Category Archives: Security

A hidden cost of reading articles and visiting websites

02 Monday Jan 2023

Posted by in Security, Tools

Leave a comment

Tags

,

Part of my morning routine is to have a skim over the stories showing up in my Feedly list and have a look at anything that seems of interest whilst munching on some cereal or toast and washing it down with a cup of coffee. A couple of articles peek my interest from sites that I have used before but now want more information from me as a payment to view the content.

These are not sites that have a pay wall as such where you subscribe to read content, but cookie and consent walls. Whilst cookie walls are not new, the uptake of them has increased with more and more sites wanting to get hold of your data in exchange for reading an article. Cookies days are numbered and there are ways to protect yourself, but to the majority of internet users being presented with an option to accept or reject cookies can present complexity to those who don’t understand what is actually happening. This is the hidden cost that you are paying to read that article or visit that site.

First off though I want to thank the websites and companies out there that have made the choice of accept or reject really simple with two buttons and clear options and information. There are a lot out there who do however add complexity with all the options and legal jargon that can catch people out.

Here is an example:

I have removed the name of the site from the picture above. There are many ways that these walls are presented to the user and you are not presented with the easy way to optout other than close the page and say no thanks. I wonder how many people press the “Consent” button without actually looking at what they are consenting to?

Clicking the “Manage options” the screen on this particular site presents 30 or so options to select from. Some sites have even more and there is no standard – everyone is asking for different things and information.

This is at least one of the better set of options and it does allow you to unselect or turn off all of the options. There are sites I have seen that you cannot select on and off and you have no choice if you want to read the site. One site I visited recently the UI was badly or cleverly made so that when you deselected all the options you don’t want to expose to a company that the save on continue button was behind a Chat to Us now button with a large on focus area that you could not go any further forward.

Visiting some sites you are presented with the option to either accept the cookies or leave. If its a site you want to visit or purchase something from you are left with only one choice to accept not knowing exactly what is going on behind the scenes.

How does legitimate interest work?

Sites asking for legitimate interests are using your personal data on the basis of their legitimate interest and are basically asking you for permission to process this data under GDPR. I have found that this differs between sites and not every site explains what they are actually looking at or wanting to use the data for. Some sites are being generic about this area and not been really clear as to what they are collecting, rather saying cookies that allow our website to function without error.

The ICO (Information Commissioner’s Office) have a good article on what are Legitimate Interests.

The Future

The future of cookies has been previously announced by Google with chrome browsers as in Jan 2020 it was announced that they would eliminate third-party cookies in the browser, but this is now delayed until the second half of 2024.

2023/24 will be the year for companies who rely on cookies to look at how they can make advertising relevant for a cookie less future. API’s and API’s with context will be available for companies to use which will protect users better and also provide context based relevant advertising.

How to protect yourself

In the first instance make sure you have Anti-Virus protection. Most packages do include an amount of protection to your devices around this topic, however you should check what is available through your chosen vendor.

To help users keep their privacy companies led by Google have introduced and initiative that is currently in development called Privacy Sandboxes which replace functionality of cross-site tracking and removing third-party cookies. The Privacy Sandboxes also help in mitigating the risk of device fingerprinting. The link to Googles Privacy Sandbox initiative site is below.

Privacy Sandbox

For now there options available that can block certain trackers through browser addons that can protect you and stop tracking cookies. As an example Privacy Badger is available for a number of browsers. Its good and protects you well and you do have the option to turn off and on cookies.

Privacy Badger

Even if you don’t use an add on you should consider blocking third party cookies which allow companies to sell your data onwards.

Remember to clear out your cache on a regular basis to remove any unwanted trackers from your device.

There are other methods and tweaks you can make that can help your online protection. Here are some links to further reading and advice.

FTC – How to protect your privacy online

Clear, enable, and manage cookies in Chrome

Device Security Guidance

Posting Security ID’s in Social Posts

01 Thursday Sep 2022

Posted by in Security

Leave a comment

Tags

With the changes in the world following the pandemic and the opening up of job roles, there has been a rise on the number of people changing roles and jobs which have been reflected on Social Media such as LinkedIn/Twitter and possibly other social channels. One of the biggest trends I have noticed is the posting of security passes and work ID’s to show that the person worked at their current employer and the dates/times that they have been at that company.

