s currently playing audio. You can mute a tab’s audio by clicking the speaker icon. The Login Manager has been improved in several ways. Performance has also been beefed up for sites that perform a lot of restyling. HTML5 support was improved.

Firefox 42 includes fixes for at least eighteen security bugs, according to the Security Advisories page. Recommendation: update Firefox to version 42 as soon as possible.

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.

Microsoft responds to Windows 10 privacy concerns

Microsoft has finally broken the silence, responding to Windows 10 privacy concerns in a post on the Windows Experience blog.

Unfortunately, the post does little to address actual concerns, instead making a lot of vague promises about not using your data to target ads “Unlike some other platforms” (a clear reference to Google reading your GMail communication to target ads).

For example, there’s nothing about Windows 10’s persistent and frequent communication with Microsoft servers, even when privacy-compromising settings are disabled.

Techdirt, Ars Technica and The Verge have additional analysis.

Security roundup for August 2015

Last month in security and privacy news…

A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.

Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.

It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.

Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?

Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.

Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.

In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.

And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.

Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.

Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.

And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.

Is Chrome spying on you? Nope.

This past week there was a lot of noise on the web about Google sneakily installing an extension into Chrome that spies on you via your computer’s microphone.

There are several aspects to this story. First, Google did indeed automatically update installs of both Chrome (its closed-source web browser) and its open-source cousin Chromium, with an extension called Hotword. Note that both browsers are designed to update themselves automatically, so this isn’t anything new. But it seemed a bit sneaky in that Hotword is an extension, and as such, a) should probably only be installed after getting confirmation from the user; and b) should show up in the browser’s list of installed extensions.

Google explained this by pointing out that some Chrome/Chromium extensions are ‘component’ extensions, and these are handled more as core components of the browser than as extra add-ons. And Hotword was designated as a ‘component’ extension.

Second, people using the open source Chromium were particularly dismayed that the browser was updating itself with code that was itself not available for review (i.e. not open source). This concern was understandable, and Google’s response was to stop installing Hotword automatically on Chromium.

Third, there was some evidence of a bug in Hotword that could allow third parties (i.e. not the user, and not Google) to use Hotword to listen to users. A demonstration of this seems to bear out this claim, but at this point it’s not clear whether there is any basis for a serious privacy concern. I’ll post more about this as things progress.

It’s important to note that the Hotword extension is not enabled by default. Even if you’re using Chrome, and Hotword is installed automatically, it won’t do anything until it’s enabled. More about that below.

Background

As you may be aware, there’s a big push on to get voice control into the mainstream. For years, we’ve seen people in SF movies talking to their computers and thought it was pretty neat. The technology for actually doing this is finally here, and it’s being added to everything, starting with our mobile devices: iPhones have Siri, Windows phones have Cortana, and so on. Microsoft is pushing Cortana into Windows on PCs now as well, in Windows 10.

Google has been experimenting with voice recognition for its search site and in Chrome for some time now. The Hotword extension is just Google’s latest improvement. Once installed in Chrome/Chromium, the browser provides various indications about its status. Visiting the main Google search page, or just opening a new tab (which shows the Google search interface by default) will now show ‘Say “Ok Google”‘ at the far right of the search prompt. There’s also a microphone icon, which has actually been there for a while.

As long as Hotword is disabled, saying ‘Ok Google’ displays a dialog that says ‘Voice search has been turned off’. You’ll also notice a camera icon – with a red line through it – in the address bar. To enable Hotword, click the camera icon and select ‘Always allow google.* to access your microphone’. Now, when you’re on the Google search page and say ‘Ok Google’, the browser will start listening for your commands. If you don’t want to enable Hotword, but want to use voice commands, just click the microphone icon.

Note: if you switch away from the Google search tab, Hotword stops listening.

Legitimate concerns?

Here’s where some of the privacy concerns may perhaps be legitimate. Even if Hotword is disabled, Chrome is clearly still listening to you, even if it: a) ignores everything you say except ‘Ok Google’, and b) will only tell you that voice activation is disabled when you say ‘Ok Google’. It’s extremely unlikely that Google has any malicious intent here. They are simply trying to make voice control seamless.

