Is Google Plus the Rumble in the Jungle?

If you don’t remember the Rumble in the Jungle, it was a boxing match between George Foreman and Muhammad Ali. Back in 1974 names like Foreman and Ali were as famous as companies like Google and Facebook are now. Google, like the older Ali, has been taking punches in the early rounds of the social networking bout, but is this the rope-a-dope strategy? Can Google score a later round victory with Google Plus? Currently Google Plus has landed a couple of punches that Facebook has noticed, but the reigning title holder is nowhere close to the ropes right now.

With Google Plus growing from virtually nothing to 10 million users in two weeks, and reportedly on the verge of doubling that a week later, it seems that Google is landing some significant punches. Skeptics will point out the failed Google Buzz; however, unlike when Google hired the Keystone Kops to design, manage, and execute the Buzz launch, Google appears to have put a more seasoned professional in charge of the launch of Google Plus. The launch has not been without hiccups, such as running out of disk space, but nothing has been done to doom the roll-out as was the case with Buzz.

Despite a high satisfaction rate reported among Facebook users, this does not mean that users cannot or will not be swayed to a better platform. Google Plus clearly presents a far more honest and intuitive grouping mechanism that is much more reflective of real life in almost all respects. Google Plus will clearly continue to grow rapidly for a while; however, ultimately Google has control of its destiny. Google will continue to be hammered over privacy issues until it cleans up its act.

Despite the misconception that other major companies claim similar rights to content, Google’s claim of perpetual and irrevocable ownership of ALL content a user submits may be its Achilles heel, and it sharply differentiates Google from most other services.

Currently, under Google’s Terms of Service, any content you post is theirs. Here, specifically, is section 11.1 of the Google Terms of Service.

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

Understand that this appears to mean Google has the right to republish your email and even photos that they claim are uploaded to a private album. Google claims much broader ownership and acceptable-use rights over your data than most, if not all, other major online companies. This is where Facebook can punish Google Plus.

Contrast Google’s wide open and unrestrained Terms of Service with Facebook’s terms.

Sharing Your Content and Information

You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
2. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
3. When you use an application, your content and information is shared with the application. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, read our Privacy Policy and Platform Page.)
4. When you publish content or information using the “everyone” setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture).
5. We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them).

Currently Facebook offers users far better assurances of data privacy than Google does and that may be a tough body blow to repeatedly endure.

Google has a shot with Google Plus, but like Ali did when he fought Foreman, Google is going to have to change their strategy to maintain momentum and be a real contender.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Free WiFi: Price? All your personal information

Sitting in an airport you rarely frequent, you grab your laptop and snap out a couple of e-mails to send, and look, there’s a free WiFi hotspot. Bang, you connect and send, and are off on your way. What you don’t know is that the free WiFi may come with a price: your login credentials and network traffic being sniffed and captured before being sent along to the real WiFi hotspot, and your information stolen en route, undetected.

The unsuspecting business traveler or coffee shop hound will use WiFi wherever they find themselves. Usually the establishments they frequent will have a WiFi hotspot for customers. Airports often have free WiFi for travelers, supported by the business community, who may present a splash page with ads when a user logs in to offset the cost of providing the service. Usually these types of services are clearly posted in some conspicuous location, with clear instructions for use. Many times (though not always), “official” hotspots will be secured using some kind of authentication, so you may have to enter a passphrase to log in, which is a “good thing”, meaning the communication is more secure.

What raises the flag of awareness is a hotspot with a name you don’t recognize, or one whose SSID (name) is very similar to the official one, maybe one character off. Be especially aware of “unsecured” hotspots, ones where you don’t need to enter a password to gain access. Most of the time, scammers will create an unsecured WiFi hotspot for their shenanigans using common laptop hardware and a couple of crafty applications; it normally won’t require a passphrase, making it “easier” for unsuspecting travelers to use.

The magic happens through a proxy technology, which intercepts your WiFi communication, captures and stores a copy locally on the scammer’s laptop, then sends your information on to a “real” WiFi hotspot. This will slow down your traffic a little, but with congested networks, it’s hard to tell if your traffic’s being snooped, or just many users logging on at the same time to a “real” hotspot.
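The two warning signs above (an unfamiliar open network, and a name that is a character or a look-alike glyph away from the posted one) can be checked mechanically. The Python below is an added example, not code from the original post or from ESET: it compares the SSIDs a laptop can see against the venue’s posted official network name(s) and flags unknown open networks, near-duplicate names, and a posted name that shows up with different security than the venue advertises. The trusted list, the scan results and the homoglyph table are all constructed for illustration.

```python
"""Flag rogue-hotspot candidates in a Wi-Fi scan (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    secured: bool  # True if the access point requires a passphrase (WPA/WPA2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


# Characters that are easy to confuse with a letter at a glance; constructed, not exhaustive.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "_": "", "-": ""})


def normalize(ssid: str) -> str:
    """Case-fold, drop spaces/separators and map look-alike characters so near-clones compare equal."""
    return "".join(ssid.lower().translate(_HOMOGLYPHS).split())


def classify(scan, trusted, max_distance=1):
    """Return {(ssid, secured): reason} for every network a traveller should treat as suspect.

    `trusted` maps each officially posted SSID to whether the venue says it needs a passphrase.
    A clone that copies the posted name *and* its security setting exactly cannot be told apart
    by name alone; that is the case the post says to verify with the venue.
    """
    trusted_norm = {normalize(t): t for t in trusted}
    findings = {}
    for net in scan:
        key = (net.ssid, net.secured)
        if net.ssid in trusted:
            if net.secured == trusted[net.ssid]:
                continue  # exact match to the posted network, including its security setting
            findings[key] = "posted name but security differs from the official hotspot (possible clone)"
            continue
        n = normalize(net.ssid)
        if n in trusted_norm:
            findings[key] = f"visually identical to {trusted_norm[n]!r} after case/homoglyph folding"
            continue
        close = [t for tn, t in trusted_norm.items() if edit_distance(n, tn) <= max_distance]
        if close:
            findings[key] = f"within {max_distance} edit(s) of {close[0]!r}"
        elif not net.secured:
            findings[key] = "unknown open network"
    return findings


# Constructed sample: what the venue posts, and what the laptop's scan returns.
TRUSTED = {"Airport Free WiFi": False, "CafeGuest": True}
SCAN = [
    Network("Airport Free WiFi", secured=False),   # the posted open airport network
    Network("Airport Free WiFi ", secured=False),  # trailing space: looks identical on screen
    Network("Airport Free W1Fi", secured=False),   # digit 1 for letter i
    Network("CafeGuest", secured=False),           # posted name, but the café says it needs a passphrase
    Network("CafeGuest", secured=True),            # the genuine café network
    Network("Linksys", secured=False),             # unknown and open
    Network("HomeNet-5G", secured=True),           # unknown but secured: someone's own network
]

if __name__ == "__main__":
    for (ssid, secured), reason in classify(SCAN, TRUSTED).items():
        print(f"{ssid!r:25} secured={secured!s:5} -> {reason}")
```

Only the genuine airport network, the genuine café network and the secured unknown network pass; the other four are reported with the reason they were flagged. The check is deliberately conservative: it never tells you a network is safe, only which ones deserve the “extra couple of seconds” the post recommends before connecting.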

If you want to log in to check bank balances, buy something for your wife or catch up on e-mail, your computer sends the login information across the network; this is the goldmine scammers look for. Normally, if you log in to a bank website, you’ll see the bank address beginning with “https” rather than “http”; this means the traffic is encrypted, which is far better than unencrypted http traffic. But if scammers capture the encrypted credentials, they can still run a program later that will try many combinations in an attempt to decrypt your encrypted credentials. If they have the information, they have all the time in the world to work on decrypting it, so you may notice fraudulent account activity days or weeks later, long after you’ve left the coffee shop or airport. If the login information you send is unencrypted to begin with, like typing a username/password on a normal “http” site, it makes the task all that much easier. Remember, scammers are lazy, and will try for the lowest hanging fruit first. It’s the old analogy that thieves want to steal A car, not necessarily YOUR car, so they’ll steal the easiest one they can get that looks like it’ll generate the most profit for them.

Sometimes you have to do banking and other more secure transactions on the road. If you can manage to wait until you can get to a network you know and trust (like home/work), you can have a little more peace of mind. If, however, you’re a road warrior or just need your morning latte, spend an extra couple seconds verifying that you’re logging in to the network you are expecting to, not a fake.

Cameron Camp
ESET Research Systems Manager

The Irish prove their rebellious nature online

1 in 3 Irishmen regularly exposes himself, 5% of Dubliners don’t use any protection, but Irish women are less likely to spread infection.

Well, the real subheading was actually meant to read “Too many Irish skip their Antivirus’ warnings, according to latest ESET Ireland’s survey about computer security”…but we just couldn’t resist. The topic, unfortunately, as is the case with most we cover, is a more serious one.

When an antivirus’ message pops up, do you do what it says or ignore it? Do you visit web pages flagged as dangerous by the antivirus? Do you run programs the antivirus recognises as dangerous? These are the sort of questions ESET Ireland (http://eset.ie) asked Irish computer users in their latest computer security survey carried out by Amarách research.

The results were a bit shocking, as 34% of the surveyed computer users ignore the alerts their antivirus shows them. Furthermore, according to detailed demographic statistics:

  • the worst behaviour is displayed by a young male from the Dublin area
    (54% of age group 15-24, 35% of males and 41% in Dublin ignore warnings),
  • while the safest is displayed by a female over 55 from Connaught or Ulster
    (only 23% of age group 55+, 33% of females, and 31% in the north ignore warnings),
  • also concerning is the fact that 4% of the Irish don’t use any antivirus software
    (8% of the young and 5% of Dubliners).

The data collected in the survey suggests that 1.2 million Irish computer users may infect their computers intentionally. While women are proving more careful, a large percentage of young men won’t be told what to do and will click on anything they please. Even if just 10% actually get infected, that still means 120,000 potential infections at regular intervals. This sort of behaviour results in thousands of lost documents, computer reinstallations, frustration and many wasted work hours.

“The relation between risk factor and demographics implies that the more someone considers themselves an experienced computer user or feels ‘they know what they are doing’, which certainly would be the case with young urban males, the more they are willing to take the chance of getting infected, just to run that program or view that website they wanted, no matter how risky it could be,” comments Urban Schrott, security analyst at ESET Ireland, “It may seem like a paradox, but less computer savvy users are treating security much more carefully. Because, unfortunately, no matter how good your antivirus program is, it serves little purpose if you ignore its warnings or reverse its security protocols.”

Antivirus software often relies on computer users to allow or disallow certain things from occurring on the computer. But while making the wrong decision could be potentially troublesome, it is people who turn their antivirus completely off, while it is trying to protect them from infection, that we find hard to understand. Urban Schrott elaborated on this topic less than two months ago in a blog titled “Push a fork into the socket to see who’s viewing your profile”.

For more information on cyber threats,
follow us on Facebook https://www.facebook.com/eset.antivirus.ireland
or Twitter http://twitter.com/eset_ireland

Additional Resources

The overall survey results:

And some of ESET experts’ previous articles dealing with security practices and avoiding being the weakest link:

Security and Privacy of Facebook Video Calls powered by Skype

Introduction

Facebook and Skype announced the launch of Video Chat on Facebook using the Skype platform. Users must download the newest version, 5.3 (although the 5.5 beta is also acceptable). If you take the plunge, install the new version, log in and grant Skype permission to your profile on Facebook, then please pay attention to what follows. The news stories are not covering what this means for those interested in privacy.

And we found in our recent Harris Poll survey that nearly 70% of respondents are indeed concerned with privacy on social networking sites.

ESET Harris Poll Survey

What are the lessons we aim to walk away with?  Let us explore this using the 5.5 Beta thru the following questions:

  1. What does this mean to me as someone who will use this new service?
  2. Why should I care about this new service if I am not even using it?

Installation & Setup

Once the new version is installed and running and after logging into Skype there is a new Facebook tab available with an option to connect.

Skype to Facebook Connection

I began to step thru the connection process and found the familiar Facebook login screen, shown next.

Login to Facebook from Skype

Facebook Permissions

Upon logging into Facebook via the Skype client application I am duly presented with the “Request for Permission” screen shown below.

Facebook Request for Permission by Skype

Let us break these out for observation.

Access my basic information

From what I have observed over time this is a fairly routine and “required” access setting.  Facebook defines it as:

Includes name, profile picture, gender, networks, user ID, list of friends, and any other information I’ve shared with everyone.

Send me email

Same observation as above, defined by Facebook as:

Skype may email me directly at … .

Post to my Wall

Another common observation I have seen, and described by Facebook as:

Skype may post status messages, notes, photos, and videos to my Wall.

Access my data any time

This option (and those that follow) is where we start to head into permission settings that are questionable to me (and to some extent even the options preceding).

“Skype may access my data when I’m not using the application.”

Access posts in my News Feed

Undefined by Facebook.

Access Facebook Chat

Undefined by Facebook.

Check-ins

Defined as “Skype may read my check-ins and friends’ check-ins”.

Access my profile information

“About Me, Birthday, Hometown, Current City, Website and Facebook Status.”

Access my photos and videos

“Photos Uploaded by Me, Videos Uploaded by Me and Photos and Videos of Me.”

Access my friends’ information

“Birthdays, Hometowns, Current Cities, Websites, Photos, Videos, Photos and Videos of Them, ‘About Me’ Details and Facebook Statuses.”

Allowing Skype on Facebook

For purposes of this article, I click ‘Allow’ and check further.

Facebook Allow Button

Facebook View from Skype

Once enabled, this is the view of my Facebook page thru Skype.

Facebook page thru Skype

Facebook Permissions for Skype

Immediately I visit my Facebook Privacy Settings for Applications through an Internet Browser and check the Access Log for Skype.  Snapshot is provided below.

Skype to Facebook Access Log

Information Accessed in the first minute

In the minute that Skype has had permission, it has accessed the following bits of data from my Facebook profile:

  1. Basic Information
  2. News Feed
  3. Likes, Music, TV, Movies, Books, Quotes, About Me, Birthday, Hometown, Current City, Website, Education History and Work History
  4. Mobile Phone Number
  5. My Friends’ Photos

I wonder why Skype would like to know about my friends’ photos?

Changing Permissions

A person may modify the initial “Approve/Deny” selection for Skype’s permission request. The options below are divided into those that are fixed and those that are removable:

Facebook permissions for Skype

Table version:

     Required / Fixed                 Optional / Removable
  1  Access my basic information      Post to my Wall
  2  Send me email                    Access posts in my News Feed
  3  Access my profile information    Access my data any time
  4  Access my photos and videos      Access Facebook Chat
  5  Access my friends’ information   Check-ins

Minimal Settings

Permissions for Skype on Facebook look like the following screen shot after every removable option has been removed.

Pared down Skype Permissions on Facebook

However, Skype is still permitted as a “Requirement” to access information on my friends.

What’s the Meaning?

Skype is asking for access to lots of information about you, and also about your friends.  The key in using this application either by yourself, or by a friend is to configure your own Privacy Settings for your Facebook profile.

Even if you do not use Skype for Facebook, it is important to review your settings.  Be sure to read my Guide on Facebook Privacy:

Facebook Guide to Privacy

http://blog.eset.com/2011/05/25/facebook-privacy

Pay particular attention to “info accessible through your friends”, a snapshot of which is provided below.  If your settings look like this (default by Facebook), then a friend of yours who installed Skype and connected with Facebook has already accessed your data.

Facebook info accessible through your friends

While you are checking this, confirm what you are sharing publicly if your desired interest is to remain private.  If your intention is to be public, then your current settings may be just fine.

It is my intent to let folks know that should you elect to bypass using Skype on Facebook, be wary of what you share with your friends and what your friends are permitted to re-share.

For Me

Skype can access virtually anything about a profile on Facebook if a person gives it permission including phone number, photos, videos and chat.

Skype may access your information directly.

For my Friends

Should you elect to deny permission (skip Facebook and Skype integration), your own friends may choose otherwise.  So if a person permits their information to be shared through their friends, Skype can still access that person’s data.

Skype may access your information indirectly.

Conclusion

Your own privacy mileage may vary yet I leave you with the ultimate question (may apply to anything on the Internet, not just Skype or Facebook):

Do you want your life made accessible to Skype (now owned by Microsoft) without your knowledge, through your friends, or by you?

It would be nice to know your choice, so please let me know by commenting on the blog or by sending me a message.

In the meantime, enjoy the new feature if you are using it.  I signed up for this using my work Facebook account.  See you around the Internet!

Since many folks are indeed concerned with Privacy on social network sites, feel free to check into the LinkedIn Privacy Guide article.

Please implement good password techniques and keep our ecosystem free and safe.

Paul Laudanski
Director of CTAC, North America

Facebook Facial Recognition – A picture is worth a thousand words

Facebook recently launched a facial recognition feature that allows you and others to “tag” photos with your name. As has been the norm for Facebook, this “feature” is turned on by default and users must take their own initiative to limit, or turn it off. The implications are wide-ranging, so if you or anyone in your family has a Facebook account, you should be sure to revisit your security settings as soon as possible, if you haven’t already. We give you instructions on how to disable this component later in this post.

Is it really a problem?

Many bloggers and reporters don’t believe that facial recognition is an issue worth worrying about. I’d rather err on the side of caution and have turned the feature off in my Facebook account. Google’s Chairman, Eric Schmidt, described the increasing accuracy of the service as “very concerning” at Google’s Big Tent conference in June of this year. One of my litmus tests on privacy is: if Google (not known for believing anything should be private on the Internet) is indicating any level of concern, we all should be very concerned.

This issue is like an iceberg … the tip doesn’t look too bad but what lies beneath is very troublesome

The “tip” is facial recognition. There are benefits to having your photos be another way of identifying you from all the other people in the world that have your same name and a Facebook account, but there are also risks in so doing. It’s your choice up to a point, but the main issue is having others “tag” you regardless of your Facebook settings. You can control the “tip” by changing your Facebook security settings to make sure that the photos you upload to your Facebook account are not tagged with your name.

The iceberg issue beneath is someone else posting a picture of you and then tagging that picture with your name and a link to your profile. Anyone with a Facebook account can tag a photo they have uploaded with the name of any friend or friend’s public page, regardless of whether you are Facebook friends, friends of a friend, or have ever been associated with them in the past.

Depending upon your historical behavior, you have already faced risks of inappropriate photos showing up on friends’ accounts, but now that risk is compounded by one or more of those photos being “positively” identified as you. Those photos are outside of your control. As the number of “tags” of you grows, the identification becomes more accurate, and an untagged photo outside your control becomes more likely to show up with your name suggested as the name associated with that photo.

As with all things related to personal privacy, it is your decision if you want to disable this feature on your Facebook account, or that of your children. At the minimum, you might want to make sure your Facebook friends are also aware so they can decide what to do for themselves.

Even though you may decide to change your Facebook settings so “Only Me” can see photos and videos where you are tagged, some tests indicate that they still show up on friends’ pages. I’d recommend you run a test with one of your close ‘real-world’ friends to be sure. It’s better to be safe than sorry.

Steps to Protecting Yourself

It’s not just one step unfortunately. It takes a number of steps, but here’s how to disable tagging in your Facebook account.

  1. Login to your Facebook account
  2. At the top right of your Facebook you will see the “Account” tab
  3. Click on the tab to see the drop-down menu
  4. Click on “Privacy Settings” … It’s the third item on the list
  5. In the “Sharing on Facebook” section, click on “Customize”
  6. Near the bottom of that page is “Customize Settings”. Before clicking on it, uncheck the “Let friends of people tagged in my photos and posts see them” if you have not done so before. (This makes you a good netizen by not increasing the likeliness of facial recognition for your friends).
  7. Next click on “Customize settings” (in blue with a pencil icon in front).
  8. Under “Things I share” you might want to uncheck “Include me in ‘People Here Now’ after I check in”. Announcing here is the same as saying you are not at home (or work). Your boss, significant other, or a criminal might be checking where you are.
  9. Under “Things others share” click on “Edit Settings” of “Suggest Photos of me to friends”
  10. In the drop-down menu, click on “Disable” and then on “Okay” to be sure your changes stick
  11. In the same section click “Edit Settings” next to “Friends can check me into Places” and disable that option so friends cannot tell others where you are (if you don’t know why you should do this, please give it more thought)
  12. Since you are “in the zone” review your settings in the “Contact Information” section and be sure you are only giving out your email address and mobile phone to those you want. Even better, delete your mobile phone number, just in case Facebook “accidentally” shares this information sometime in the future.
  13. While you are at it, review all your other security and privacy settings
  14. Set a recurring reminder in your electronic or physical calendar to check your Facebook security settings at least once per month.

For a comprehensive overview of Facebook Privacy and settings, Paul Laudanski’s blog of June 3rd of this year is highly recommended reading: Facebook Privacy

Keeping the information you want to be private online is not an easy task, but it is unnecessarily reckless not to try. Talk to your friends and family and encourage them to take the steps we have outlined above … Today.

Remember … Technology + Awareness = Cybersecurity

David Carnevale
Director of Consumer Marketing
ESET North America

LinkedIn Privacy: An Easy How-to Guide to Protecting Yourself

Introduction

LinkedIn is a social network platform whose specialty is connecting professionals together to build relationships and create business opportunity. Recently the company became publicly traded and grabbed the attention of the world as its initial public stock offering more than doubled on the first day. Here we focus on tools and options for user privacy on this professional social network. Previously I have written a similar blog about Facebook Privacy, which one may read here. It is worth noting that LinkedIn is working on new privacy and security features, so keep yourself informed. Akin to my Facebook Privacy blog, I set about showing a framework guide to what is available for LinkedIn Privacy and what one possible set of options looks like.

For a sample of what a profile looks like when browsing LinkedIn anonymously, view mine at http://www.linkedin.com/in/laudanski.

Your own mileage for options may vary because this network is indeed built to foster professional networking and opportunity. You may want to have enhanced advertising enabled. Whereas for Facebook you may want to lock down settings, here, you may choose otherwise. And there are many selections to choose from, and not all are in the same location. For instance, there are settings for Groups and each particular group you are part of.

Assumptions

For purpose of this blog, the following are assumed unless stated otherwise:

  • Desktop based web browsing,
  • A person already has a LinkedIn user account.

Social Networking/Cybersafety Survey

We recently conducted a survey via Harris Interactive to track concerns about privacy and security with respect to social networking sites. 87% of those who responded rate Security and Privacy as their highest concerns as shown below:

Figure 1: Security and Privacy Highest Consumer Concerns for Social Networking

And respondents also indicate that they update their privacy settings very infrequently, if at all.

Figure 2: Privacy Setting Update Frequency

Settings and options are constantly evolving on sites like LinkedIn and Facebook, so it is important to check your own selections more often. Hence the purpose of this article: to spread awareness of where all the various options exist at LinkedIn and what those selections might offer. The most important thing to note is the status updates shown below and accessible on the homepage:

Figure 3: Status Updates

If a person enters something here (and perhaps through Twitter or a blogging platform), the information is accessible (defined by your privacy controls). Personally, I do not post my travel; however some folks do. There are external sites that track this kind of status update and raise awareness of these dangers. So be mindful of what you share.

For instance, I shared this blog and Claudio, another ESET employee shared it on his network:

Figure 4: Sharing Status Updates

Viewing my Profile one can see (based on my privacy settings) my status update:

Figure 5: Viewing a Profile

Logging In

Let us begin by stepping through a typical login process. To maintain completeness, we start from zero. Here we see the usual home page for a person when they are not logged into the service.

Figure 6: LinkedIn Home Page – Not Logged In

Next, we observe the login procedure:

Figure 7: Logging into LinkedIn

Observe that the connection during login is ‘https’, which translates into ‘secure browsing’. During our how-to, this is one of the times https is enabled transparently by the provider. Another instance is the Account Settings page.

Once successfully signed on, we step into the familiar LinkedIn user screen home page, a slice served below:

Figure 8: Typical LinkedIn user home screen slice

Account Settings

Now that we have a foot firmly in the door at LinkedIn, we want to hop over to Account Settings, located in the upper right hand portion of the page:

Figure 9: LinkedIn account Settings

We are taken to the following screen:

Figure 10: Account Settings Main Screen

Here we visit “Change” Primary Email, bringing up the following screen of options where email addresses may be removed or promoted to “Primary” from “Secondary”:

Figure 11: Add and change email addresses

Next we visit the Change Password option (to read more about password strength and techniques visit my blog on No Chocolates for my password please!):

Figure 12: Change Password

Profile

For the next set of options, I will be displaying what the screens look like so the reader may be aware of these settings.

Figure 13: Turn on/off your activity broadcasts

Figure 14: Select who can see your activity feed

Figure 15: Select what others see when you’ve viewed their profile

Figure 16: Select who can see your connections

Figure 17: Change your profile photo & visibility

Figure 18: Manage your Twitter settings

Email Preferences

Figure 19: Email Preferences

Figure 20: Select the types of messages you’re willing to receive

Figure 21: Set the frequency of emails

Figure 22: Select who can send you invitations

Figure 23: Set the frequency of group digest emails

Figure 24: Turn on/off LinkedIn Announcements

Figure 25: Turn on/off invitations to participate in research

Figure 26: Turn on/off partner InMail

Groups, Companies & Applications

Figure 27: Groups, Companies & Applications

Figure 28: Turn on/off group invitations

Figure 29: Turn on/off data sharing with 3rd party applications

Account

Figure 30: Account

Figure 31: Manage Social Advertising

Figure 32: Turn on/off enhanced advertising

Figure 33: Customize the updates you see on your home page

Figure 34: Customize the updates you see on your home page (Hidden)

Figure 35: Get listed in the service provider directory

Account Types

Account types, and the information available to those who purchase them.

Figure 36: Promoting Opportunity

Figure 37: Account Types

Figure 38: See Expanded Profiles

Figure 39: Talent Finder Subscription

FAQ

As the reader can observe there are lots of controls for one’s account. Visit the LinkedIn FAQ available at http://linkedin.custhelp.com/app/answers/list/ when you have queries.

Figure 40: Frequently Asked Questions

Apps

The Application Directory lets a user add additional tools to their profile.

http://www.linkedin.com/static?key=application_directory

Figure 41: Applications

Profile Edit

Editing one’s profile is also another location for choices to be made, available at http://www.linkedin.com/profile/edit. These are just some of the settings to be mindful of:

Figure 42: Edit Profile (Top View)

Figure 43: Edit Profile Personal Information

Groups

My Groups, http://www.linkedin.com/myGroups, is a place where a person can join discussions for a particular company or organization. Here is just one example:

Figure 44: My Group Directory Display Example

Figure 45: My Group Deep Dive Settings

Figure 46: My Group set to Open

When a Group is set to open, LinkedIn displays the following message when the reader enters:

“Previous discussions are stored in a read-only archive for members only. All new discussions can be seen by non-LinkedIn members, shared on Twitter and Facebook, and indexed by search engines.”

Account Closure

If a person is interested in closing their LinkedIn account, this is the process (just be mindful of the Privacy Policy restrictions):

Figure 47: Close Account

Companies

Companies are another location, http://www.linkedin.com/companies, to make adjustments. Here I provide examples of how one’s profile may show up for others.

Figure 48: Companies

Statistics http://www.linkedin.com/company/eset/statistics are available for viewing as well.

Figure 49: Companies Statistics

Profile Viewing

Who’s viewed your profile is a service that one may purchase. Here is some information to be aware of.

Figure 50: Profile Stats Upgrade

Figure 51: Upgrade Options

Connection Removal

Remove Connections is a page that enables the reader to maintain their connections.

http://www.linkedin.com/connections?displayBreakConnections

Figure 52: Remove Connections

Privacy Policy

Privacy Policy is a page that everyone should read. Here are a few quoted highlights:

http://www.linkedin.com/static?key=privacy_policy

Personal information collected

We collect information:

When you register an account to become a LinkedIn user (“User”), such as your name, e-mail, employer, country, and a password.

When you view and interact with LinkedIn pages, features, and functionality, including LinkedIn mobile applications, software (like adding to your profile, participating in Groups, uploading contacts, etc.), and platform technology (like “Share on LinkedIn” buttons or third party applications). We also collect your IP address, browser type, operating system, mobile carrier, and your ISP, and receive the URLs of sites from which you arrive or leave the LinkedIn website, or sites that have embedded LinkedIn platform technology.

Through cookies and other technologies that allow us to recognize you, customize your experience, and serve advertisements both on and off LinkedIn. Learn more about cookies, beacons in Sections 1G and 1H, below. You can opt-out of advertising off LinkedIn here.

When you interact with third party services available through LinkedIn like surveys, polls or other third party research undertaken with your consent.

Your Information Choices

You can:

Review, enhance or edit your personal information through your personal profile page;

Control what information you make available to search engines through your public profile;

Choose whether you install or remove any third party applications;

Control whether your profile information is shared with third parties through Developer Applications installed by your connections by clicking here;

Control the messages you receive from LinkedIn and other Users;

Change your settings to control visibility and accessibility through our website;

Control whether LinkedIn personalizes its professional plugins across the web using your LinkedIn account here.

Control whether LinkedIn uses your name and profile photo in social ads; and

Tell us to close your LinkedIn account.

Default Settings

Because the mission of LinkedIn is to connect the world’s professionals to enable them to become more productive and successful, we have established what we believe to be reasonable default settings that we have found most professionals desire. Because Users may use and interact with LinkedIn in a variety of ways, and because those uses may change over time, we designed our settings to provide our users granular control over the information they share. We encourage our Users to review their account settings and adjust them in accordance with their preferences.

LinkedIn accounts are also defaulted to allow Users to be contacted to participate in polls, surveys and partner advertising. Click here to change these settings.

Security Timeout

It is worth noting that after a brief period of time, LinkedIn’s default behavior is to prompt the user for their password to access Settings or other features of the site, shown below:

Figure 53: LinkedIn timeout password request

Progress

And LinkedIn strives to improve itself, so sometimes you may see this.

This concludes our awareness blog for LinkedIn and all the various tools available in locations around the site. I myself have been using LinkedIn professionally for years and it has been well worth it.

Paul Laudanski (http://www.linkedin.com/in/laudanski)
Director of the Cyber Threat Analysis Center, ESET

The Social Networking/Cybersafety Disconnect

Survey Reveals Chasm between Users’ Concerns and Behavior

A recent survey commissioned by ESET and conducted online by Harris Interactive from May 31 to June 2, 2011 among 2,027 U.S. adults aged 18+ found a startling disconnect between users’ concerns about privacy and security and their actions on social networking sites.

To start, the study found that 69% of online social networking account owners are concerned about security on social networking sites, yet one third of them have never changed the passwords for their social networking accounts and another 15% last changed their password more than one year ago.

Moreover, the survey revealed that one in ten online Americans with social networking accounts have reported that an unknown party gained unauthorized access to their social networking account to spread malicious links and comments. This is particularly alarming since unauthorized access can threaten account owners’ cybersecurity as well as that of their contacts. We’ve seen countless examples, including recent scams around the death of Osama Bin Laden.

The survey also found that 67% of account owners claimed that they were concerned about privacy issues, yet 55% of the account owners update their privacy settings less often than once every six months, if ever. This can be problematic. For example, Facebook makes it extremely difficult to know when you need to change settings because they virtually never advise users when they are making changes that may affect user privacy.

While 69% of account owners were concerned about security and 67% expressed concern about privacy, there were other significant concerns reported as well.

• 37% were concerned about someone creating a fake account in their name.
• 95% of social networking account owners accept friend/follower/connection requests always or sometimes.
• 71% of social networking account owners are concerned that the personal information they enter on social networking sites may be sold or shared without their knowledge for profit.
• 17% were concerned about their children using social networking sites.

So, what can you do to secure yourself and your contacts on social networks?

A common misperception seems to have many users believing that social networking safety and privacy is entirely outside of their control. This is not the case—you can easily improve your online security if you follow these simple guidelines:

#1: Be smart about passwords.

How important is it to change your social networking password on a regular basis, and at what interval should you change it? This is actually a subset of the question of how often you should change passwords in general. The answer depends on a few factors.

Do you use the same password for your multiple social networking accounts, email accounts, and other online services? If you answer yes to this, then about once every 5 minutes is the optimal interval for changing your password. When you use the same password everywhere it only takes one Sony-style mistake to compromise all of your accounts. Remember, your passwords are on the Internet, and they are not entirely under your control. Is your password a word in any language? A number such as 12345? If so, then perhaps an interval of once every 10 minutes is appropriate. To put it simply, you can’t change your password often enough if you are using a poor password. For some tips on using good passwords I recommend that you refer to ESET researcher Paul Laudanski’s blog “No chocolates for my passwords please!”.

Assuming a good password and no significant enemies, I am unaware of a scientific formula for the optimal period for password changes. In general I would expect for a service like Facebook, every three to six months will be sufficient, yet the survey found that 70% of social networking account owners have not changed their password within the last 90 days. Events like breaking up with a vindictive partner, finding that your computer or smartphone has been compromised, etc. would tend to mandate a password change sooner rather than later.

#2: Know your options when it comes to privacy, and check back often.

Facebook may report to the media that they are making a change, but often the change is gradually rolled out and secretly slipped past users. Facebook appears to deliberately use this approach to drive adoption of “features” they fear users will find nefarious. The reality is that with Facebook you probably should be checking your privacy settings every couple of weeks if you want a chance to keep on top of what Facebook may have changed in your account. Once again, Paul Laudanski has an excellent blog about Facebook privacy settings with best practices and tips to keep Facebook users safe. Don’t be fooled though, Facebook privacy has never been “set and forget” and is not likely to be anytime soon. As hard as you work to control your privacy, Facebook’s marketing department is working twice as hard to find new ways to share your data without informed consent.

#3: Know who your real “friends” are.

Be sure that anyone whose “friendship” or connection you accept is someone you know and trust. For the 11% of social networking account owners that indicated concern about the number of friends/followers/contacts they have, all I can say is that it is your choice and you have to make your own decisions. We can provide you with advice and guidance, but we can’t and won’t tell you who to associate with.

#4: When in doubt, seek help from outside resources.

For those of you concerned with your children’s use of social networking sites, I would highly recommend a visit to http://www.safetynetcc.org/, a collaborative cyber safety education program of the San Diego Internet Crimes Against Children Task Force and the San Diego Police Foundation.

Methodology
This survey was conducted online within the United States by Harris Interactive on behalf of Schwartz Communications from May 31-June 2, 2011 among 2,027 adults ages 18 and older, of whom 1,476 have social networking accounts. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please email us here.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Support Scams: Cold Calls, Cold Hearts

Here’s a diagnostic window that you shouldn’t panic over, certainly not if some cold-calling scammer directs you to it by persuading you to run a diagnostic on your own system.

But I’m getting ahead of myself.

You might think I’ve blogged more than enough about support scams already – you know, where someone calls you out of the blue to “help you” with a malware problem you didn’t know you had, or to check your system for problems – but the issue seems to have come to life in the media again. Not that it’s ever gone away as far as the victims are concerned.

The interest derives from a survey by Microsoft into this “emerging” threat. Well, if you’ve been following these blogs, you’ll know that this threat has been emerging for well over a year now, but the survey came up with some interesting if disquieting figures. Out of 7,000 respondents in the US, Canada, Ireland and the UK:

  • 15% had received “a call”: actually, in my experience, once they have your number, you’ll get a lot of calls, though they finally seem to have given up on me.
  • 3% of the sample (22% of those who received a call) fell for it.
  • 79% of those who fell for it sustained direct financial loss (on average, $875), and 53% lost even more money fixing problems caused by the scammers (up to $4,800).

There’s some good advice in the Microsoft press release, but the assumption is that if someone calls you out of the blue to tell you that you have a computer problem, it’s going to be a scam. Well, that’s probably true in the countries mentioned, but it’s actually more complicated than that. As we explained here, there are circumstances in certain countries in which you might be cold-called legitimately: our friends at Sophos have addressed some of those scenarios with some excellent advice here. In this white paper, we’ve tried to address some of the legal issues as well as provide a comprehensive picture of how the scams tend to work (they do change over time, though, and I put that paper together last year: it might be due for a revisit).

Two points the MS press release didn’t mention:

  • Most (though not all) of these scams rely on persuading you to run Event Viewer, which is pretty useless as a diagnostic tool unless you already know enough about Windows internals not to fall for the scam. It flags a whole bunch of transient errors that may frighten a technically-challenged victim, but don’t actually signify a real problem at all, so if someone tries to get you to run a program called EVENTVWR, that’s a pretty good scam heuristic in itself.
  • While the survey didn’t include Australia, that’s also a very commonly targeted population: CNET is incorrect in saying that only the countries surveyed are seeing the problem at the moment. It’s true, of course, that other countries with a large English-speaking population could be targeted, and that the scammers might start targeting speakers of other languages.

John Oates also flagged this survey in The Register.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

The Irish are using safer passwords than global average

According to a survey, the password situation in Ireland is a bit better than the global average

Globally the most widespread passwords are still “123456” and “password”, as well as other very simple ones. This seemed just too terrible to us, so we ordered another survey in Ireland, to see if the Irish are any smarter than that. Well, we’re happy to say, yes they are! At least a bit.

ESET Ireland had a survey conducted to find out what sort of passwords the Irish use and how secure they are. We asked Irish computer users whether their passwords resemble any in the several groups we made available, which represent different levels of complexity and therefore increasing levels of protection.

So, according to the survey, the password situation in Ireland is a bit better than is the case with the global average, but still there’s no room for complacency, because after all, cybercriminals are after YOUR money.

At least a third of Irish computer users have set up passwords that include letters and numbers, rather than just a simple sequence of letters or numbers. Unfortunately, though, among a fifth of the Irish, and even more in Connaught and Ulster, simple passwords are still the most widespread. Another fifth, however, uses complex, hard-to-crack passwords that include lowercase and capital letters and numbers, or even a punctuation mark for good measure. Here are the survey results:


Cybercriminals want our passwords. They can hack into our email and our social networks, then steal our identity and mail our friends or institutions with financial scams in our name, which could even get us in trouble. They try to get into our PayPal, eBay and Amazon accounts, into other online shopping sites, even our online banking, to steal our money. All these use a password and if it is weak, then our accounts are vulnerable.

ESET Ireland’s 5 quick tips on secure passwords

1. Letters-numbers-punctuation. Use all these in a password.

2. Don’t use easy to guess things such as your name, date of birth or other similar info that can be gathered from your Facebook profile.

3. Invented or misspelled words are better than real ones for passwords.

4. Don’t use the same password on several accounts or machines.

5. Change your passwords at regular intervals.

To learn about all the tips and tricks to create a strong password in detail, read this guide by ESET security expert David Harley, as well as the password strategies here. Or see if you can make use of this password generator.
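As an added example (not part of either post) covering the two passages on passwords, Randy Abrams’s tip #1 above and ESET Ireland’s five tips, here is a small Python checker that sorts a password into the complexity groups the Irish survey describes and reports which of the five tips it breaks. The common-password list, the 12-character minimum and the 90-day age yardstick (borrowed from the survey’s 90-day figure) are this example’s own assumptions, and `check_password`, `complexity_group` and `has_run` are its own names.

```python
import string

# Constructed list: the widespread weak passwords the posts name, plus a few
# more for illustration. A real deployment would use a large breached-password
# blocklist instead of this toy set.
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "letmein", "abc123"}

# Yardsticks assumed for this example: the survey's 90-day change figure and a
# minimum length of 12, which neither post states explicitly.
MAX_AGE_DAYS = 90
MIN_LENGTH = 12


def character_classes(pw):
    """Which of the four character classes from tip 1 the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punct": any(c in string.punctuation for c in pw),
    }


def complexity_group(pw):
    """Map a password onto the survey's complexity groups.

    Anything that fits none of the richer groups (letters only, digits only,
    or e.g. letters plus punctuation) is counted as 'simple' here; that is
    this example's assumption, not the survey's published definition.
    """
    c = character_classes(pw)
    letters = c["lower"] or c["upper"]
    if c["lower"] and c["upper"] and c["digit"] and c["punct"]:
        return "complex"  # mixed case, digits and punctuation
    if c["lower"] and c["upper"] and c["digit"]:
        return "mixed_case_and_numbers"
    if letters and c["digit"]:
        return "letters_and_numbers"
    return "simple"


def has_run(pw, length=4):
    """True if pw contains `length` consecutive or repeated characters,
    e.g. '1234', 'abcd', 'dcba' or 'aaaa' (the '12345' case from the post)."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, personal_info=(), other_passwords=(), days_since_change=None):
    """Return (group, problems) for one password.

    personal_info:      strings such as your name or birth year (tip 2)
    other_passwords:    passwords used on other accounts (tip 4)
    days_since_change:  age of the password in days, if known (tip 5)
    """
    problems = []
    group = complexity_group(pw)
    if group != "complex":
        problems.append("tip 1: use letters, numbers and punctuation together")
    lowered = pw.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"tip 2: contains personal detail {item!r}")
    if lowered in COMMON_PASSWORDS:
        problems.append("tip 3: a common or dictionary password")
    if has_run(pw):
        problems.append("tip 3: contains a simple sequence such as 12345")
    if pw in other_passwords:
        problems.append("tip 4: reused on another account")
    if days_since_change is not None and days_since_change > MAX_AGE_DAYS:
        problems.append(f"tip 5: last changed {days_since_change} days ago")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return group, problems


if __name__ == "__main__":
    # Constructed sample passwords, one per survey group of interest.
    samples = [
        ("123456", {}),
        ("Sean1985", {"personal_info": ["Sean", "1985"]}),
        ("horse-BATTERY-staple-42", {"days_since_change": 120}),
    ]
    for pw, kwargs in samples:
        group, problems = check_password(pw, **kwargs)
        print(f"{pw!r}: {group}; " + ("; ".join(problems) or "no problems found"))
```

The checker deliberately scores structure only; a long password can still be weak if it appears in a breach list, which is why the blocklist lookup sits alongside the character-class rules rather than replacing them.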

Research was carried out by Amárach on behalf of ESET Ireland to investigate IT and online security among Irish internet users. To make the survey valid, a varied target audience totalling 1,000 was used: an 850-person sample was surveyed online and a 150-person sample face to face, to ensure a fully representative sample.


Security Feature: Protecting Consumers from Rogue Online Pharmacies

Over the past couple of years rogue online pharmacies have been advertising their domains on search engines and promoting themselves through search engine optimization.  Legitimate pharmaceutical companies have their own measures in place to work on taking these sites offline.  The problem with rogue online pharmacies is that they do not meet federal regulations.  To be a legitimate online pharmacy they must meet certain requirements including:

  1. Having a physical pharmacy in the state in which they conduct business,
  2. If they have a doctor, they must have a relationship with the customer when providing a prescription,
  3. The online pharmacy must work with those prescriptions,
  4. In order to sell to customers in the USA, they must again have presence in the United States.

Domain Incite broke news of a new UDRP filing covering 209 domains (hat tip to Garth Bruen from KnujOn for posting this as a status update on his LinkedIn profile).  Those domains have a word in common: “cialis”.  This is a registered trademark owned by Eli Lilly.  Although it is not conclusive, Kevin Murphy of Domain Incite suggests that Eli Lilly sounds like the most reasonable complainant.

UDRP stands for Uniform Domain-Name Dispute-Resolution Policy; it is an agreement adopted by ICANN-accredited registrars and included in domain registration agreements.  It provides a mechanism for trademark holders to file a complaint showing that harm is being done to the trademark holder’s brand, and if the complaint succeeds, the domain may be reclaimed by the legitimate party.

Aside from industry efforts such as LegitScript to spread awareness and enforcement on the subject of rogue pharmacies, the National Association of Boards of Pharmacy (NABP) has an accreditation program named “VIPPS”, or Verified Internet Pharmacy Practice Sites, to help with this matter.

Directly from the NABP:


Rogue Online Sites

Unfortunately, because it is so easy to create a Web site, there are thousands of sites pretending to be legitimate online pharmacies. To date, NABP has reviewed nearly 7,000 sites – only 4% of those online sites appear to be in compliance with pharmacy laws and practice standards. Using these rogue sites puts patients at risk of receiving counterfeit or adulterated medications. VIPPS accreditation ensures that an Internet pharmacy is a bona fide pharmacy, and it is the best way for patients to determine that they are getting the quality care they deserve.

VIPPS Online Sites

To ensure public health, VIPPS accreditation requires an Internet pharmacy to comply with the licensing and survey requirements of its state and each state to which it dispenses pharmaceuticals. VIPPS-accredited pharmacies meet nationally endorsed standards of pharmacy practice, and they demonstrate compliance with standards of privacy and authentication and security of prescriptions, adhere to quality assurance policy, and provide meaningful consultation between patients and pharmacists.

VIPPS pharmacy sites display the VIPPS Seal on their Web sites. The Seal is a key benchmark for consumers to measure the quality of a pharmacy’s practice, and by clicking on the VIPPS Seal, they are able to access verified information about the pharmacy.


So it is a good thing that we’re seeing this kind of UDRP filing.  I tried to visit a random set of these and found only an HTTP 200 OK response with no data.  However, with search engines being one’s friend and the suspect sites not having enabled “do not cache” settings, here are some snapshots of what they looked like.

rogue pharmacy cialis site one

rogue pharmacy cialis site two

rogue pharmacy cialis site three

Notice on some of these images the same repeating image below.  It enables a purchase from the illicit pharmacy.  Clicking the image takes a person to the same type of site.  Two of the above landed me on the same location, an image of which is shown next.

rogue pharmacy site cialis purchase

purchase site for online illicit pharmaceutical cialis and viagra

At two of these sites in the footer was the following text with a hyperlink to the same location.  Images of both are shown:

Hanei Marketing

The end site:

Hanei Marketing Site

We’ll pursue that and the domains in a moment.  Just one more thing to mention about the purchase site: there is an affiliate program where participants start at 22% commission.  The snapshot is shown below (many of these rogue sites operate affiliate programs).

rogue pharma purchase site affiliate program

Now let us explore some information about domains.

WHOIS on the Hanei Marketing Domain

Registrant:
     Dmitry Nekrasov domains@rsuog-hosting.com +1.4036192124
     Hanei Foundation
     1633 17 Ave. N.W.
     Calgary,Ab,CA t2m0r8

I’m not exactly sure what their involvement is; however, these illicit sites have the Hanei Marketing domain in their footer, and that is worth pointing out.  Searching for “haneimarketing” on the search engines shows its domain being used, potentially as a template, by many rogue pharmacy sites and apparently poker sites too.  Snippet below…

haneimarketing search results

WHOIS on the Illicit Drugs Purchase Site

Registrant Contact:
Flex Trading Group LTD
David Pearlman (webmaster@cashadmin.com)
Ground Floor Blake building Corner Eyre & Huston streets
Belize City, BZ, bz BZ0000
P: +650.4750882 F: +.

Also worth mentioning: this particular purchase site is listed on the NABP’s “Not Recommended Sites” list.  The list is pretty large and is accessible here.

WHOIS on one of the affiliate sites

Registrant:
Igor Palchikov hanei.meds@gmail.com +7.9163942040
Hanei Marketing LTD
Andreevskaya 2
Moscow,Moskva,RU 117418

WHOIS on a second of the affiliate sites

Registrant:
Igor Palchikov hanei.meds@gmail.com +7.9163942040
Hanei Marketing LTD
Andreevskaya 2
Moscow,Moskva,RU 117418

There, we have a match with Igor Palchikov.  We can go on and explore each of the other domains.  Chances are, we’ll find the same sets of registrants, the same ISP hosting location, and potentially the same affiliate IDs.  I’ve personally helped in this kind of investigation before, one that led to the demise of the Herbal King spammer under the now defunct CastleCops.  This was also part of my work in my previous employment at Microsoft.  However, I must say, kudos to the complainant, if it is Eli Lilly, for issuing UDRP complaints against the domains.  I am sure they investigated each one and confirmed they are illicit pharmacy sites.  And as a trademark owner, they have the legal right to do this.  In fact, did the simple act of filing cause the small random set of sites I checked to go dark on HTTP data?
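The pivot the paragraph above describes, matching registrant contact details across WHOIS records to find domains run by the same party, as an added Python example that is not part of the original post. The records, domain names, people and contact details in it are constructed placeholders laid out in the two WHOIS formats quoted above, not the real registrants; `extract_pivots`, `cluster_domains` and `shared_pivots` are this example’s own names.

```python
import re
from collections import defaultdict

# Contact details usually appear in free text, in differing layouts
# ("Name email phone" on one line, or "Name (email)" plus a "P: +650..."
# field), so we pull them out by pattern rather than by field position.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d.\-]{6,}\d")   # WHOIS style: +CC.NUMBER

# Constructed sample records (placeholder registrants) in the two layouts
# quoted on the page. Three affiliates share a phone number, two of them
# also an e-mail; the purchase site and the template host stand alone.
SAMPLE_RECORDS = {
    "affiliate-one.example": """Registrant:
    Alice Example aff.meds@example.com +7.0000000001
    Example Marketing LTD
    Some Street 2
    Moscow,Moskva,RU 117418""",
    "affiliate-two.example": """Registrant:
    Alice Example aff.meds@example.com +7.0000000001
    Example Marketing LTD
    Some Street 2
    Moscow,Moskva,RU 117418""",
    "affiliate-three.example": """Registrant:
    A. Example other@example.com +7.0000000001
    Example Marketing LTD""",
    "purchase-site.example": """Registrant Contact:
    Example Trading Group LTD
    Bob Example (webmaster@example.net)
    Ground Floor, Some Building
    Belize City, BZ, bz BZ0000
    P: +650.0000002 F: +.""",
    "template-host.example": """Registrant:
    Carol Example domains@example.org +1.0000000003
    Example Foundation
    Calgary,Ab,CA t2m0r8""",
}


def extract_pivots(whois_text):
    """Return the set of ('email', addr) and ('phone', digits) pivots found in
    one raw WHOIS record. Phones are normalised to digits so +7.916 and
    +7-916 compare equal; e-mails are lower-cased."""
    emails = {m.lower() for m in EMAIL_RE.findall(whois_text)}
    phones = {re.sub(r"\D", "", m) for m in PHONE_RE.findall(whois_text)}
    return {("email", e) for e in emails} | {("phone", p) for p in phones}


def cluster_domains(records):
    """records: {domain: raw WHOIS text}. Returns a list of sets of domains
    that transitively share an e-mail or phone number (union-find), largest
    cluster first."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}                          # pivot -> first domain using it
    for domain, text in records.items():
        for pivot in extract_pivots(text):
            if pivot in first_seen:
                union(domain, first_seen[pivot])
            else:
                first_seen[pivot] = domain

    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def shared_pivots(records, domains):
    """Explain a cluster: the pivots that occur in more than one of its
    domains' records, mapped to the sorted domains they link."""
    seen_in = defaultdict(set)
    for d in domains:
        for p in extract_pivots(records[d]):
            seen_in[p].add(d)
    return {p: sorted(ds) for p, ds in seen_in.items() if len(ds) > 1}


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print(sorted(cluster))
        for pivot, linked in shared_pivots(SAMPLE_RECORDS, cluster).items():
            print("   ", pivot, "->", linked)
```

Because the clustering is transitive, a registrant who varies the e-mail but keeps the phone number (or vice versa) still ends up in the same group, which is the same reasoning the post applies when it expects the other 209 domains to resolve to the same handful of registrants.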

For further reading, check out the work by LegitScript in this ecosystem by working with industry and government spreading awareness and education.

If you are unsure of a site you may always check with the NABP VIPPS verification tool, or simply continue using your established brick-and-mortar pharmacy.  One may also check NABP’s “Not Recommended Sites” list.  Otherwise, stay away from online pharmacy sites, as they may be rogue!

Play it safe and be wary: these purchases often come laden with the wrong ingredients or toxic ingredients, and sometimes worse, they may cause death.

by Paul Laudanski Director of CTAC, North America
