Securing your information, especially electronically on a computer, is now the most important issue in IT today. Even President Bill Clinton conceded on 22 May 1998 the importance of computer-related security in the Presidential Decision Directive 63 which stated:
"[The President] ordered the strengthening of the nation's defenses against emerging unconventional threats to the United States terrorist acts, use of weapons of mass destruction, assaults on our critical infrastructures and cyber-attacks." (1)
In fact, it may well be true that the entire future of the computer and Internet industry may hinge on the quality of its security to protect the privacy of the people who use the technology (e.g. keeping credit card numbers private) and everything that they create and sell of value to society.
Is security really that important?
Well, let us put it this way. If for any reason the security of IT products cannot be guaranteed when it comes to protecting the sensitive electronic financial transactions and intellectual property of the people who use the technology as well as those holding your personal information, there is a good chance that the multi-billion dollar world of e-commerce could come crashing down around all the Dot.com and general IT businesses (and people will lose trust in internet companies very quickly with major consequences for those companies on the stock exchange). Security should be the number one concern for all internet companies where sensitive information is kept and can be accessed online in any way.
In the meantime, the need for greater security is now fast becoming a huge industry in its own right (Why? Is this because the IT products are so poorly programmed and designed?). Already thousands of people throughout the world are participating in hacking classes costing between A$3000 and A$10,000 just to learn how hackers actually do it. And when they've finished, many of these security-trained experts will get paid a lot of money just to find security flaws in the software and hardware used by companies.
Some people will even become well-trained private investigators and "stingers" whose sole aim is to track down and secretly watch people to see whether they are doing the right thing or not. (2)
Alternatively, software manufacturers such as Apple, Inc. are prepared to set up free or low-cost conferences for worldwide hackers to convene so they can learn the latest secrets from the hackers and then later try to make the manufacturer's software more secure.
Why are there so many security problems in our technology?
The best way to answer this is with a quote. Commenting on whether new security technologies today would mean the hackers days are numbered, NSW police force member and now IT security expert for PricewaterhouseCoopers John Hunter laughs at the suggestion saying:
"Technology is driven by people that don't think about security. Their priority is to get out some whiz-bang widget as soon as possible. It's a battle. Some vulnerability comes out, then they patch it. It's like a road with potholes. It rains, then you fill them in. Then it rains and there's another one." (3)
There is also another reason why technology will contain security flaws: it would allow marketers, law enforcement agencies and other people to learn more about the people who use the technology.
Why do we need security?
The purpose of security on a personal level is about protecting your individuality, your ideas, and the means by which you are able to survive in modern society (i.e. with the help of money in the present Westernised system of government and economics). It is not necessarily about hiding something naughty or illegal from other people. It is more about protecting (i) who you are in this moment in time by revealing only what is relevant for other people to know when achieving certain goal(s); and (ii) what you want to become or sell to the community without fear of someone else taking away your idea(s) without your consent.
On an organisational level, security is mainly about protecting the intellectual property or proprietary ideas generated by its people without having someone else outside the organisation take commercial advantage of what is being developed before those people have a chance to benefit from the work. As the Federal Bureau of Investigations (FBI) and Computer Security Institute (CSI) has discovered in a survey of US companies, theft of proprietary information is the biggest cause for financial loss to the private sector. (4)
Good security equates to saying that you are entitled to be the unique person you want to be or to develop into and to create and sell the ideas you want to contribute to society without fear of external third-party influence. We our social beings, but we all want to be individuals with something unique and important to contribute. That is why we all need some privacy and, if necessary, to have the security to maintain that privacy.
What are the fundamental principles to maximising computer security in an organisation?
If, as an organisation, you want to protect your information in electronic form and you must have all your computers containing that information kept in a building (sometimes unattended (5)) and/or constantly connected to a network (e.g. an intranet or Internet), your best form of security is to develop an effective technology-based multi-level and adaptable authentication system with high levels of encryption.
Apparently the better forms of authentication system are those that combine a good password with some kind of biometrics (i.e. fingerprint, eye retina tests, DNA analysis etc). When implementing a password system, it should contain a delay function of around 1 second during the authentication process to prevent hackers working it out using the brute-force method (i.e. with the help of an electronic dictionary or going through a combination of letters and numbers using high speed computing power).
Good quality encryption is the start of a respectable defence. In fact, good encryption is so powerful that the US government classified encryption software as a weapon, and therefore illegal software to export. Well, at least not until they have developed the latest secret software tools in their own arsenal to help decipher the latest encrypted messages! But if you can find quality international encryption software not controlled by the US government, then you may have a near impenetrable "weapons grade" security system. You should now be looking for 448-bit or more encryption software (not the standard 128-bit encryption software) such as CyberFusion from the US company Proginet.
To emphasise the power of good encryption, The Regulation of Investigatory Powers (RIP) in the UK now has the legislation to obligate Information Service Providers (ISPs) to allow any electronic message (email or whatever) to be intercepted. If the message is encrypted, the sender - it doesn't matter if he/she is an individual or business - will be required by law to provide their private key to decrypt it. Failure to do so could result in a two-year prison sentence.
The reason for this is presumably to help police and other law enforcement agencies to combat criminal activity (if they can find evidence that you are involved in criminal activity).
Will a good security system stop all secrets from coming out for all eternity?
Remember, there is no such thing as a perfect security system (not even with biometrics added to the system since people could still chop off your finger or create a plaster cast of your fingerprint or produce a virtually perfect copy of your eye retina or iris etc or even the latest quantum communication security system (6)). You will not find a tool that will secure all your information perfectly forever. The sophisticated and complex nature of a number of security systems and choice of programming techniques used by the security system's manufacturers will always contain certain flaws for people to exploit, or people may simply use their brain and enough time to work out independently all the secrets you wish to hide. Everything that is to be known will be known with time.That's the way it works.
However, for the short period of time you need something to remain secret, this may be sufficient security. So then the only remaining vulnerability are the people themselves. Because even the most trusted people can make honest mistakes, or they can choose to set up conditions accidentally or deliberately with the security system, to allow others to quietly create major security breaches that the authorities may never know about until the people in question decide to confess or it becomes too late for the authorities to do anything about it.
Or people can independently recreate the secrets given enough time because of our inherent skills in creativity as well as access to the massive amount of information from other people and in nature all around us to formulate and test all the possibilities until the secrets are fully revealed. Hence you can have the perfect security system where nobody can ever eavesdrop on what you are doing and you are a perfect robot that doesn't speak the secrets to anyone. But, eventually, all it takes is one creative and highly rational individual or group in another part of the world to come along and deduce virtually all the same secrets you have and then the security system is effectively useless.
Security systems are only good for maintaining secrets for a finite period of time until you have reached the point of sharing the secrets with others in return for gaining something (e.g. to make a profit for the commercial work you have done).
How do I develop a good security system for my digital work?
If you are still interested in creating a respectable security system and want to maximise the protection of your information, you have got to do things such as looking after the people around you and treating them well (7) when given the responsibility of accessing sensitive information, and to use several levels of security (i.e. a good password and biometric security feature with strong encryption capabilities for your hard disk, another for some of your most sensitive files, another for your email account etc), with each security level constantly changing and adapting to the latest security features and knowledge as well as making it difficult for unwanted people from working out the password or similar access key.
As Peter Hind, manager of the IT Experience Program at IDC Australia, said:
"Technology has a role in ensuring security. Organisations concerned with security can put in firewalls and encryption technology. They can also put in auditing practices as a way of verifying transactions." (8)
The essential steps to greater security for an organisation involves:
- Identifying the data or information that needs security (9).
