WiFi Tricks and Threats

Leave a comment

Last week the Huffington Post commented on how to avoid hackers, especially for celebrities.  It was an article full of useful information, but only if you know how to use it.  The fourth of these was to avoid WiFi networks.  Well, that’s nice, but what is it and how does one avoid it?

One can define WiFi as the technology that allows an electronic device, such as your smart phone, laptop or iPad, to connect to the Internet wirelessly (using radio waves).  In order to connect, you must be able to send information to a hotspot (or access point).  Such hotspots are limited inside because walls, furniture and other physical objects can block the signals, but have a greater range outside.  Wi-Fi allows cheaper deployment of local area networks, and  in spaces where cables cannot be run, such as outdoor areas and historical buildings.

You may well have used WiFi at your local Panera (or St. Louis Bread Company as it is known here) while eating.  Bookstores, restaurants and lobbies of hotels also generally provide WiFi coverage to their customers.  Most devices attach easily to WiFi, and may attach automatically (with no obvious signal to the user).  It is a convenient way to access your email, social networking, or web searches from your portable device.

But, it is also an easy way for others to access your email, social networking or web searches.  Most public WiFi networks have no security associated with them (as indicated by the fact that you have no password or other requirements to join the network).  Since there is no security on the network, anyone can attach any device to the network and do on it what they want.  Some people, then,  attach devices that can read any non-encrypted transmission over the network.  That includes your passwords, credit card numbers, confidential corporate information or your surfing history.  This is comparable to the person eavesdropping, except it is with the computer.   They may also be able to masquerade as another device and send requests for information (such as data or pictures) to your computer (which your computer thinks it should honor).  As I have said before, sometimes people do this for fun, or to learn what they can do.  Others engage in such behavior to find information that might be sold to magazines or used to blackmail people.  Still others engage in the behavior to steal confidential information (such as credit card numbers) that they use to steal money.

So, what do you do?  Of course, the normal precautions of having your security software up to date will prevent someone from unleashing a virus or malware on your computer.  But in addition, many security experts suggest you avoid such networks.  Or, if you do use them, set up a virtual private network (or VPN).  You may already be familiar with a VPN because you may use that to login to your company’s computer.   VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.  This software prevents sniffing of the material sent over the network, ensures that communications come from the place they say and that information is not intercepted inappropriately.

A Mobile VPN gives a user the same level of security when using public WiFi networks.  Instead of requiring a stable location on a network like the traditional VPN, a mobile VPN maintains a virtual connection to the application instead.  It allows the computer to move among WiFi networks which changes the “address” of a computer, and handles the changes of the addresses transparently.  This kind of security has been used by police officers as they move among cell towers, and by hospital personnel as devices move with patients.  Both applications require absolute security.  Using a mVPN may involve additional hardware and will involve additional software provided by a third party.

It is, of course, an extra step.  But, if you do not want the world to know the data you process, then perhaps the extra step is necessary.

 

A Sobering View of the Absence of Privacy

3 Comments

It has been said that a picture is worth a thousand words, and so it is with a view of privacy.   There has been much discussion in the press of late about the change in Google’s privacy policy and how that will impact Google’s ability to track everything about us.  That all by itself is troubling.  But, it is not only Google who wants to know how you search — so too do other organizations with which you do business.  To learn just how much of my behavior is being recorded, I installed the new add-on to Firefox called Collusion.  The whole purpose  of Collusion is to help you track who is tracking you in real time.  According to their website,  Collusion “shows, in real time, how that data creates a spider-web of interaction between companies and other trackers.”

There are two handy tools they provide, wonderful visualizations (as we will discuss in a moment) and an audio clue whenever information is being shared about your surfing.  The audio clue is a clicking sound that resembles the sound of a typewriter key hitting the paper.  I recommend you turn it on for a while because it quickly helps you become very aware of just how much information is being shared.   The constant clicking when you select a link — and even clicking when you are not using your browser if you have a page open and it refreshes — helps to sensitize you to the amount of information being shared.  After a while, it gets annoying, so remember how to turn it off too!

Now for the visuals.  I downloaded the application and began to do some surfing.  The map of the information sharing is shown below.

The visualization is interesting.  The circles with the halos represent places that you have visited during your surfing, while the circles in gray are ones you have not visited.  An arrow from one to the other indicates that the first site has sent third party cookies to the other site.  I recognize some of the icons like Blogger, LinkedIn, Adobe, Facebook, MSNBC, and Northwestern University.  Others have no icons or they are not ones familiar to me.

If you hover over any of the circles, you will get the URL for the site (for example as I hover over the Facebook logo, I see facebook.com).  In addition, it will highlight all of the connections to and from that site.  So, I see that Facebook sent third party cookies to bit.ly, cbs.com, and reference.com.  I also see that cbs.com sent third party cookies to facebook.com.

I was surprised by the number of hits and the links between the hits because I am careful about not accepting cookies from sites that I do not know.  So, I decided to clean out all of my cookies  and surfed some more.  The number of hits reduced for a while as shown below.

Another View of Surfing Behavior with Collusion

Things were a little better, but notice how much information is being shared even without the cookies.  That is because the websites use third party applications to collect the data and share the data.

After a few hours of surfing by my husband or myself, the map looked like:

A Map of Surfing for a Few Hours using Collusion

And, after an entire weekend, the map looked like:

The Data Collection from A Weekend of Surfing with Collusion

If you did not think people were watching your behavior before, you certainly should be convinced with this image.  Further, the links between the sites, where they now have joint data begins to paint a picture of who you are and what they might do to get or keep your business, or how they can sell your data to others who want to market to you.

The creators of Collusion recognize that the tool is a work-in-progress.  The website says they are working on adding more features, such as the ability to click on any node in the graph and tell Firefox to block third-party cookies to that site, and visualizing other methods of tracking besides third-party cookies.

