MBNA: Not responsible for viruses

March 23, 2011

“You just need to read and accept these terms…” but golly, don’t scroll down and actually read what’s in there:

MBNA accepts no responsibility for any damage caused by viruses contained within the electronic files at this website.

Sometimes companies go the extra mile to truly make you feel like a “valued customer”. Well done, Bank of America.


How much Java do you need?

March 9, 2011

Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.

I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.

My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:

Keep Java for local use, but disable Java for the browsers.

This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.

First of all: Get the latest Java

First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24).

If you haven’t got the latest version, download and install it from http://www.java.com/

Then verify that auto-update is turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:

The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:

Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.

Now, onto the browsers:

Firefox 3.x

Go to Tools -> Add-ons and you see something similar to this:

Click on “Disable” for both Java extensions, to get this result:

Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:

Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:

Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.

After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.

You should get the following result:

Congratulations – Java has been disabled in Firefox!

Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.

The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here, Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player are also repeat offenders.

Internet Explorer

If you’re forced to use Internet Explorer (e.g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good developing platform for your corporate websites…), follow these steps:

First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.

Now, let’s disable Java in Internet Explorer:

Go to the menu “Tools” -> “Manage add-ons”.

(this example is from IE version 8 on Windows XP, your version might be slightly different)

In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:

Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:

The final result should look like this: (all Java add-ons disabled)

Now click the “Close” button on the bottom right and close your browser.

Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Center – as disabling it from IE only seems to not be enough…

Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:

Save & close with “OK” – you will get a popup similar to this:

Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.

You should get one or more of the following popups:

(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)

(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)

If you’ve disabled everything appropriately you should see the following:

Clicking “OK” will eventually land you in this page:

…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.

If you need to use Java for local applications, that’s the best place to be.

Otherwise, if you’re tired with all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.


It’s a simple web page!

February 10, 2011

No it’s not.

Most pages on the web nowadays:

  1. draw content from multiple sources
  2. execute programs (scripts) on your computer, also from multiple sources

What does this mean for you?

Well, for starters it’s important to leave behind the misconception that a web page is a simple thing. There is usually a lot going on in the background that you don’t see. But it’s there. This is how online advertising revenue is generated, and how “advanced” online services operate.

It’s also important to realise that “trust” is a very thorny issue. Visiting the website of (for example) National Geographic shouldn’t be an issue – I mean they’re a respectable business, right? But hang on, on closer examination, look what happens when you visit a single page:

All of a sudden it’s evident that this web page, hosted on nationalgeographic.com  is requesting content from EIGHT (8) different domains, not all of which have an obvious relevance to the web page you are trying to see.

Do you know and trust all of them?

Further, aggregating content from many different domains in one web page usually translates to executing code in your browser, on your computer, from all those different domains you had no idea you were communicating with!

In summary:

All you did was request to see a web page from nationalgeographic.com – which you trust.

Subsequently, and without your express permission or knowledge, your computer was instructed by nationalgeographic.com to download content from virtualearth.net, zozi.com, google-analytics.com, 207.net, quantserve.com, dl-rms.com, imrworldwide.com and ngeo.com.

Your computer also downloaded and executed programs (scripts) from the following domains: googleadservices.com, google-analytics.com, 2o7.net, quantserve.com, virtualearth.com, dl-rms.com, scorecardresearch.com, and doubleclick.net.

I’m only aware of this carnage because of two Firefox addons I use: NoScript and RequestPolicy. But they’re cumbersome to use and require constant adjustments.

Have that in mind next time you catch yourself thinking “I’m safe online because I don’t visit random websites”.
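To make the distinction between downloaded content and executed scripts concrete, here is an added example (not part of the original post) that inventories the third-party sites a page's markup pulls from, separating passive content from code. The page URL, the vendor domains and the HTML are constructed, and the two-label `site_of` heuristic is an assumption that ignores suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that make the browser fetch something, and the attribute naming it.
FETCH_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
              "img": "src", "link": "href"}
# Of those, the ones that bring code or a whole nested document into the page.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}

def site_of(host):
    """Approximate a host's site as its last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

class Inventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_site = site_of(urlsplit(page_url).hostname)
        self.content, self.code = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTR.get(tag, ""))
        if not url:
            return                      # inline script or non-fetching element
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                      # rel=canonical etc. fetch nothing
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and site_of(host) != self.own_site:
            (self.code if tag in ACTIVE_TAGS else self.content).add(site_of(host))

def third_parties(page_url, html):
    """Return (sites supplying passive content, sites supplying code), sorted."""
    inv = Inventory(page_url)
    inv.feed(html)
    return sorted(inv.content), sorted(inv.code)

# Constructed sample page; every host below is made up.
PAGE_URL = "http://www.magazine.example/animals/"
SAMPLE_HTML = """
<link rel="canonical" href="http://other.example/animals/">
<link rel="stylesheet" href="/css/site.css">
<img src="http://images.magazine.example/lion.jpg">
<img src="http://pixel.audience-vendor.example/p.gif?site=magazine">
<script src="//stats.analytics-vendor.example/ga.js"></script>
<script src="http://ads.ad-vendor.example/show.js"></script>
<iframe src="http://tiles.maps-vendor.example/embed"></iframe>
<script>var inline = true;</script>
"""

if __name__ == "__main__":
    content, code = third_parties(PAGE_URL, SAMPLE_HTML)
    print("content from:", content)
    print("code from:   ", code)
```

This reads only the static markup. Scripts can request further resources once they run, so the result is a lower bound on what the browser actually contacts.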


Here come the “smart” phones

February 6, 2011

I’m very glad someone took the effort to prove this can be done, for all the denialists and optimists-to-the-point-of-criminal-negligence out there to get a grip:

“A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers – typed or spoken – and relaying them back to the application’s creator.”

Source: ThinkQ article

This means that installing a single malicious “app” for your smartphone can turn it into the ultimate tool to steal any of your confidential information. Notice that anything you *say* over the phone is also suspect.

Blog post by Bruce Schneier with good links here.

The funny part with this is that the optimists will say “yeah, but it needs user permission!”, as if they know exactly where each and every piece of software they installed on their computer/phone came from. Or as if automated remote installation of smartphone apps will not come knocking on our doors as it did for personal computers.


A “perfect storm” of cyber attacks

February 2, 2011

What an utter load of baloney:

Not that I expect any self-respecting reader to pay heed to what such papers tout, but this fear mongering is still impressive.

Here’s what a more respectable organisation (BBC) has to say on the exact same issue:

Risks of cyber war ‘over-hyped’ says OECD study

And here is the OECD study itself (pdf)

Now, why is the Metro trying to mislead and scare the public like that?


September 11th security fee

February 2, 2011

I recently booked some tickets to fly to the USA and noticed this little gem:

But what is the “September 11th Security Fee“?

It would appear this is a tax on passengers imposed by the US government to finance our continued abuse by the TSA. There’s a certain irony in that… Thoreau might have had a snigger.

The name itself is pure propaganda, implying that paying this extra money keeps us safe against incidents like the Sept. 11th 2001 attacks in New York City.


Don’t worry, it’s as secure as Chip and PIN!

January 20, 2011

MBNA (Bank of America) customers getting new credit cards might notice a new feature thrown in for free: A card that does not require the owner to insert the card anywhere, but instead communicates with the payment terminal wirelessly.

The cards come with an A5 sheet of paper explaining the new features:

You may be thinking – what about security?

The asterisk points to the following footnote:

Let us go through some of these statements:

“Even though you aren’t entering a PIN, your transaction is still completely secure as your card has the latest chip in it…”

This, on its own, is hogwash.

“…and uses the same payment technology as a Chip & PIN transaction.”

Here the bank is saying that *not* using your PIN is secure because you’re using the (presumably infallible) Chip & PIN technology. It’s like saying it’s okay not to use your seatbelt, because your car has got power brakes & seatbelts. Only with Chip&PIN it’s worse, since the security of the whole system falls apart without the PIN.

Further down we read:

“To speed up the transaction you generally won’t be given a receipt…”

Great. There are very good reasons receipts are mandatory for any kind of transaction, whether it’s buying a toothbrush or electing the next president of a nation. Let’s teach the next generation that receipts are pesky pieces of paper that slow us down.

“You will also still be covered for any fraudulent activity on your card just the same as chip & PIN transactions”

Fabulous. All these “completely secure” systems and they’re slapping this warranty on top! It’s just too good to be true.

“…providing you let us know as soon as you notice any unrecognised transactions on your statement or notice your card is missing.”

Ahh, here’s the catch. You need to check your statement every month, putting the onus on you to find the fraudulent transactions. If you don’t, it’s your fault and the bank will not refund the money stolen from your account.

Doesn’t look like such a hot deal after all.

The banks are using the term “Chip & PIN” as a magic wand – hoping that some of its “complete” security will spill over to the new contactless, PIN-less world. They are using something that is already broken to argue that a not-obviously-related product is also secure. If this is really the foundation these systems are built on, it’s not sound.

How is that not a harbinger of trouble for consumers?


Tracking good samaritans

January 19, 2011

I got the following email from hotels.com the other day, asking me to provide feedback on their service and the last hotels I stayed at.

Nothing wrong with that – I have no direct benefit from this but believe in the power of community feedback etc. So I thought what the heck, let’s take the time to complete a quick survey.

So I clicked on the “write a review” link in the email, which directed me to this URL:

http://click.mail.hotels.com/?qs=d022f9b41a16aff5d6ebfc436e6bb406416e73ed4926ea9826856a4c9a1a5fe9571b8d186c7913567898645f30c4bdb9

…which redirected me to:

http://ad.doubleclick.net/clk;229503547;53487117;m?http://www.hotels.com/submitreview.html?lastName=mylastname&itineraryId=53807570&intlid=review&rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887636&et_mid=198875&_dc_ck=try

…which finally takes me to a webpage that demands I download and execute Javascript code in my browser before displaying anything:

http://reviews.hotels.com/7014h-en_gb/7310/writereview.htm?format=embedded&user=6bf4d77c00a3e7254a885e86b510cf53646174653d3230313130313138267573657269643d35333830373539305f2d3130342650726f6475637449443d37333130264850726f706572747949443d32373431363226545049443d2d31303426545549443d3533383037353930264c6f6249443d33264974696e49443d3533383037353930264c69643d32303537264272616e6449443d39264f726967696e3d73697465&submissionurl=http%3A%2F%2Fwww.hotels.com%2Fsubmitreview.html

Asking for the “Privacy Policy”, takes me here:

http://ad.doubleclick.net/clk;229503547;53487117;m%3Fhttp://www.hotels.com/customer_care/privacy.html?rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&intlid=FTR.TR.SUR.eml.privacy&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887677&et_mid=198875

(I substituted my real information for the red text in the above URLs)

It’s an Orwellian world when requesting a privacy policy sends one’s personal information to a DoubleClick tracking page…

PS: If you want to know & control which websites your browser connects to, use Firefox with the RequestPolicy addon.
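The URLs above can be audited mechanically before clicking. The following added example (not part of the original post) unwraps a click-tracking URL, lists the personal-looking parameters each host in the chain receives, and checks whether a long hex value such as `user=` carries readable text. The sample URLs, hosts and values are constructed, and the name patterns are an assumed heuristic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
# Assumption: parameter names that suggest personal data (heuristic, not exhaustive).
PERSONAL_NAMES = re.compile(r"name|mail|user|itinerary", re.I)

def embedded_url(url):
    """Return the URL nested inside a click-tracking or redirect URL, or None."""
    decoded = unquote(url)
    start = decoded.find("://") + 3          # skip the outer URL's own scheme
    match = re.search(r"https?://\S+", decoded[start:])
    return match.group(0) if match else None

def url_chain(url):
    """The outer URL followed by every URL nested inside it, outermost first."""
    chain = [url]
    while (inner := embedded_url(chain[-1])) and len(chain) < 10:
        chain.append(inner)
    return chain

def hidden_text(value):
    """Readable ASCII at the end of an all-hex value (e.g. digest + text), else None."""
    if len(value) % 2 or not re.fullmatch(r"[0-9a-fA-F]{16,}", value):
        return None
    match = re.search(rb"[\x20-\x7e]{8,}$", bytes.fromhex(value))
    return match.group(0).decode("ascii") if match else None

def personal_params(url):
    """Parameters in this URL's query string that look like personal data."""
    found = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        name = name.rsplit("?", 1)[-1]       # key may start with a nested URL's path
        text = hidden_text(value) or value
        if EMAIL.search(text) or PERSONAL_NAMES.search(name) or text != value:
            found[name] = text
    return found

def exposure(url):
    """(host, personal parameters it receives) for each URL in the chain."""
    return [(urlsplit(u).hostname, personal_params(u)) for u in url_chain(url)]

# Constructed samples shaped like the URLs above; hosts and values are made up.
CLICK_URL = ("http://click.tracker.example/clk;1;2;m?"
             "http://www.shop.example/submitreview.html?lastName=Doe"
             "&itineraryId=12345&locale=en_GB&et_e=jane.doe@mail.example")
REVIEW_URL = ("http://reviews.shop.example/writereview.htm?format=embedded&user="
              + "9f" * 16 + b"date=20110118&userid=12345".hex()
              + "&submissionurl=http%3A%2F%2Fwww.shop.example%2Fsubmitreview.html")

if __name__ == "__main__":
    for sample in (CLICK_URL, REVIEW_URL):
        for host, params in exposure(sample):
            print(host, params)
```

For the click URL, the tracker host and the destination host receive the same set of personal parameters, because the tracker is handed the full destination URL as its query string.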


How do I clean up my computer after a virus infection?

January 14, 2011

Good question.

There is ample information on the Web chastising people for doing this and that wrong, for clicking on things, for being tricked into agreeing to install a “plugin update”… reams of articles saying “DON’T DO IT – whatever it is, JUST DON’T!”

But realistically, with drive-by malware attacks picking up and malware being created to specifically evade traditional antivirus programs, people don’t have much chance… it’s just too easy to get infected with malware.

What nobody out there seems to have an answer to, is the simple question: What do you do on the day after?

I am also unaware of a simple answer.

Microsoft publishes a Malicious Software Removal Tool every month. Commendable effort, but it doesn’t stand a chance against resident malware.

Online articles that advise you to “scan your computer with the latest antivirus software” are dangerous because they lead to a misinformed public. The truth is that there are simply too many ways to avoid detection and too much money to be made in the online crime industry. This means that highly skilled, organised and motivated people are writing malware to avoid all known safety nets. Malware has it much easier than all the defenders in the world – the attackers need only one way in, and they have control of your computer for good. And running all the antivirus scans in the world won’t change that.

The only thing you can do, is backup your important data (you do have backups, don’t you?), find your Operating System installation discs, erase your entire hard drive and then re-install everything from clean, trusted media, being extremely careful not to be re-infected by your old files or devices. E.g. infected USB sticks can re-infect the new installation.

To (hopefully) avoid this, follow these rules:

  1. First thing you do after reinstalling the Operating System: Connect the system to the Internet and immediately download and apply all critical updates. Don’t even check your emails.  Update, update and then update some more until everything is at the very latest version.
  2. Users of Windows, disable the automatic execution of stuff on USB sticks and disks. (KB967715 for details)
  3. Install *working* antivirus software. Not the cracked version of Kaspersky your cousin gave you on a CD and said “it’s okay, you don’t need to pay for it”. Not the nod32.exe you downloaded off some “free downloads” site. You may think such pieces of software protect you, but they don’t. They just lie to the users about operating properly and install malware behind your back. They are the enemy. No, you need to get a *legitimate* antivirus solution. See this blog post for free antivirus software that actually detects malware (or at least tries to).
  4. Only after you’ve successfully completed these first 3 steps, may you reconnect your old media (like USB sticks or disks) to restore your files. Before you touch any of those files, you will run an exhaustive scan (that will take hours) on the removable media you used. This will increase your chances of not getting re-infected straight away. After the scan, you may start restoring your files, reinstalling programs etc.
  5. At this point, you have a clean slate and your files back. You should proceed to follow safe computing practices, especially when you’re on the Internet, and hope that someone, some day, will actually improve this sad state of affairs of being unable to trust your own computer and having to be vigilant all the time to not be infected soon again.

Free antivirus software for Windows

January 14, 2011

As of July 2011, there are at least four perfectly legitimate free antivirus products for Windows. In my order of preference they are:

  1. Microsoft Security Essentials
  2. Avast Free Antivirus
  3. AVG Free
  4. Avira Free (why?) (fallen from grace due to user pestering)

These are the ones I have used. There are at least 6 more to choose from.

Please note that the following products are NOT free to use:

  • Norton
  • Symantec
  • McAfee
  • NOD32
  • Sophos
  • Kaspersky
  • etc…

If you’re using one of them and not paying for it (unless of course your organisation has paid for it), you are at risk, as malware authors use warez and similar types of “freebies” and “cracked versions” and “key generators” to infect your computer with the very software you’re trying to defend against.

The only (temporary) exception to this is time-limited versions of antivirus software you usually get with brand new computers, but you must do something about those as soon as the gratis period expires: either buy the product or uninstall it and install one of the free ones.

Remember, an expired antivirus that is not updating its definitions is almost useless.