- Looking for vulnerabilities in your assets (including people). Look at things like how the system is connected to networks, who will use the system and how will they use it, and whether the people using the system are being treated well.
- Identifying potential systems in the marketplace which could protect your assets.
- Starting with the small (e.g. password-protect your important files) and work to the large (e.g. developing an Internet firewall, adding biometric authentication systems etc).
- Getting authentication from people who will use the sensitive information (via a password and biometric authentication system).
- Estimating the cost of the security features you will need and implementing those features as soon as you purchase them.
- Setting guidelines (i.e. policies) on how the sensitive information is to be handled and processed (e.g. type of personnel and software tools to be used etc).
- Repeating the above steps over time to ensure the security is updated and refined in a process known as auditing/monitoring.
There is also a lot of work being done in getting security software tools to recognise people's faces, voices, fingerprints and now eye retina patterns at the computer terminal (or recorded on identification cards via a chip) instead of the traditional password system. These are known as biometric authentication systems.
For more information, read this PDF.
In the wake of the 11 September terrorist attacks in New York, companies, governments, military and privately-run educational institutions such as universities are now looking to record biometric data (such as the unique patterns recorded in the retina of each person's eyes) onto state-of-the-art identification cards as a new security measure in the Western world.
In the end, every organisation will have to carefully decide on the type and number of levels of security considered reasonable for the nature of the information being processed and managed. As John LaVacca, head of the Australasian Supply-Chain Management Group and PricewaterhouseCoopers partner, said:
"Enterprises need to decide on the levels of security most suitable for them. They would need to also give a lot of thought into what information to put outside a firewall on their Web site." (10)
Can I just use a standard password authentication system for what I have to do?
It will depend on the importance and sensitivity of the information you are working on.
For instance, if you happen to have worked for the US Department of Defence dealing with say a crashed UFO and alien bodies from the late 1940s and you knew the political, social and economic implications of this discovery, then any information you can gather from the study of the UFO and perhaps why the aliens have arrived will not only have to be protected, but also the standard password authentication system will not be sufficient to do the job of securing information from the outside world. A far more secure system is necessary (even to the point of having the system housed underground to prevent electromagnetic leaks from the system from being picked up on the surface).
In this situation where fear and paranoia (and later the feeling of having power to make money from selling some aspects of the technology in subtle ways) sets in among certain people in the US Department of Defence, it is imperative for you to use the most sophisticated and latest 'multi-level' biometric authentication systems available combined with good password authentication systems as well as securing the entire complex in a kind of underground 'electromagnetically sealed from the outside world' prison with security guards at virtually every exit and cameras in every room for this level of sensitivity in the information to be protected (and even then, no system is perfect).
However, for normal people on the street wanting to protect basic things like your credit card number in an electronic file on your computer (is this a good idea?), you may only need to choose a good 'multi-level' password security system and that's it! When choosing a password system, make sure the encryption level is at least 128-bits (ir should now reach 1,024-bits for anyone serious about security) and there is a built-in delay function during the process of authenticating the passwords as nearly all consumer IT products and the less-known password hacking tools from the general public manufactured to 2003 are not likely to have the speed and capabilities of breaking into your password through the brute force method.
Or potentially it may be possible for really normal people to never have to worry about encryption and any kind of authentication system if everyone in the world had everything they needed including a roof over their heads, food on the table, a job they enjoy working in, and be able to contribute their own unique solutions and be supported for it. No matter how dangerous or powerful the ideas or technology from people might be. everyone will have the knowledge of knowing that they and their family will be secure and safe in the future. People, when given the opportunity, will only seek to do good for society when they are treated well and given everything they need to survive and be happy.
Until that utopian society comes when the people can get their priorities right with regards to protecting the environment and looking after all living things in an appropriate way, and share all secrets and resources, we are unfortunately faced with a situation where the rich want to get richer and the information they create to help them get richer needs to be protected from those who are less fortunate or simply to give an unfair advantage and hence deprive others of an income.
So while there are people around you wanting to get rich, famous or maintain the 'status quo" (in the case of hiding certain secrets while avoiding rocking the boat so to speak), even to the point of not respecting your privacy should other people find your personal details and your work to be a kind of financial advantage to them, you are wise to find some kind of a good security system of a level which is considered appropriate for the kind of information you are working with and to prevent most people taking advantage of you and your hard work.
In the end, you must decide what you think is a suitable security system for your particular circumstances.
I have too many passwords to remember!
Yes, this can be a common problem when implementing a multi-level authentication (password) system. Such a system can mean people will have to remember quite a few different passwords for accessing the sensitive or important information on numerous computer systems.
Except when human are involved, there is a tendency to simplify the authentication system by choosing passwords that are too similar (or use the same password). Then it can defeat the purpose of a multi-level authentication system.
People want to simplify the situation by developing a unified security system requiring only one main password to open up and access information on a variety of other systems having their own specific and different and hopefully very complicated password requirements. For example, the Canberra-based Protocom Development Systems Pty Ltd have developed a "single-sign-on" technology to save time in accessing all your password-protected systems such as the mainframe, an encrypted file, a PC on the network and so on.
Apple, Inc. has caught on to the same idea by establishing the keychain system into OSX to do exactly this very purpose.
Of course, you will still need to be careful with this kind of technology. Remembering a single password may be a great time saver. But it can also increase the risk of someone else able to access everything. Unless the password is very good and is changing over time, or in itself can be encrypted securely, "single-sign-on" technology could be seen as just another piece of technology to add to the already overburdened technology base and create more problems than it solves.
Whatever password authentication system you employ, make sure you use at least one very good password. And if people are likely to use the same computer as you do to access information, you should change the password regularly over time to make it more difficult.
Don't leave your computers lying around unattended!
Naturally, common sense would have told us this already, but it is now official. Leaving behind computers and computer-related equipment, even if it means a simple and trivial matter of going to the toilet and back again, dramatically increases the chance of having them stolen or lost. An unfortunate fact of life these days. And if by losing a computer, important information is also lost as well, it could cost a whole lot more than just losing a computer! Unless information is properly secured and there is a solid back-up of the information on a separate disk, the cost to government departments and other organisations could be enormous.
According to the Federal Opposition's (Labor) spokesman Senator John Faulkner who had been compiling answers to a survey he put to all government ministers over a three-month period between July and September 2000, it was estimated that around $A4 million worth of laptops and other computer-related equipment were either lost or stolen in Commonwealth departments within Australia in the 18 months from April 1999 to September 2000 due to the fact that they were left unattended, whether because nature was calling or there was a brief period of forgetfulness.
Of the top three departments that showed the greatest lapses in security, they were, in order of worse to better (11):
- Department of Defence
73 laptops stolen, 54 lost
Estimated value: $291,053 (not including $169,000 of other computer-related equipment that were lost or stolen);
- Department of Industry, Science and Resources
51 laptops stolen, 12 lost
Estimated value: $198,175; and
- Airservices Australia
27 laptops stolen, 2 lost
Estimated value: $128,194.
Percentage of computer equipment that were lost or stolen in Commonwealth departments within Australia in the 18 months up to June 2000. Source: Burgess 2000, p.5.
And what about the loss in sensitive government information? Shadow Minister for IT, Senator Kate Lundy, had this to say about the matter:
"In 1999-2005, Defence admitted to 54 lost and 73 stolen, several of which had classified documents." (12)
As Senator Faulkner puts it:
"It is clear that many departments and agencies need to review their security arrangements." (13)
Has there been a recent drop in the number of stolen or lost computers in Australian Government departments because of new security measures?