Using Collusion was an eye-opening experience.  I am looking forward to that add-on that allows us to block these third-party cookies.  What I do is private, right?

How Private are your Facebook Posts?

Leave a comment

There were  two disturbing stories in the press today, both of which involve Facebook and how others use your data.  The first was in Forbes, and asks What Employers Are Thinking When They Look At Your Facebook Page.  Many people who looked at that story were amazed to learn that employers were looking at their Facebook pages at all, and even more amazed to learn they use the information in hiring decisions.  Potential employers are looking at your Facebook page to decide what type of person you are and whether you would fit into the culture of their organization.  According to the article, potential employers will look at the page, including photos, posts, status updates, conversations, causes and games and rate individuals on their levels of extroversion, agreeableness, conscientiousness, neuroticism, and openness to new experiences.   As I look at postings, I ask what potential employers learn when someone posts every time he or she has a spat with a significant other, says unpleasant things about sports teams, spends significant time playing games, spells poorly, uses bad grammar or slang, and/or has many negative conversations.  If you look at your postings, are you the type of person with whom you would like to work?

I agree that you can learn many things about a person by reading their Facebook page and it might just provide insights into whether the person will be successful at certain companies.  However, what I fear is all that information taken out of context.  I remember when I first started teaching students how to design web pages and one of my students provided a link to “Bare Naked Ladies.”  I was taken aback until I realized that it was a band.   Today I frequently am confused with posts that refer to music I have never heard or television shows I do not watch.  I have committed more than a few faux pas commenting when I thought I understood the context, but was totally wrong.  While I try hard to think about context, I have found myself misunderstanding the meaning of posts by good friends and even my son.  The key here is that Itry to think about context before making an opinion …. what are the odds that overworked HR staff will cut the applicants the same slack?

This article was troubling enough until I read Govt. agencies, colleges demand applicants’ Facebook passwords.  Yes, you read that correctly, demand passwords, and access to all of the postings on one’s Facebook page.  Thanks to the ACLU, they do not get the passwords, but now expect people to log in and allow the interviewer to watch as they click on every link, photo, conversation, etc.  Campus athletes too must provide administrators access to their social networking sites  and allow them to monitor what is said to ensure the athletes are not saying negative things about the program.  What is next?  Will the bank administrator demand to see what I tweet and post before deciding on giving me a mortgage?  Will the government decide whether or not I am an undesirable by looking at my Facebook posts?

For the record here, I will note that personally I leave most of my posts open on Facebook because I post items that I want people to share, such as about this article. Hence I am not bringing this to your attention because I am concerned about what people will think of me.  Instead, I am bringing it to your attention for two reasons.  First, everyone needs to take responsibility for what is on his or her social networking sites and what is visible.  If you have things you do not want a prospective employer or college recruiter to see, then make sure your security settings prohibit them from seeing that material.   Put yourself in their place and see if the image you get is what you want them to have, and adjust your settings, friends and postings accordingly.

Second, I am posting this because I think we have lost the line between due diligence and invasion of privacy.  The post-9/11 world has brought increasing invasions of our privacy because we have let it happen.  If we are going to give up the right of privacy as a society, I think we should do it consciously.  The fact that information is in digital form does not make it any less private.  We need a dialog about what is happening and  the cultural implications of what is happening.  I am hoping we start it today.

Viruses and Trojan Horses

1 Comment

A virus is an unwanted application (software program) that attaches itself to your computer without your knowledge. It attempts to reproduce itself and change or delete files under specific circumstances. For example the virus might be activated each time a specific day of the month, or when a specific file is opened, or when certain actions are observed. This activation is referred to as the “payload”. Some viruses do nothing but reproduce themselves. Some perform trivial extras like beeping the keyboard, or forcing the file to be saved in a specific format. Some are more destructive and attempt to rename or erase files or destroy the hard drive. There are many varieties of viruses, each with a specific set of actions it intends to complete.

Macro viruses are programming code, created by hackers or unethical programmers, which is either annoying, prankish or harmful. The macros are written to attach themselves to the default document of a software package such as Word or Excel. When an unsuspecting user opens a document containing a macro virus, the virus attaches itself to the default document. Each time a document is created or edited from this time forward, the virus attaches itself to that document. The problem escalates as the document is passed on to other computers by file sharing or e-mail. The virus continues to spread until it is removed.  Boot sector viruses attach themselves to the part of the disk that is read by the computer when it starts up. The boot sector contains important information about the disk. In most cases, the virus relocates this information to another location and displays its own code.

A computer virus is a program and not a microorganism, but it is infectious and can be highly complex. Viruses implant instructions in other programs or storage devices that can attack, scramble, or erase computer data. They are often obtained by downloading executable software from emails, the web or social networking sites.  It is usually the unwary who get computer viruses. ALWAYS run virus detection software on your computer.  Equally important, however, is updating the program regularly.  This is similar to getting a flu shot each year because the strain of flu changes somewhat from year to year.  You must get the latest update to be sure that your computer is protected from the latest strain of computer viruses.  ALWAYS keep a back up of important files in case your computer does get a virus (or has another form of failure).  Obtain new software from reputable sources and check new software (and other files) with virus protection software before saving to your hard drive.

A Trojan Horse is similar to a virus, in that it is a malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses! When these programs are executed, the embedded virus is executed too, thus propagating the `infection’. This normally happens invisibly to the user.  It cannot, however, infect other computers without assistance, such as downloading files from websites. The virus may do nothing but propagate itself and then allow the program to run normally.

Virus problems are terribly costly to individuals and to businesses.  The best defense is virus protection software and frequent updating of the protection files.