For example, I have Cortana on my Windows phone (please keep your snickering to a minimum) and although I don’t use it much, it’s particularly handy for choosing music to play. I love being able to ask Cortana to play a particular song or artist when I’m in the car. There’s just one problem: to get Cortana to listen, I have to press a button on the phone. Microsoft is working on a ‘Hello Cortana’ feature that will allow users to get Cortana’s attention without needing to pick up the phone. Certainly this feature isn’t for people who worry about their privacy, but for the rest of us, it’s just going to be very handy.

General paranoia about Google

There’s a general feeling of distrust towards Google, and it seems to be growing. Google’s spectacular success, and their financial power, make it easy to think of them as just another huge corporation trying to run our lives. Google has certainly made their share of mistakes, and some of that distrust is perhaps warranted. But I think people get carried away with this. Sure, Google wants to make money from us, mostly in the form of advertising. But aside from that, I truly believe that they are just trying to provide excellent products and services. And I think they’re doing a remarkable job.

Security roundup – May 2015

Recent security breaches at mSpy and AdultFriendFinder are a gift for Internet extortionists. mSpy hasn’t helped matters by first denying the problem, and then trying to downplay its impact.

A serious vulnerability called Logjam has been discovered in the Diffie-Hellman Key Exchange software, which is used to secure communications on many web and email servers. Meanwhile, despite its many flaws, it’s still a good thing that the web is moving towards HTTPS encryption everywhere.

In the world of network-attached hardware, malware called Linux/Moose is exploiting vulnerabilities in routers and spreading across the Internet. A security flaw in NetUSB is making many consumer routers vulnerable.

A serious vulnerability in many virtual hardware platforms, including Oracle’s popular VirtualBox, is making life difficult for many service providers.

Those of you who monitor traffic arriving at your home or work network are no doubt aware that your network is being constantly scanned for vulnerabilities. Brian Krebs rightly points out that much of this scanning activity is not malicious.

And finally, before you exchange that Android device, you should know that even if you’ve performed a full reset, your personal data is not being completely erased.

The hidden Tracking Protection feature in Firefox

A hidden feature in recent versions of Firefox blocks technologies – including cookies – that would otherwise be used to track your activities on the web.

Currently, the Tracking Protection feature can only be enabled via Firefox’s hidden about:config interface. To access this interface, enter about:config in the address bar. You’ll see a large warning message. Click the I’ll be careful button to proceed. In the search box, enter privacy.trackingprotection.enabled. The setting should be listed below, along with its current value. Double-click the line of text to toggle it from false to true.

Tracking Protection doesn’t appear to block ALL cookies, just those that are associated with activity tracking. According to Mozilla’s description of the feature, the default list of blocked resources is based on information from the security provider Disconnect.

Unfortunately, there’s not much available to the user for managing the feature. There’s no easy way to list or modify the resources that will be blocked. All the user sees is a new shield icon at the extreme left end of the address bar, which you can click to see a small dialog:

Firefox Tracking Protection
Firefox Tracking Protection

There’s not much information on the dialog, and the only options available are to close the dialog or Disable protection for this site.

There is a way you can see exactly what resources are being blocked: click the Firefox menu button (the ‘hamburger’ at the right end of the toolbar), then click Developer, then Web Console. As you encounter blocked resources, they will appear in the list at the bottom of the screen. For example: “The resource at “http://www.google-analytics.com/analytics.js” was blocked because tracking protection is enabled.” Unfortunately, there’s usually lots of other information in that list as well.

By default, Tracking Protection blocks useful technologies, including at least two used on this site: Google Analytics and Feedjit. Google Analytics provides invaluable information to site managers, including how many people visit the site, when they visit, how long they stay, and so on. Feedjit is the technology powering the Live Traffic Feed in the sidebar; I’m only using it as an interesting experiment, so it’s not a big deal if it misses some users, but it’s not in any way harmful.

In the final analysis, Tracking Protection is really only useful for the truly paranoid. But if you hate the idea of anyone knowing what you’re doing on the web, you should probably be using Firefox’s Private Browsing mode.

Tracking Protection was apparently added by Mozilla in response to the fact that the Do Not Track feature is not being honoured by all trackers. A post over on VentureBeat provides additional perspective.

Hat tip to reader tap tap!