According to the March 2002 edition of Australian PC World, the number of stolen or lost Commonwealth-owned or leased notebook computers from Government departments seemed to have dropped from 1035 in 1999-2005 to 541 in 2000-2001. However, the failure of the Department of Defence, the Attorney-General, Health and the Tax Office to report back to the 2001 Senate estimates on IT equipment may show the real figure in stolen or lost computers to be not much different from the previous year (or perhaps even worse!). Who knows? Perhaps the Department of Defence and other departments had an absolute shocker for the number of lost and stolen computers for 2000-2001 and would prefer not to mention this to the public.
Whatever the truth, given the fact that the Department of Defence had already successfully topped the list in 1999-2000 for the most number of computers reported stolen or lost in the previous parliamentary enquiry by Senator Faulkner, it would certainly be further embarrassment for them to top the list again for 2000-2001 if they did mention the latest situation on their IT equipment.
Has there been a recent increase in the number of stolen or lost computers in Australian Government departments?
Nearing the anniversary of the terrorist bombing of the World Trade Centre in New York in September 2001, some Australian Government departments notably Customs and the Department of Transport have suddenly experienced a spate of laptop thefts and various security breaches from brazen thieves in early September 2003.
Setting a particularly fine example for laptop security and protecting other sensitive information at ADFA and the Department of Defence, Dr Ed Lewis of the ADFA School of Information Technology and Electrical Engineering, was quick to warn the Australian (Howard) Government and the public that this could be the first stage of a much broader attack:
"These things can be the first stage in a broader attack. It is always a possibility.
It's like Tattslotto. You've only got one chance in eight million of winning, but someone wins every week." (14)
Yes, but this assumes the eight million or so people who participate in the lottery game known as Tattslotto are vying for the exact same prize and are coming from outside. Clearly in this security issue not every Australian (or at least the eight million or so people) are going to be going around every week trying to break into every Government department in an attempt to win the chance of stealing equipment and sensitive information!
The probability of this happening by outsiders is still considered very low. And when it happened, one of the offices that was ransacked was apparently in the middle of being refurbished including the installation of more secure doors. Once the refurbishments were complete, however, the security threat would have been dramatically reduced.
Perhaps Dr Lewis should have emphasised the real security threat is the people who could be working in the Departments themselves. Since people are not infallible and definitely not the most perfect security systems in the world, it should be considered a higher probability tfor insiders to be deliberately doing the dirty work or may have accidentally left partially open a secure door for someone unknown to enter and steal equipment and information. Again, it shows just how easy it can be to fool the most powerful security systems in the world simply by the fact that just one insider can forget to close a door properly.
At any rate, some observers looking at these security breaches suspect it is possible for some if not all these recent events to be the work of intelligence and defence workers working on behalf of the Australian Government to test the security of various Government departments. In other words, the security breaches aren't that serious.
These incidents also come roughly a month after the city of Sydney experienced an unexpected partial blackout coinciding with more serious blackouts in London and the eastern continent of the United States.
Should we assume all these incidents are examples of an imminent attack from the terrorists? Or are the Governments testing certain scenarios for possible terrorist actions?
5 April 2004
The Joint Committee of Public Accounts and Audit of the Management and Integrity of Electronic Information in the Commonwealth whose aims were to look at the physical security of IT hardware and electronic data in Commonwealth departments within Australia has tabled a report in Parliament recently. According to the report, the Committee has recommended sweeping changes to the way Commonwealth departments keep inventory records and movement logs of IT hardware (i.e. tighter controls on the issuing, location and use of laptops to public servants) and how they report security breaches (preferably without the media knowing about the breaches before anyone else does). And as concerns of terrorism increases for the Australian (Howard) Government, the Committee also recommended the Defence Signals Directorate (DSD) play an expanded role in securing information held by Commonwealth departments. Another issue raised in the report is the Commonwealth's public key infrastructure security system known as Gatekeeper and the providers of Gatekeeper services. Although Gatekeeper has proved to be invaluable to public servants in securing electronic information, there is a general consensus that the product is too expensive and complex to use compared to more modern commercially available public key infrastructure products in the marketplace. The report recommends that the Department of the Prime Minister and Cabinet look for more cost-effective and simpler alternatives to Gatekeeper. As for companies seekings accreditation to supply Gatekeeper services to the Commonwealth Government, the report recommends the companies are visited and checked by ASIO, the IT systems of the companies are checked by DSD, and staff at the companies are granted with a Highly Protected security clearance by the Australian Security Vetting Service and the Australian Protective Service.
Get insurance cover for your computer-related assets
To minimise the hassles and cost in losing a computer, we recommend that you do three things:
- Use strong password encyption technology for the most sensitive files you don't want others to see;
- Backup all your data and applications onto one or a few reliable storage disk(s) and store the disk(s) in a safe and secure place (the aim is to have a copy of all your work and place it in a different location to where you are likely to use your computer. In that way, there is an extremely low probability of losing everything you've done if information is stored in two different places); and
- Get insurance cover for your computer.
Your home contents insurance should cover your computer for burglary (forcible entry into your home) and theft (stealing without forced entry) in the home. Outside of the home, this will not be enough to give you adequate cover. Look for a specialised notebook or desktop computer policy cover.
Most insurance companies that supply this kind of policy will protect your computer at another property other than your home (you can also use your Business Insurance policy for this one if the computer is used at your primary workplace or office located outside of your home), and in transit between properties, such as the shipment of your computer to or from a repairer.
The policy should also cover muggings where your computer is stolen by assault, intimidation or threat.
Remember, most companies will not insure you for the software installed on your computer (except for the operating system that was already installed on your computer at time of manufacture). The responsibility for looking after software remains with you and you should be keeping the installation software and backup disks at home or some other safe and secure location.
Furthermore, your computer is usually not insured if the item is stolen from an unlocked car, or from a locked car where the computer is in plain view of any stranger to see. If travelling overseas, the computer must be carried as an item of personal cabin luggage for the insurance policy to be effective and valid.
For an example of a good insurance company handling specialised notebook insurance policies, try the Australian company CompNow Insurance Specialists.
Keep the value of your assets you want secure to a minimum and employ a variety of hackers to develop their own best security system
The more security you put on a system, the more likely someone will find a way to beat the system. No security system is perfect, and people will eventually find a way through the security maze.
It is far better to provide cheap or free computer-related assets (as there is little incentive in stealing or damaging these kinds of assets) to the masses with security that basically helps people not to make the accidental mistake of going in the wrong places. And even if hackers are able to get into the wrong places, the assets that are available there should be so inexpensive and readily-available to everyone that it would be pointless to steal or damage the assets.
If you want good security, why not provide a competition for hackers to develop what they consider to be a good security system and how to make the assets look good and easy to use. Pay the hackers for their expertise or give them a top quality computer system of their own, and the hackers will have pride in their work and less likely to hack into their own system or others in the long term.
Sweeping changes to security in the software industry
Now that Microsoft has become aware of the importance of good security in software after the spate of recent viruses, hacker attackers, and generally those people not wanting to buy software that isn't secure, Microsoft has set up the Security Across the Software Development Life Cycle Task Force. But as Microsoft's chief security strategist and co-chairman of the Task Force Mr Scott Charney admitted:
"There is no silver bullet for making software secure." (15)
Consequently a five-part US report published in March and April 2004 by the National Cyber Security Partnership proposes an education campaign in getting software developers and programmers to improve security of their software, easier installation of patches (including the ability to reverse the patches in case of problems), and propose stricter regulation of popular software from software programmers and developers to ensure they are certified to provide secure software (probably at a cost to the programmers and hence force all programmers to sell software at a price which would allow Microsoft and other companies to compete). This certification requirement is being initially tailored towards programmers who work for other companies. But there is nothing to say in the future that all programmers will be required to get certification to do their work or else face legal consequences unless you are living in Russia, Romania or some other part of the world.