Whilst this may make the person feel good about their move, they have most probably breached a security policy within their existing/old employer by posting their full pass online. With modern technology its easy to replicate the pass and then try and gain access to a companies office.

A quick search for the word Security Pass on LinkedIn shows a huge amount of passes that can be easily replicated and used by others to breach a companies security boundaries

Best practice is not to post this type of document on social. The last contact from your old company might be through a lawyer!

Sign Up and Forget Culture

01 Wednesday Jun 2022

Posted by in Security

Leave a comment

Tags

Have you ever visited a website that you have signed up to and created an account and then never used it again?

There have been a number of stories appearing recently that highlights a growing problem with the abundance of services and account sign ups on the internet. The story I will focus on is about a home owner who found a car parked on her property that she knew nothing about. The outcome was that the landlord had signed up for a carparking service a few years back and never cancelled it.

Mum’s fury as driver ‘parks car on her driveway for Birmingham Airport’

Mystery solved into holidaymaker parking car on furious mum’s drive for Birmingham Airport

Over the many years of the internet how many services and pages have you signed up to and have subsequently forgotten about as you have moved onto other services or simply not used it in a very long time?

GDPR is there to protect and ensure data is up to date and correct, but is it really being applied to accounts on systems. There does seem to be a lack of reminders or removal of accounts that have been dormant/not logged in for some time from systems.

You will probably have key accounts that you maintain and use:

  • Daily – such as Social Networks, Shopping, Banking
  • Monthly – such as Utilities (Water, Gas, Electricity)
  • Yearly – such as HMRC/ Inland Revenue for a Tax Return

What else have you signed up to and then not used? Forgotten or unused accounts could pose a security threat to your identity. A good way to see if your details have been gathered by hackers and being sold is through the website Have I been Pwned. https://haveibeenpwned.com/

My Top 5 recommendations to consider when creating an account are:

  1. Think about the system/service you are signing up for. Is this a one off transaction or something you will use on a regular basis.
  2. Use a password management tool to help you track all the sites you use and have accounts on and review this once a month or every couple of months.
  3. Consider cancelling/deleting accounts that you no longer need.
  4. Use different passwords on different systems. A password management tool will help.
  5. Check your emails for changes to accounts/terms and conditions on systems you haven’t used in a while.

Social Engineering on Social Media

10 Friday Sep 2021

Posted by in Security, Social Media

Leave a comment

Tags

,

Opening my social feeds this morning for a quick browse over a cup of coffee and some toast, it doesn’t take long of scrolling down to find a post asking “What was the first car you owned? No Lying <laughing emoji>”. This post has 61k likes, 959k Comments and 8.4k shares and was only posted on 9th August. And people wonder why they get hacked.

Password systems for a long time have used a similar set of questions as they are usually easy to answer and remember, because they were life events. Questions such as:

  • What is your mother’s maiden name?
  • What is the name of your first pet?
  • What was your first car?
  • What elementary school did you attend?
  • What is the name of the town where you were born?

These types of social engineering data gathering posts are nothing new, but it would seem that people do not understand the greater risks around answering them.

With the large amount of data appearing on the dark web for usernames and a persons details (even if they don’t contain passwords) matching this data with the answers from social posts such as the one above gives a potential hacker more information about you. They now have the ability to reset your password using the answers you have provided to the security questions and take control of your accounts.

How many of you reading this post have answered the question similar to “What elementary school did you attend” or anything to do with education, but forgot that the same information is already lurking in your LinkedIn profile?

One way to check if your in any data on the dark web is to check using your email address at a service such as https://haveibeenpwned.com/

If you see a family member or friend post these types of questions on social media, it may be worth a conversation with them to advise of the dangers of such posts and the consequences of social engineering.

Tips to stay safe

Here are some tips for staying safe with your identity.

  • Don’t answer these types of posts on social media, even if its a friend who has posted it.
  • Check your not using an answer to a security question that is already in your social profile.
  • Use fictitious information instead of real information, but something you can remember.
  • Treat these answers like passwords and think about adding complexity to them.
  • Use two factor authentication where it is available on a system.

Further Reading

Are you patching your network devices at home?