Currently there is no legislation in the US being prepared to support the proposals in the report. But talk in the report of a recommendation for US Government to study the effectiveness of getting the government to act on security issues through such options as "liability, and liability relief, regulation and regulatory reform, tax incentives, enhanced prosecution, research and development, education, and other incentives" (16) does strongly suggest an eventual need to legislate in this area.
Proponents of the new proposals could not confirm this aspect of the report. Instead many would prefer to talk in general terms about the aims of the report. Some security experts, however, believe the report may eventually see the entire software industry regulated in the way big software manufacturers want in order to maintain reasonable control of the industry. In the meantime, some experts are also viewing the report as an attempt by commercial software manufacturers to avoid responsibility for fixing up the security problems in their current line of software products as well as to ease consumers concerns in security problems found in these products.
The National Cyber Security Partnership is the result of discussions between industry and government officials to improve cybersecurity.
Always encrypt your Wi-Fi network
Google has highlighted a major security issue for the public in terms of unsecured Wi-Fi networks established in the home.
During a period of 4 years since 2006, Google had not only been taking pictures of streets in different countries as part of a massive information gathering exercise for its Google Maps service, but had also "accidentally" detected and downloaded over 600GB of information from people's unsecure Wi-Fi networks. Well, that's the Google's explanation.
In May 2010, Google decided to release the results of their inadvertent Wi-Fi detection and collection activities to the public.
A CNET user named wolivere wondered about this when he said:
"How do you accidentally collect the data for four years????"
We have to assume Google is being good by telling us how good they are with the release of this information. As another user named ikramerica2008 reasoned:
"This is only a problem if your motto is "Do Evil." Luckily Google, by telling us they are not evil, are by all logic, not evil. I mean, nobody doing evil would ever claim to be doing good, would they?"
Although the real reason could be to do with US law enforcement agencies having trouble tracking down criminals who are piggy-backing on people's free networks to do their dirty work. By closing down the loopholes, it may be easier to track down the criminals while still being able to view the data from a central server (e.g. Google).
Since then, Google has claimed all the data collected has been destroyed.
Where privacy is not breached in the Wi-Fi data collection activities, Google is at least doing the right thing by offering from mid-May 2010 to encrypt all searches people make on the Google web sites to help stop people like the Chinese Government from trying to intercept the searches and determine the location of the users via IP address or other means. However, you need to remember that in order for Google to provide its service, your search information will have to be decrypted at Google's server end. There is absolutely no perfect security solution on the internet while servers intercept the information and provide the service you want. You must either encrypt the data at the highest military grade level and send it directly to the trusted person without any intermediary servers, or not use the internet.
At any rate, the mere awareness of the poor security aspects could be enough to get more people to tighten up their security.
To improve the security of your Wi-Fi network, there has to be an option when creating a Wi-Fi network to enter a password so that everyone else must enter the same password on their computer before gaining access to your Wi-Fi network. When you create a Wi-Fi network, click the "Require Password" option. Next, enter the password (has to be a fixed number of digits and letters, usually 13 in total). There should also be an option to set the security level to highest. Unfortunately the best you will be given is probably around 128-bit. But it should stop 99.99 per cent of average citizens on the street from gaining access to your Wi-Fi network (not those who are in the business of checking on citizens eg. ASIO, CIA etc).
NOTE 1: Free Wi-Fi internet services being offered at McDonalds, public libraries and cafes are not encrypted. Furthermore, if you don't encrypt your data when sending it across these networks, anyone at the server end can sit there and gather the data and later read it.
NOTE 2: The level of encryption available on all consumer Wi-Fi products are not military grade. The encryption is only suitable for public consumption. US law enforcement agencies, the US military, and intelligence organisations can still decrypt the information and read what you have sent. All they need is access to a server.
25 October 2010
Google Australia is currently being investigated for breaches in the privacy legislation by the Australian Federal Police (AFP) after learning about Google's eavesdropping and data collection activities on people's unsecured Wi-Fi networks. As Dan Svantesson of the Australian Privacy Foundation said:
"Google is claiming that they were intending to pick up only certain types of information and, in fact, they picked up more information than they were intending to do." (Today Tonight: Channel 7. 25 October 2010.)
The Australian boss of Google has claimed the company will delete the information it has collected, presumably very soon. Although why it is taking a little longer in Australia (about 5 months) to notice the same news about the activities in the US and needed an investigation by the AFP to entice Google Australia to consider deleting the information collected in this country remains unclear at the present time.
Perhaps a little more data collection from Australian residents was needed by Google in the US for some unspecified activity beyond highlighting insecure Wi-Fi networks?
1 November 2010
Google has been grilled by the Australian Senate Committee on Environment and Communications regarding its eavesdropping activities and methods of gathering information on users when searching online. The overall impression from the responses provided by Google representatives Ishtar Vij, a public policy manager, and Larla Flynn, head of public policy, suggest the online company has enormous power in the information it can receive and so long as there are no breaches to the laws of the country in which Google operates (including privacy laws) and the public are made aware of this situation, there is nothing the company is doing is wrong other than make it clear it will delete the information it has gathered from Wi-Fi networks of people's homes. Although precisely what was collected is not clear, the Google representatives have made it clear they have no plans to re-introduce those Street View cars containing Wi-Fi receiving equipment. Although technically it is not against the law for anyone to be driving a car with a laptop and turn on Wi-Fi to see what is available. So it can happen again. It is just that if there is a next time, Google will probably say nothing.
As for concerns that Google is able to collect information and use it to target users such as during an online search as well as perhaps link this information to Google's own free web-based email service through IP addressing and the personal details users provide to the company, Google re-emphasise how it claims to follow the privacy laws of each country even though it has admitted that it is still developing its own standard practice privacy laws to work across all countries. As Labor's Doug Cameron asked:
"I was a bit perplexed by your response that you're bound by the laws in the country that you operate. People at Nike have been using that for years to exploit workers... it seems to me a standard corporate response why can't Google establish a best-practice approach on this and apply it across all of its operations?" (Stafford, Patrick. Senate slams Google over privacy problems: SmartCompany.com.au. 1 November 2010.)
Flynn responded by saying:
But how hard is it to establish a standard practice privacy law for the company to follow if it is aware of the privacy laws of other countries? And how long does it take to establish one?
At any rate, Google also added that if people aren't happy with the way Google targets users with additional information by way of ads during a search, they can always go elsewhere. Does this mean the Australian Government will have to create their own search engine for Australian and world users to ensure privacy during online searches? But then again, will a R-wing government with access to people's search requests and locations be used for political advantage, defence-related matters, intelligence gathering for secret organisations as well as the usual law enforcement? And therefore how much more different would this be than allowing a company like Google from doing the same thing?
Whatever is really happening at Google, it seems Google is in a certain level of damage control and is trying to convince everyone in the Committee that it won't happen again.
And next time, Google may never say to the public exactly what it is doing. It will be very hard for anyone to know for sure if users are able to conduct private searches online and have the confidence inknowing their own Wi-Fi technology is not being compromised.
If it isn't the radiation coming out of wireless technology, it may end up being the trust in the technology that will dictate the choice and decisions people make in how they intend to achieve something and whether technology will ever be a part of that equation. Maybe people will only trust their electrical whitegoods and anything that tries to connect to a network will be met with suspicion.
And the responsibility for this will rest on businesses selling the technology as well as the governments of any country that chooses to employ the technology for public use.
The only way to get around this is to incorporate world-class encryption technology of military-grade into every network-enabled electronic device and for the search engine itself to be developed independently by a university where the programming can be stored on a ROM chip and run on a server housed inside a secure vault that can only be opened by several known and reputable members of the public (e.g. scientists).
Somehow, in a world where profit is the motivating drive for businesses and governments are concerned about the activities of some of its citizens, it is unlikely this will ever take place.
Perhaps the Committee enquiry was there to make the public feel there are checks-and-balances in the world of technology and that it is okay to continue using it?
Come to think of it, the problem with all network-enabled technology are the people themselves. Technology has to face a kind of paradox where the public must be given the perception that technology is safe to use, but in reality the government has to find a way to be able to see what people are doing with the technology. And if businesses can do the same, great. It just means bigger profits.
People are the problem. Depending on the motivation, people who are in a position to manage the technology at the right place (e.g. at a server somewhere in the world), the temptation is there to snoop around and see what kind of information you are transmitting and sending through a network. If people cannot be at the right place and time and/or don't know precisely what to look for, it becomes imperative to create a copy and store the packets of information for later analysis.
This is how it works.
Take the people managing the networks out of the equation and incorporate independently-produced technology services with miltary-grade encryption into all network-enabled devices and ensure the servers themselves are secure and cannot be accessed by humans, then maybe people can trust their technology. If you don't, people will eventually question the value of such technology in the long term.
Never carry unencrypted sensitive data on a USB stick
Along the same lines must go to those USB sticks which people seem to find indispensable. USB sticks are convenient to carry around and can store a remarkable amount of data. But "small" often means "easy to lose". And once you lose it, it is a haven for would-be thieves, law enforcement agencies, intelligence organisations and the works to gather considerable information about you.
Never carry sensitive data in a USB stick. If you must, always encrypt the sensitive data using the highest level of encryption available to you. For example, consider using the 256-bit encryption method employed by Apple Inc. to create a disk image using Apple's own Disk Utility. Then store the data inside this disk image. So if you should ever lose the USB stick, the only way people can access the data is to know your password. Which means only you should know the password.
On a separate issue, it is remarkable to see how many people think it is okay to store only one copy of their important data on the USB stick thinking it is safe and secure even when using a good password encyption method and looking after the USB stick. Then one day, the USB stick decides to pack it in probably because of stici charge build up or the stick gets physically damaged. Recovery of the files are not considered reliable compared to the magnetic variety of storage disks. Once the flash memory chips collapse, it is virtually useless to do anything with it.
Never store your data on a USB drive that isn't backed up on another secure storage unit. Whether it is a home computer or backup external drive, always keep at least a second copy elsewhere.
Be weary of brand new laptops and desktop computers sold by computer manufacturers
On 30 March 2011, news emerged of a disturbing security issue. Whether or not it is true, it shows the potential in today's IT to breach your privacy if you are not vigilant.
According to the article at the time, an IT consultant based in Toronto named Mohamed Hassan performed a scan for spyware of two brand new Samsung laptops (the first being the Samsung R525, and later the more powerful Samsung R540) in February 2011. During his scan, he detected a keylogger program called "Starlogger" written by de Willebois Consulting. As the makers of Starlogger stated, they claim the program:
"...is completely undetectable and starts up whenever your computer starts up. See everything being typed: emails, messages, documents, web pages, usernames, passwords, and more."
And, more importantly, the consumers where not told about the program at time of purchase. If this is true, this would clearly constitute a breach in the privacy laws by Samsung (or any of its employees) if it is found the program was installed into its new laptops.
Every indications suggest that this was normal practice for Samsung if we can go by Hassan's claims after he spoke about the spyware program to a Samsung representative. According to Hassan's recollection, the representative allegedly said: "...we just put them there to find out how the computer is being used." (McMillan, Robert. "Samsung Investigating Report of Keylogger on Its Laptops": PC World. 31 March 2011.)
Irrespective of whether Samsung or any other company wants to know how the computer is being used for alleged marketing purposes, it is the responsibility of the company to inform the consumers at time of purchase that this is the case and to give advice on how to remove it if consumers choose not to have the Starlogger program.
A real shocker and a true embarrassment for Samsung if it is found to be true.
A Samsung spokesperson has reportedly stated the company will look into the claims after looking a bit perplexed about the situation when asked by PC World. Samsung is claiming no knowledge of the spyware program and have never heard of de Willebois Consulting. As the spokesperson said:
"We have no understanding of a relationship with this company and we have no prior knowledge of this software being on our laptops."
The question remains: was it a rogue employee(s) from a particular location who managed to install the program into the laptops? Or is this now a new secret policy by Samsung to learn more about its customers for marketing purposes?
On 4 April 2011, an independent analysis of Samsung laptops has found no evidence of Starlogger or any other keylogging program installed on the machines. The work was performed by Norwich University Center for Advanced Computing and Digital Forensics. The laptops used in the study R540 were randomly selected and purchased by Samsung from a retail store in New Jersey and flown to the university where the unopened boxes were handed over by Samsung representatives.
Or should the laptops have been obtained by the university directly from a randomly selected store in the UK or Europe?
At any rate, the study found no obvious signs of a keylogger program installed anywhere. Therefore, consumers must assume a rogue employee from Samsung may have done something he should not, or Hassan may have been mistaken and possibly misread the scan for another type of innocent program. Whatever happened, today it is seen as an isolated incident and assumed to be a mistake on the part of Hassan and is not expected to be a standard policy of Samsung to install such programs without the awareness of the consumers.
Nevertheless, if this is going to be the norm for other computer and software manufacturers in the future (it certainly has happened in the part with Sony BMG being caught out on the same spyware issue through their own laptops), users intending to purchase a brand new computer should ensure they wipe the hard drive completely on receiving the machine and install a clean copy of the OS. Then install a spyware detection software to ensure no further spyware programs can be installed on your computer.
More details of the original interview with Hassan by Network World and subsequent investigations and study can be found at the following pages:
M. E. Kabay and Mohamed Hassan. Samsung installs keylogger on its laptop computers: Network World. 30 March 2011.
M. E. Kabay and Mohamed Hassan. "Samsung responds to installation of keylogger on its laptop computers": Network World. 30 March 2011.
Robert McMilian. "Samsung Investigating Report of Keylogger on Its Laptops": Network World. 30 March 2011.PDF
Peter R. Stephenson. "Samsung laptops clean: No keylogger or spyware of any kind found": Network World. 4 April 2011. PDF
Be weary of commercial software applications asking you to activate while you are online
Another method of grabbing personal information is through the personal details you enter during software registration and in your Apple Address Book or Microsoft Outlook package. Rarely do commercial software manufacturers go to the trouble of asking you to activate their software to prove you own a legitimate copy if they can't identify the person/organisation who is running the software and where. Software manufacturers need to gather this information from some location on your computer. So naturally the best places are in the software itself where you enter your personal details to register, in the OS when you first use your computer, and at the moment you need to activate the software. For example, in Microsoft Office 2011, Microsoft Outlook often needs to run quietly and quit (leaving the icon on the Dock when you know you have removed it) in order to provide some kind of identifying personal details in your email account(s).
For Apple Inc., the best place to check is in the Address Book (which is why it is never improved by the company beyond simply storing addresses). The company only needs your name, physical address and IP address in order to track you down.
And if you are moving around a lot just to make it harder for the commercial software manufacturers, it is usually a bonus if they can get you to buy and carry around a smartphone with your personal etails stored on it. Then it is just a simple matter of using certain software by the manufacturer to extract this information when registering your phone and later watch where you go with GPS tracking.