14 Friday May 2021

Posted by in Security

1 Comment

Tags

There is nothing more annoying when your working on your computer and that popup appears saying “Reboot Now to complete the patch”. Thankfully some vendors have got wise to this over the years and have added changes to update at reboot/shutdown or allow to to choose a time. Annoying as it is, these patches are important and should not be ignored or delayed too long before applying.

Padlock Gates

When you think about patching/upgrading what do you think of?

  • PC/Laptop/Tablet
  • Mobile
  • Network

The typical focus of home users is around the end device we use rather than the other parts of the homes IT infrastructure.

A lot of home users these days rely on service provided network equipment such as routers from their internet service provider, but are these kept up to date? A recent study by Which found that millions of routers are not updated to the latest patches or had weak passwords and providers have been stated that they monitor and update their routers.

If you have your own router on the end of a connection, time to check when it was last updated. If its a managed device you can usually log in to it and check the last patch applied date. Is it being updated?

A recent discovery of FragAttacks (attacks that exploit security vulnerabilities that affect Wi-Fi devices) have shown that it is possible to steal data from any WiFi network that’s not patched, however its not an easy attack to recreate and vendors have been issuing patches to protect against this. This highlights the need for patching and updates to not just your end user device, but network devices as well.

As per a previous blog post – Good practices to adopt are

  • Check the manufactures website for firmware or driver updates on a regular basis – All devices within the home
  • If the device software allows a check to be made for updates on a regular basis make use of the tool
  • Use strong passwords
  • Change any default passwords
  • Don’t use the same password on different systems
  • Use passwords on your video calls
  • Use a VPN if working from home
  • Turn on two factor authentication on applications that allow it
  • Use Anti-virus and malware apps

If this is all second nature to you that’s great, however it may not be to others. Reach out to your family and friends and talk them through what they need to do so it becomes second nature to them.

You are only secure as your last update/patch!

Further Reading

Everyone needs good Cyber Security knowledge

19 Tuesday May 2020

Posted by in Security

3 Comments

Tags

Padlock Gates“Everyone needs strong good Security knowledge”. With the increase of connected devices that are entering our lives and the number of vulnerabilities being found in technologies that are becoming common place in our homes, people will need to be more savvy around Cyber Security and know what is going on with our devices and information.

Recent times have also seen an increase in the usage of devices, applications, social media and video calls. It has also seen an increase in the number of scams and security issues increase.

Sales of technology to allow remote working and to stay in touch with family and friends was rapid at the start of the pandemic and this also saw the cost of some devices increase as stocks reduced. The rush to buy was huge and lots of items were quickly plugged into devices to get online and talking. A lot wont have looked at updating any versions of these add ons firmware, drivers etc to the latest versions, which may cause issues later.

Security however cannot be an after thought and should be one of the first things you think about. Also helping your family and friends to make sure that they have updated to the latest versions and are secure.

Our devices are only as good as the last updates/patches applied and security measures that we have in place. The UK Government has previously reported planning new laws to cover smart gadgets sold which includes stronger passwords and length of time before an update. There are already a large number of devices already installed and in use. A number of these wont have had any updates or changes applied since first being installed if they are a manual process for the user to initiate.

Good practices to adopt are

  • Check the manufactures website for firmware or driver updates on a regular basis
  • If the device software allows a check to be made for updates on a regular basis make use of the tool.
  • Use strong passwords
  • Change any default passwords
  • Don’t use the same password on different systems
  • Use passwords on your video calls
  • Use a VPN if working from home
  • Turn on two factor authentication on applications that allow it

If this is all second nature to you thats great, however it may not be to others. Reach out to your family and friends and talk them through what they need to do so it becomes second nature to them.

Further Reading

 

 

Your Digital Exhaust – The data we share

06 Wednesday May 2020

Posted by in Connected Home, Data, Security, Social Media

2 Comments

Tags

, , ,

Dont say a wordEveryone who uses a computer or mobile creates their own digital exhaust in the form of data that we leave behind and spew out of our devices – from location data to social media posts and videos. Other things we own such as cars and houses are also generating data from SatNavs to Smart Meters.

If we could measure individual volume of data and information against todays climate change measures and visualise it, we would probably call it an ecological disaster on a person by person scale, however we go about our daily lives creating data with and without knowing it.

To be clear creating data does have a climate effect as there are systems behind what we create and they all need power, cooling etc. However, putting any talk to the side around the ecological effects of this as there is enough said already about climate and climate change and focusing on the data itself.