The perfect solution for all marketers, law enforcement officers and anyone interested in seeing what you do.
To make this aspect more secure, always use anonymous personal details to register your OS and software, and activate your software from a free public internet cafe or elsewhere. Use a utility called fseventer 2.7.6 to record the location and name of the file(s) created by the commercial software applications during activation. Keep a copy of these files should you need to re-activate your software. Use alternative email software that doesn't rely on the commercial software manufacturer's own tools. Or use software tools from the more independent software developers such as the owners of SUNRISE Contacts 2011 to send and receive emails.
Do not enable the browser option to automatically run downloaded files
This is a classic security risk you should be aware of. In Apple Safari, the web browser of choice for OSX, it is called "Open 'safe' files after downloading" in the Preferences section. In Microsoft Explorer for PC users, it is called "Allow software to run and install even if the signature is invalid" in the Advanced tab of Internet Options. These are, strangely enough, turned on by default.
For the freeware FireFox, there is no option so by default it should download the files and do nothing else (more sensible than the commercial software manufacturers of Apple and Microsoft).
When you see these options in Preferences or Internet Options, turn them off (by making sure the tick is removed from the check box). In a recent CNET article titled "New MacDefender malware discovered for OS X", a Trojan horse named "MacDefender" can be inadvertently downloaded from malicious web sites and the installer run automatically should the browser be set to open what it thinks is a "safe" file. The reality is, nothing can be further from the truth. Every download of a file you do perform should do nothing more than sit there in the Download folder until you decide whether or not to double-click and install the contents. It is for you to make sure the files you have downloaded are the right ones. If not, or the name of the downloaded file looks remarkably obscure or doesn't look familiar to you, immediately delete them.
As Topher Kessler recommended in the CNET article:
"Be sure to never install software that automatically downloads from the Internet. If you see the installer screen for MacDefender show up, or any other installer window without your prior intent to install the software, be sure to quit the installer. Force-quit it if you have to by pressing Option-Command-Escape to bring up the force-quit window. This will ensure you do not interact with the installer's interface, which in itself may be suspect." (Kessler, Topher. New MacDefender malware discovered for OS X: CNET News. 2 May 2011.)
Also search for "MacDefender" in the names of files on your hard disk and remove the files. And get a malware detection software to test your computer for all known nasties lurking in your system. One such tool worth investing for the reasonable price of US$29.95 is MacScan 3.0. Alternatively, if you are a business user and want to check your own and other people's web sites for potential malware, sign up for the free web site scanning service known as QualysGuard Malware Detection.
And don't take lightly the warning messages you see from Google search engine lists against various web sites if the company suspects malicious software exists. There is usually a good reason for showing this message. The same is true of the warnings you see in FireFox when the software detects similar issues as you visit web sites.
Be weary of software tools and online web sites scanning your hard disk for alleged updates you need
You should also be weary of software updates claiming to give you the benefit of updating your software or check for and fix security breaches while you are online. Some may legitimately obtaining your personal information in an attempt to combat software piracy. But other people can illegitimately steal the information.
It is recommended that you should manually update files by observing the version number of the files you think needs to be updated (or why update them at all?). And if your computer's hardware and software is sufficiently anonymous and doesn't contain your personal information (probably encrypted in a database developed by a trusted third-party software manufacturer not affiliated with any government or major company), the updating could be done with a software tool if you can access anonymously through a free public internet connection (e.g. the public library). But make sure the software tool is something you can trust. If not, don't use it.
How to properly delete all call history in Microsoft Skype 5.x
It's amazing to see how many people claim to know how to delete call and chat history in Microsoft Skype 5.x (the new organisation managing the software as of 2011). Unfortunately everyone mentions the standard approach of going under Skype menu and choosing Preferences, followed by Privacy section to clear chat history, and calls in the Recent subheading. Yet other users make it clear the calls in the History subheading remains and want to know how to clear it. The answer is, "Yes, it can be cleared. But Microsoft will not make it easy to achieve this."
To clear all call and chat history properly, move to the trash the following folders and files:
/Users/[user]/Preferences/Macromedia/Flash Player/#SharedObjects/[the folder containing skype.com]/
Restart the computer and trash the files. That's it. On launching Skype 5.x you will require to enter the username and password and sign in. But when you do, you will find the call history and other history information are properly deleted.
More internet security measures
With so many hidden scripts able to be downloaded through your browser and run on your computer from a web site (and now from software you may download and purchase thinking they are legitimate and providing a secure service), including the malicious ones, you should install browser extensions called ClickToFlash (or FlashBlock for Mozilla Firefox), and also NoScript for Firefox. These controls provide good protection from harmful java-based scripts and the more dubious Flash movies and you can select which web sites you trust to enable these hidden scripts and Flash movies to run in order for you to achieve certain things (e.g. log into your bank account, or watch a genuine video etc).
Take great care in choosing the right software for your computer
Malicious codes may also be embedded in software you purchase, install and run. A classic example is CryptoLocker (or any variants of this type of file encryption tool). The tool may look on the surface as a useful way to encrypt files for better protection and may look innocent, but look out. After a period of time when the software has encrypted everything including whatever is stored on your network drives, the software may rear its ugly head by showing you a message asking that you pay anywhere up to $100 to the software developer in order to provide a new key to unencrypt the files. If you don't within 72 hours of seeing the message (assuming a non-Christmas period when it happens), all files will be deleted automatically. Perhaps a form of top notch security. But not necessarily if you are the one who is the legitimate owner of the files and don't want to lose those files. You already have paid once, there is absolutely no need to pay again in order to reverse the encryption.
This kind of tool can come in handy to people such as the U.S. military as a means of stopping certain individuals and organizations from revealing the biggest secrets so long as these individuals and organizations choose to encrypt all their information. It can also be seen as a godsend to commercial software giants such as Apple, Inc. to instil fear and encourage consumers to purchase software only from safe locations (e.g., the App Store). Or the tool can also be a powerful way for criminals to make easy money by holding you to ransom by paying extra money if you want to reverse the changes made.
If you see this message to pay extra appear on your screen for software you have purchased and installed on your computer, you may have no choice but to pay these people the money (even though the authorities will recommend not to so long as they have the tools to help you unencrypt your files within reasonable time but don't count on it, so try people like Panda software). As soon as you have the files unencrypted, you must immediately uninstall the encryption software application and backup all your unencrypted data. Then you must inform the authorities and people online to avoid the software.
When you pay for any software, it should be once and once only and any changes you make to your own data with the software should be reversible and continue to offer this reversibility for as long as you require the software. This can be with a encryption key that you create and can use all the time, or simply to allow the option to Undo numerous changes under the Edit menu. Only when you save the changed data will it be the time when you can say you are happy with those changes and need not require the Undo command. As for encryption, no software tool should ever hold you ransom to pay extra in order to access your files.
If you see such tools, they are called ransomware. Avoid them like the plague at all costs. It is bad enough for big commercial software giants such as Adobe, Inc. to force consumers to pay extra to upgrade their Adobe software in order to make them work again on the latest operating systems. It we are all serious about helping people to achieve goals for the improvement and advancement of society, whatever you buy must be software that you can use for as long as you require it. And that may be for as long as you are alive. Hence all operating systems must allow for adequate backward compatibility for anything that people wish to run. Consumers should not be forced to purchase the latest software just to make older software (which are probably perfectly fine and still useful to this day) work again.
How to be more secure on your computer
Here are the essential steps to a more secure computing experience:
Create a non-admin account on your computer (not critical, but highly recommended).