At the beginning of 2020, the digital universe was estimated to consist of 44 zettabytes of data, which is 44 trillion gigabytes and growing. That’s a lot of data!

We go about generating data without knowing or thinking until a news article catches our attention about something someone said many years ago. Recent times have seen an almost doubling of the use of the internet. This in turn increases the amount of data being created as people discover ways to help elivate lockdown with video calls to new dances on TikTok.

To put this into perspective a bit, with a trolley full of phones you can create a virtual traffic jam, but dont try that at home. This example illustrates the data being generated from a device and how others are using it, in this case to look at traffic patterns

In this increase of posts and data about people across the many different platforms available, are you stopping to think about what your posting?  We go about generating data without thinking until a news article catches our attention about something someone said many years ago that has been found on a social platform somewhere.

Sci-Fi moment alert! – Having watched an episode of “The Orville” by Seth MacFarlane called “Lasting Impressions” where the crew of the Orville open a Time Capsule and recreate someones life in a holodeck using just the data from a iPhone (after accessing a video on the phone where the person who’s phone it is, gives their consent for the data to be used in the future) and recreate and interact with the phones original owner. This provides the crew with a view into that persons life and what they were like.

Have you through about what would happen to your data in the future?

This concept can easily be recreated today and there are TV programs that investigate and look at people to check who they really are (Catfish the TV show). Its easy to see how people leave a trail of digital evidence and clues from what they post and are not secure on what they do or think about what they post.

Here are some good tips to help secure your online presence:

Privacy and security settings exist for a reason: Learn about and use the privacy and security settings on social networks. They are there to help you control who sees what you post and manage your online experience in a positive way.

Once posted, always posted: Protect your reputation on social networks. What you post online stays online. Think twice before posting pictures you wouldn’t want your parents or future employers to see. Recent research found that 70 percent of job recruiters rejected candidates based on information they found online.

Your online reputation can be a good thing: Recent research also found that recruiters respond to a strong, positive personal brand online. So show your smarts, thoughtfulness and mastery of the environment.

Keep personal info personal: Be cautious about how much personal information you provide on social networking sites. The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data or commit other crimes such as stalking.

Know and manage your friends: Social networks can be used for a variety of purposes. Some of the fun is creating a large pool of friends from many aspects of your life. That doesn’t mean all friends are created equal. Use tools to manage the information you share with friends in different groups or even have multiple online pages. If you’re trying to create a public persona as a blogger or expert, create an open profile or a “fan” page that encourages broad participation and limits personal information. Use your personal profile to keep your real friends (the ones you know and trust) up to date with your daily life.

Be honest if you’re uncomfortable: If a friend posts something about you that makes you uncomfortable or seems inappropriate, let them know. Likewise, stay open minded if a friend approaches you because something you’ve posted makes him or her uncomfortable. People have different tolerances for how much the world knows about them respect those differences.

Know what action to take: If someone is harassing or threatening you, remove them from your friends list, block them and report them to the site administrator.

Keep security software current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.

Own your online presence: When applicable, set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share information.

Source: https://staysafeonline.org/stay-safe-online/securing-key-accounts-devices/social-media/

Additional tips are available at this source.

Further Reading

Tips on being Social Media Savvy

A night at the Museum – Late Session

08 Tuesday Oct 2019

Posted by in Security

Leave a comment

Tags

,

latesI recently had the opportunity to help run a stand at one of the Science Museum in London, Lates sessions with some colleagues.

The topic of the table was “Privacy vs National Security”. This was a drop in table to provoke discussion around this topic. The main point of this topic was to engage with the general public and understand their view points whilst discussing things in the news and the consequences that happen.

The brief was “Where does privacy start and end? How do you protect privacy and also provide national security? How do you monitor the bad guy? What do you think?”

The discussions ranged from the recent stories around the facial recognition cameras at Kings Cross, London to GDPR Post Brexit and is Alexa listening to everything I am doing?. A wide range of discussions. The discussions were going on and engaging that we still discussing as we dismantled the stand and left the Museum. the topics covered were discussed at length and I will write some future blog posts on some of these.

As well as the discussion I had a Raspberry Pi 4 and a USB Camera running Tensorflow and OpenCV to perform a level of people recognition displaying on a large screen in the Museum. This also helped generate conversation on the night and bring people onto the stand.