For most activities you are likely to perform on your computer, a non-admin account would be sufficient. Set one up and it will greatly limit the damage some people can do to your computer through trojans or even direct access to your computer.
Update your internet browser and email client applications
The latest software will often have improved security patches and solutions to minimise the threat of attack from malware such as viruses and trojans. But beware. The latest internet browsers and email applications from companies such as Apple Inc. are also being designed to invade your privacy and store on the iCloud all your histories and personal details. Look for the genuine independent and trusted third-party internet browsers and email application solutions available on the internet (e.g. FireFox) instead of the commercial variety or those from big companies.
Use an internet browser that contains "sandbox" technology
Google Chrome sports the latest sandbox technology. Combined with a solid track record by Google of updating Chrome regularly and silently with an automatic update mechanism built-in, and it makes the browser more safer than even Apple's Safari (which, although also uses the latest sandboxing technology on OSX "Lion", is slow as buggery to keep up-to-date of the latest security updates. NOTE: Some commentators will suggest getting the latest OSX "Mountain Lion" will be more secure. Obviously it would suit Apple, Microsoft and other companies right down to a tea in order to make more money. Perhaps it wouldn't be surprising if the sudden appearance of these trojans is a way for the companies to entice users to upgrade their OS. Nevertheless, there are simple measures you can do on your existing OS to make it more secure.
Uninstall Flash Player
A common source of headaches for users worried about security attacks are the built-in scripts for running Flash-based movies. These scripts can be designed to exploit weaknesses in the Flash Player and ultimately your computer. Remove Flash Player if you don't need it using the Adobe Uninstall Flash Player tool (for OS X, or PC). For further details, check this Adobe help page. For flash-based movies you like to see, we recommend finding browser add-ons or extensions designed to convert flash movies to HTML5 movies. If, on the other hand, you need Adobe Player, we recommend improving your privacy by setting Flash Player settings correctly, deleting Flash cookies, and setting folder permissions to stop the cookies from being stored again and the Player settings file from being changed without your permission. Open the Flash Player preference pane, set Peer-assisted Networking to "Block all sites from using peer-assisted networking", set Camera and Microphone Settings to "Block all sites from using the camera and microphone", set Local Storage Settings to "Block all sites from storing information on this computer", and click the Delete All button to ensure there is nothing stored on your computer. In the Advanced tab, choose "Never check for updates" unless you have an absolute need to regularly update Flash Player. Please note that each time you update Flash Player, these settings will naturally revert back to the default settings (an Adobe annoyance more than anything). So we will have to set the permissions of the folder containing this setting and the setting file itself to "Read Only" (in other words, to prevent the Flash Player from trying to store unnecessary amounts of information about what you do, where you are located, and who you are). Go to [user]/Library/Preferences/Macromedia/Flash Player/. In this folder you will find #SharedObjects. Delete everything in this folder. Get Info on this folder and set the [User] that is you to "Read only". Do the same by setting "Read Only" to this folder after deleting everything except settings.sol: [User]//Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/. This should stop cookies from appearing in this folder. Also set "Ready Only" to the settings.sol file. This should permanently keep you safe (until the next time you upgrade your OS, or Adobe finds a way to bypass these security measures).
Update to the latest or turn off Java altogether
Similar to Flash movies and the Flash Player needed to run them, Java also relies on a scripting language to run certain Java-based applications and extra features on various web sites. In most cases, Java is not needed and there is no harm in turning it off. Apple understands this and by default the technology is not installed and enabled automatically when installed OS X "Lion". But if you want to check yourself, or feel inclined to turn it off, then open the Java Preferences application in Applications/Utilities and remove the tick in the check box against the name of the Java platform (e.g. Java SE 6) in the General tab.
Update the OS of your computer
While we may not like to use the additional bloated features of the latest OS (especially those capable of compromising our privacy), unfortunately, this is the only way to benefit from the latest security improvements to your OS. Or better still, stick to your current OS and consider installing a utility called Little Snitch. This will monitor every outgoing information passing through any port on your computer from any software that attempts to contact someone you don't know on the internet. In fact, this tool will be particularly useful in protecting your privacy (more so than trojans, viruses and other malware) when working on the latest OSX 10.8 "Mountain Lion".
Use a keychain
Use sophisticated passwords for most things and store the passwords in a "Kaychain". Then remember only one good password to access all services you need. Don't leave this one good password on your computer unless it can be seriously encrypted.
Turn off unnecessary networks
A common way for people to access your computer is through networks you may not realise has been turned on. For example, consider disabling network technologies such as IPv6, AirPort and Bluetooth when they are not needed. Also go into the Network system preference pane and remove the ticks in all the check boxes for services you don't use (ideally there shouldn't be any services turned on here).
Enable automatic disk and/or file encryption
OS X "Lion" version 10.7 and OS X "Mountain Lion" are fully equipped with full disk encryption (now part of FileVault 2). The traditional FileVault 1.0 version would simply encrypt your home folder. FileVault 2.0 will now encrypt the entire disk for you (a far better security measure). This should stop civilian hackers from gaining access to your personal data (but not the experts from the military etc).
Update Adobe Reader and Acrobat to version 10 or higher
Showing once again why Adobe is the slowest software company to update its products, Adobe Reader and Acrobat with their ability to run built-in scripts stored in PDF files are able to exploit certain software weaknesses leading to an attack on your computer. To avoid this, the minimum version should be 10 as the company has made a slight effort towards making this software more secure for users (what pushed them to achieve this remarkable feat?).
Install an anti-virus software tool
Most people seem to swear by Kaspersky Anti-Virus for Mac. Others think Sophos Anti-Virus software is more than powerful enough to do the job and costs nothing for the Home Edition version. While some software companies may request you pay an annual subscription for this level of protection, it may be worth paying the price if you intend to regularly access the internet and read lots of emails from people you don't know. Whatever you do choose, make sure the software is designed well enough to not slow down your computer. Or get a multi-processor (e.g., quad-core) computer to make the checking of new files and applications seem invisible and unobtrusive to you as possible. Also, make sure the tool will have the quickest and the easiest anti-virus definitions update capabilities possible. Or, if you like the idea of an online virus checker that's free and fast, try Bitdefender QuickScan.
Do some research on new software you download and purchase
Don't download any sort of software and run them. Learn more about the software you may wish to purchase, download and run. Ensure there are no negative reviews of the software to suggest something malicious may be present. Furthermore, the software should be able to run for as long as you require. In other words, it should not force you to "pay extra" or "go online to activate constantly from a remote server" the software. Also change the date on your computer to 100 years into the future and make sure the software can still run (i.e., not time-limited) after paying for it. If at any stage you discover the software is cripple-ware or stops working altogether, get a refund and notify everyone of the problem. This is the only way developers will wake up and provide stable, high quality and timeless software to consumers.
And finally be friends to everyone and help everyone out. Usually there is a reason why hackers and others who build these trojans and other sinister malware do this kind of work. Sometimes the effort is to highlight clear security or programming flaws in commercial software and force these big companies to spend more money on improving security. At other times, people do it to gain an advantage over you in order to live a slightly better and more secure life. Well, that's the way we have built our society. Until society is changed for the better and sees all people as equal partners able to contribute in their own unique way to a better world and support them, we must all be prepared to deal with people who are desperate to do things they shouldn't.
No https in the address bar? You are vulnerable to attack by hackers, government spies, and other shady characters.