By the end of the evening we really did have a Night at the Museum, but without the exhibits coming to life.

If you are in London on a last Wednesday of the month I recommend that you visit the Lates sessions at the Museum. Book early as spaces do go quickly.

https://www.sciencemuseum.org.uk/see-and-do/lates

If you have any thoughts on the topic, please add comments on this post.

Facial Recognition – here to stay?

23 Friday Aug 2019

Posted by in Security

1 Comment

Tags

,

Facial RecognitionLove it or Hate it Facial Recognition technology is here to stay. What is now being recongnised is a need for governance and controls over systems that use it and in line with any current country legislations and data laws.

The ability to recongnise objects and faces is not new, but an evolving technology that is getting better at what it does.

When the use of ANPR (Automatic Number Plate Recognition) systems came out similar debates were had and these systems are controlled and governed by a set of strict guidelines. ANPR systems are now widely used across the world from Police Forces to Car Parks checking the time you have stayed against the ticket you have purchased.

Our acceptance of these Facial Recognition systems may take a similar route.

There have been a lot of stories recentrly about Facial Recognition and its use such as the UK Kings Cross Development which is now under investigation by the ICO around the storage and use of the data.

Many Police forces in the US have been using it and in the UK there have been trials of the technology with some trials not going forward due to human rights discussions and also some technology not picking up everyones faces correctly. Advancements are being made in the systems to resolve these issues and increase the ability to capture and recognise the information.

Some states in the US have banned the use of the technology (or are considering banning) and the EU are also starting to consider bans.

The UK Home Office and Border Force are currently looking at a version of Facial Recognition to help cut down on the queues at the border. The e-queues already do facial matching from camera pictures to passports to automate the system.

For me I am okay with the technology as long as its being used to help us police and keep us safe. Also the ability to recognise for financial and security systems. You can build your own system that you can teach it to recognise your face using a Raspberry Pi,

 

 

 

More Scam Callers – time for some fun

10 Friday Aug 2018

Posted by in Security

2 Comments

Tags

PhishingIt it just me or is this on the rise? Recently I have noticed an increase in the number of scam phone calls that I have been receiving on my land line and on mobile. All from different countries and trying various scams to get information, money or both.

ts nothing new, calls like this go on all the time and unfortunately people do get scammed as they fall for what is being said on the other end of the line.

The game is how long you can keep them on the phone so they can’t spend time trying to scam someone who doesn’t know they are being scammed.

Recently an automated call with a computer voice called my home number saying that my internet router was going to be shutdown from my service provider as it had been identified as being hacked. Yeah – Right! So I played along and decided to record the call, which I will probably use in a future podcast. I got put onto a woman in India who evidently didn’t know what type of scam front end had put me through. She then went on to tell me my computer had a virus. Eventually I did ask “How many people had she scammed today”. The reply was lots and she put the phone down. – Time on call 30 Mins

Another call today was one of those, insurance accident ones, but this time they tried a different tack. Saying it was a follow up call to my wife about the accident she had. Again scam and I asked the lady who called if she had job satisfaction scamming people. This call came from London so I have reported it to the action fraud centre. – Time on call 5 Mins.

And as I am writing this post another call comes in – Can you spare me 20 seconds to answer 2 questions, then starts to ask me to confirm my phone number and tries to ask me about my home ownership. When I ask whats the end part of the the call, are they trying to sell me something or scam information out of me they hang up. Another call from London so again have reported it to the action fraud centre. – Time on call 5 Mins.

At least that’s 40 mins that other people haven’t been bothered or scammed by these callers.

A lot more can be done though and needs the teleco’s and authorities to go after the numbers where these calls come from and start prosecuting or at least shutting them down. That said the police get these calls as well – here is a great video on youtube of an IRS scammer trying to scam a police officer and he gets the scammer to explain how that particular scam works.

Lots of people already add numbers to online systems such as Who Called Me, and these are normally the first place I go when number comes up I don’t recognise. You can also put the number in the search engine which bring up sites where its been logged as a problem/scam caller.

If you don’t know how to protect yourself on the phone, one of the best place to get tips is from your or other banks websites. Plenty of good information on keeping safe on there.

Just because you call saying your from my bank doesn’t mean I’m going to answer your security questions.