Web site owners offering services resulting in cookies being created on your computer will need to take heed of expert advice regarding better security for their online users. This comes as news reaches the public of a FireFox add-on called FireSheep. Eric Butler, a freelance web application and software developer and the person who created the add-on, wanted to highlight a security problem for web users, especially when they visit social web sites such as FaceBook.com and a public insecure Wi-Fi hotspot at libraries, airports, cafes etc.
Firstly, for this add-on to work, it needs to access a network. As there are many insecure Wi-Fi hotspots at cafes and libraries and some airports, this makes it easy for hackers to pass the first security gate accessing a network. Even if the network does require a username and password, any hacker who knows the login details to the network can still exploit the next level of vulnerability the web sites.
Of particular concern are those social media sites for allowing people to blog and communicate with friends such as FaceBook. It is here where a lot of your personal information can be revealed to a user running Firesheep.
Aren't web sites secure? Not always.
Security provided by many web sites tend to be restricted to just the login page. So when you see the https in the address bar when logging in, you know you are secure (well, short of ASIO, CIA or other secret agencies checking you out). But after the login process is complete and you are successfully into your account, many web sites switch back to the insecure (ie. http) web addresses for normal activity. This is where Firesheep can take advantage. It can literally observe all your communications going through the insecure Wi-Fi network. So whatever is stored in the cookies will be observed by Firesheep.
Firesheep will displayed a sidebar in the FireFox browser showing a list of insecure account names of other users accessing the insecure web site services through the network. Just choose an account name and watch the communications taking place.
While Wi-Fi networks can be made secure, there are three best solutions to making your online presence more secure. Firstly, set up a VPN. This provides a secure communication tunnel right through the whole communication lines and so make it harder for anyone else to see what you are doing. Secondly, web site owners need to do everything they can to improve security at all stages of a user's experience on a web site. This means encrypting the information that gets stored in the cookies. As Mr Butler said:
"Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win."
And thirdly, if everything else fails, don't communicate on any social media web site. Or else, if you don't see the https in the address bar, don't do anything that might compromise your privacy and personal details.
Already Facebook has announced a roll out of https by default to all users according to this article from PCWorld Australia. Other social media web sites will follow soon
For a fourth solution, trying installing the FireFox add-on called ForceTLS. This will allow your browser to change http to https on sites that you specify in the add-on configuration as requiring a secure connection (and hopefully web sites will accept this encrypted information, which they should if they used any kind of https to encrypt your login details). If you don't like to do any configuring, try HTTPS Everywhere. Produced in collaboration between The Tor Project and the Electronic Frontier Foundation, this add-on should provide the best protection available until all web sites are secure.
NOTE: Using https may slow down your web experience. Hopefully not by much. If you have trouble getting adequate speed, use ForceTLS on only those specific sites you definitely need to have the best security.
I want to learn more!
As the range of clever techniques to gather your personal information and methods to compromise your security takes shape and expands into the future, you can gather some of the latest information in thie field from the following business web site:
To help further improve the security of your Mac running OSX "Snow Leopard" 10.6.x, Apple is offering to Mac Administrators (i.e. you with your administrator password) the Apple FIPS Crytographic Module 1.0 as a separate standalone download file. While the module is already installed as standard for OSX 10.6, you will need to perform an additional step to enable your system to be running in "FIPS Mode" for full compliance with standards used by people working in non-military government and business enterprises (e.g. those in the United States). It is also recommended this module be installed by government contractors.
The module in this installer contains administration tools to enable FIPS. It has received approval by receiving the FIPS 140-2 Level 1 Conformance Validation Certificate #1514. To activate, run the installer, choose the volume to enable FIPS, type your administrator password, let it install the module and restart your Mac. To verify the system is in FIPS mode, execute the following Terminal command:
The result should be:
[FIPSPerformSelfTest][ModeStatus] FIPS Mode Status : ENABLED
FIPS is the acronym for Federal Information Processing Standards and is developed by the United States federal government. And now it is available for anyone in the world to use.
Can we truly trust the locked padlock icon in the web address field?
In April 2014, a Google security researcher and a small team from a Finnish security firm has identified a serious security flaw in the OpenSSL technology used by nearly two-thirds of all web servers on the internet. OpenSSL is a tool for encrypting all the electronic information sent out by your web browser for all the things you need to do safely on the internet using the popular SSL/TTL encryption method. This is particularly useful in the situation where you are presented with a username and password on a web site because you have personal information kept by the web site owners. A classic example would be if you have an email account with Google or Yahoo, or a personal blog account with Facebook. Or what about the information you supply or receive from financial institutions and tax offices? Generally you don't want unauthorised individual gaining access to your online accounts and reading your financial or other personal data or change anything such as your password or see a sudden drop in your bank balance by someone wanting your money.
Well, now it seems security experts have found a way to bypass the encryption and read the data transmitted across the internet using a tool called HeartBleed. It means a variety of online communications and electronic commerce web sites will have been affected by this vulnerability especially where the security of your personal details is meant to be protected by these web site owners. And worse still, the security flaw was not been detected for more than 2 years. That's a very long time in the computer industry. So it is quite possible for someone else to have known about this situation and have quietly been gathering all your passwords and sensitive information. It is only now that a handful of security experts have spoken up about it, and at last the biggest and most popular web sites carrying your sensitive information are scrambling to apply security patches (hopefully by the time you have read this, the security flaw will have been eliminated).
The only question is, has all the security flaws been patched? No one really knows. And it doesn't matter if the data is encrypted (according to this latest bug) because it is apparent that the actual software tools themselves that does the encryption can still leave security holes for others to exploit at some point in time. This is why it is so important for all software manufacturers to spend the extra time and money to make sure their products are truly secure, especially where electronic cash and your personal information is at stake.
Thus when you see the padlock icon in the URL address field of your favourite web browser, beware. This may not necessarily be a sign that you are completely secure. As the people who run the popular web site Tumbir have bluntly said to its users:
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit. This might be a good day to call in sick and take some time to change your passwords everywhere especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
Now that's a really re-assuring statement for its users.
In the meantime, Google says it has implemented the patch so quickly that it is re-assuring its 425 million Gmail, YouTube and other Google account holders that they do not have to change their passwords. On the other hand, other web sites such as Yahoo have taken longer and are recommending everyone should change their passwords as a precautionary measure. But then again, as they say, the horse may have already bolted from the stables at this point and people may already know a lot about you at the present time.
At any rate, computer security experts are still advising people to consider changing their online passwords.
If you want to know whether a web site has fixed the OpenSSL vulnerability, go to https://filippo.io/Heartbleed. Enter the URL and click the Go button. It will tell you how quickly the web site owners have fixed the problem if they are using the OpenSSL technology. For a more comprehensive list of web sites that were affected, check this document.
NOTE: Apple, Inc., claims OS X and iOS are not affected by the HeartBleed bug as they do not use the OpenSSL technology (Apple uses its own proprietary encryption technology in Safari and other Apple applications). But don't assume Apple products are more secure. It just means Apple products have not been affected by this specific bug for now. As for other vulnerabilities, these have yet to be detected by security experts. And a company that has sole dominance in certain applications can do things to increase the security vulnerability of its software (and not do anything to fix it even when told about it) if it means giving the company greater market dominance in those applications. A classic example would be Apple's own FileMaker Pro Advanced 13 and the company's efforts to put a serious security vulnerability in people's personal information stored in third-party FileMaker Pro databases solutions in order to make consumers think Apple applications are more secure to use. For further details, visit here. And if it isn't for anti-competitive practices, other software companies can be paid sufficiently by certain clandestine organisations such as the CIA and NSA to place certain security vulnerabilities for spies to gather your personal information, which means anything software-related that's commercially available to consumers can contain deliberate security flaws.