PrivaSecTech

On Vancouver Island, you might pick up the Times Colonist newspaper to see what’s happening. There are little to no privacy risks if you buy it from a stand. On the internet, however, where the company has the opportunity to protect you even more than in the physical space, they’ve decided to try a different angle: sharing your reading habits with other companies. If you use Ghostery, you can see that timescolonist.com shares your viewing habits, on every page you visit, with at least 10 different companies, with little to no disclosure of what those third parties do with your information.
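Ghostery does its counting inside the browser. The following script is an added example (not Ghostery’s code and not from PrivaSecTech) that applies the same idea to saved HTML: it collects every script, image and iframe source on a page and reports the hosts that belong to a different site than the page itself. The sample page, the .test hostnames and the "last two labels of the hostname" rule for deciding what counts as the same site are all constructed assumptions; a real tool would use the public suffix list.

```python
"""Count the third-party hosts a page pulls scripts, images and frames from.

Added example; applies Ghostery's idea (who else gets a request when you
view this page?) to a saved HTML file, offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect every src= attribute found on script, img and iframe tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append(value)


def registrable_domain(host):
    """Crude notion of 'site': the last two labels of the hostname.

    Assumption/simplification: a real tool would consult the public suffix
    list so that names such as example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_hosts(html, page_url):
    """Return the sorted set of hosts that are not part of the page's own site."""
    own_site = registrable_domain(urlparse(page_url).hostname or "")
    collector = _SrcCollector()
    collector.feed(html)
    found = set()
    for ref in collector.refs:
        if ref.startswith("//"):          # protocol-relative URL
            ref = "https:" + ref
        host = urlparse(ref).hostname     # None for relative paths like /static/app.js
        if host and registrable_domain(host) != own_site:
            found.add(host.lower())
    return sorted(found)


# Constructed sample page; the .test hostnames are reserved names, not real sites.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-news.test/lib.js"></script>
<script src="//stats.example-tracker.test/t.js"></script>
<script async src="https://ads.example-adnet.test/pixel.js"></script>
</head><body>
<img src="https://beacon.example-tracker.test/1x1.gif">
<iframe src="https://social.example-widgets.test/like"></iframe>
</body></html>
"""

if __name__ == "__main__":
    hosts = third_party_hosts(SAMPLE_HTML, "https://www.example-news.test/story")
    print(f"{len(hosts)} third-party hosts:")
    for h in hosts:
        print("  ", h)
```

Run against a page saved with your browser’s "Save page" and the count is a first approximation of the Ghostery numbers in the table below; it undercounts anything loaded later by script, which is exactly why an in-browser tool sees more.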

Canadian Newspaper Trackers (number of third-party trackers Ghostery reports per site)
timescolonist.com 10
nationalpost.com 6
vancouversun.com 6
mondaymag.com 6
torontosun.com 4
ottawacitizen.com 3
cbc.ca/bc/ 3
theglobeandmail.com 3
canada.com/business/ 3
canada.com 2
thechronicleherald.ca 1
thepeterboroughexaminer.com 1
halifaxnewsnet.ca 0

If your local newspaper isn’t a concern, which it should be, what about your financial institution?

Canadian Financial Institution Trackers (number of third-party trackers Ghostery reports per site)
Scotia iTrade 4
Coast Capital credit union 3
RBC Canada 3
Investors Group 2
CIBC 1
Toronto-Dominion 1
Island Savings credit union 1

 

Why are these organizations providing your private news reading habits and online financial transactions to third-party companies? If you decide to ask them, perhaps also ask how much money they are making from providing your information.

How does your local news website score? What about your financial institution? Download ghostery and find out for yourself.

It should be noted that 10 trackers doesn’t necessarily mean worse than 1 tracker; if your personal information is provided to a tracker, you have no control of what happens to it when it gets there… they could sell it to 50 more companies.

If you find any other interesting results from ghostery, let us know on twitter and we might add it!

No scripts!

One of the most common ways your computer gets compromised is by malicious scripts run by your web browser. This means you go to a website that might look normal, but in the background it’s doing bad things you don’t see, potentially giving the attacker full access to your computer. This is a particularly nasty problem: when you go to a site you want everything to work as the website developer intended, but allowing all scripts on an untrusted site creates a risk.
The most popular way to avoid this is to block scripts by default, but take note that this moves the responsibility onto you to decide which sites to trust… or not.

There are various script-blocking plugins, depending on your browser:

Once you have installed the plugin, restart your browser. You should notice a new icon or bar at the top or bottom of your browser for your new plugin. If you click that icon on any given website, you can allow scripts to run on that site, either temporarily (for as long as your browser is open that session) or permanently. Don’t allow scripts to run on websites you’re not sure whether to trust. It’s better to be safe than to give a stranger full access to your computer!

 

The Stop Online Piracy Act

If you’ve not heard of #SOPA yet, you likely will today. As of right now, it’s only something that techies and internet crusaders seem to be aware of. Like many of the scariest laws of the last decade, you should name your legislation something that sounds really good, but in the end does the exact opposite of what the name implies. The US PATRIOT Act and the Canadian Safe Streets and Communities Act are perfect examples of this. Like the US PATRIOT Act, it’s easiest to pass draconian legislation when citizens are distracted and afraid, using their fear against them. My speculation is today’s public outcry will have the bills tabled… until there’s some ‘emergency’ where they can be rammed through without proper public debate.

The latest attack is on the internet as we know it, and it’s entitled the Stop Online Piracy Act. While this sounds good simply by the name, if you read it, it’s scary. It allows American private sector organizations to effectively control the global internet. They could turn your organization’s website off, if they wanted to. There’s a lot more to it, which you should read about and understand for yourself. It’s so scary that many of the internet’s most popular websites have declared today a “blackout day”, to give you an idea of what the internet can and will be like should this legislation pass. As of writing this, Wikipedia, Google, XKCD, boingboing, reddit, oatmeal, craigslist USA, the Whitehouse and dozens of others have at least taken an official anti-SOPA stance, if their site isn’t blacked out altogether for Jan 18th, 2012.

The organizations that support SOPA are American, and rely on legacy and outdated policies and legislation around copyright and intellectual property. Instead of effectively working with technology and technologists, and their users, to make the world better, they insist on controlling it with SOPA, a virtual weapon. This is like trying to ban CDs if you’re a company that makes 8 tracks. This entire industry will be completely different in 10 years, and SOPA will be an embarrassment to all involved at that time, even more so than it is now.

Identity theft at UVic

Over the weekend, the University of Victoria’s new administrative building was broken into. A payroll server with the personally identifiable information (PII) of over 11,000 people was in it, including social insurance numbers (SINs) as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both while in transit (transport layer) and at rest on the computer (storage layer).

I was interviewed for over 30 minutes by CBC BC today; a few seconds made it onto the news. Check out this clip from the top of the 6pm news.

One of the tips I gave that didn’t make it in is to request a copy of your credit report annually. This is free to do once a year if you send your request in writing, and it is the best way to determine if you’re a victim of identity fraud. When you do this, put a reminder in your calendar to make the request again a year from now.

 

UPDATE: Jan 13, 2012:

Saanich news is reporting that UVic will pay for $1.7M worth of credit reporting monitoring as a result of this breach. So if you’re thinking your organization can’t afford an organization like PrivaSecTech to protect the personal information of your staff and clients, this is another example of how being proactive would have been less than 1% of the reactive cost. It costs you nothing more than an email or a phone call to see what we can do for your organization. We look forward to working with you to ensure this doesn’t happen to you.

Where is your computer connecting to?

What is your computer doing on the internet without your knowledge?

Does it ever seem like your computer is working, even when you’re not telling it to do anything? Have you ever wondered if someone else is accessing your computer, or if your computer is transferring information over the internet without your knowledge? If you’ve never checked, it’s probably doing a lot of things, some of them not good! Viruses may be working, hackers could be connecting to your computer, and “legitimate” programs may be transferring information about you that you didn’t authorize.

How do I find out what programs are running secretly on my computer?

Here’s a quick and easy way to open a window onto what your computer is doing over the internet:

* For Windows download and install TCPView
* For Mac OS X, go to Applications -> Utilities -> Terminal and run “lsof -i”
* For Linux, you can also install lsof and run “lsof -i”

If you run one of those programs right now, you may see 50 activities or more in a long list. That’s a lot of communication going on between your computer and the internet without your knowing about it, isn’t it!

One item in the list you will see is a connection from your computer, to TCP port 80 of privasectech.com (67.205.0.134) which is where this website is currently being hosted.

If you see the word “LISTEN”, that means it’s a program waiting for people on the internet to connect to it. Are you sure you want these programs running even when you didn’t tell them to?

How do I learn about what these unknown programs are doing?

The list you’re seeing shows the applications on your computer that are using the internet right now. The list also shows the “Remote Address”, which is where your computer is connecting to. If the remote address is a numeric internet address (IP), you can find out where or what that address is with a reverse DNS lookup.
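As an added example (not a PrivaSecTech tool), the script below reads the output of “lsof -i -n -P” (the -n and -P flags make lsof print raw addresses and port numbers instead of resolving them) and does the two things described above: it picks out the programs sitting in LISTEN state, and it lists each remote address with its reverse DNS name. The sample output is constructed; the 67.205.0.134:80 line mirrors the privasectech.com connection mentioned in the post. Pipe real output in with “lsof -i -n -P | python3 thisscript.py” to run it against your own machine.

```python
"""Summarise `lsof -i -n -P` output: what is listening, and where connections go.

Added example. Reads lsof output from stdin if any is piped in, otherwise
runs against the constructed SAMPLE below.
"""
import re
import socket
import sys

# One lsof line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$"
)


def _split_endpoint(endpoint):
    """'host:port' -> (host, port); copes with '*' and bracketed IPv6."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_lsof(text):
    """Turn lsof -i output into one dict per socket; header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        local, _, remote = rec["name"].partition("->")
        rec["local_host"], rec["local_port"] = _split_endpoint(local)
        rec["remote_host"], rec["remote_port"] = _split_endpoint(remote) if remote else (None, None)
        records.append(rec)
    return records


def listeners(records):
    """Programs waiting for inbound connections: (command, proto, port)."""
    return [(r["cmd"], r["proto"], r["local_port"]) for r in records if r["state"] == "LISTEN"]


def reverse_dns(ip):
    """Default resolver: the PTR name for an IP, or the IP itself if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def remote_endpoints(records, resolver=reverse_dns):
    """Live connections: (command, remote ip, remote port, resolved name)."""
    return [
        (r["cmd"], r["remote_host"], r["remote_port"], resolver(r["remote_host"]))
        for r in records
        if r["remote_host"]
    ]


# Constructed sample output; PIDs, device numbers and the LAN address are made up.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      612 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd     800 root    6u  IPv6  11111      0t0  TCP [::1]:631 (LISTEN)
mDNSResp  300 _mdns   5u  IPv4  22222      0t0  UDP *:5353
firefox  2210 alice  45u  IPv4  67890      0t0  TCP 192.168.1.20:51422->67.205.0.134:80 (ESTABLISHED)
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    recs = parse_lsof(text)
    print("Listening for inbound connections:")
    for cmd, proto, port in listeners(recs):
        print(f"  {cmd:<12} {proto} port {port}")
    print("Connected to remote hosts:")
    for cmd, ip, port, name in remote_endpoints(recs):
        print(f"  {cmd:<12} {ip}:{port}  ({name})")
```

The UDP line is deliberately not reported as a listener: lsof prints no state for UDP sockets, so a bare “UDP *:5353” is a program bound to a port and is worth the same scrutiny even though the word LISTEN never appears.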

Next week, I’ll show you how to identify exactly what all those programs are, and how to stop, remove or gain control of them.

If you want this done for your organization in an automated fashion, with reporting as part of an internal audit, this is a service that PrivaSecTech.com provides.

How strong is your password?

While working in information security for the largest company in Canada, I realized there was no one internally, actively attacking the password database to see what passwords could be cracked. After raising this concern, I became the prime for resolving this.

There are a lot of password crackers out there that anyone can download for free. The priorities for password cracking involve the processor power you have, how optimized your cracking algorithm is, and your keyword database. I built a pretty monster database, using many languages, as well as popular keystroke patterns like qwerty or bhunji. When I was finally ready to start cracking passwords, I was able to crack (decrypt) thousands in the first hour, if I recall correctly over 9,000 in the first day alone. This means if someone steals the encrypted password database from any website you frequent, they can run the same tools on that database to find your password.

The two questions I hope you’ve asked yourself while reading this are “How hard is my password to crack?” and “If someone cracked my password, what other sites could they use it on?”

In order to determine how hard your password is to crack, there are a lot of tools out there, but I’ll recommend you try howsecureismypassword.net. But before you do: I have no affiliation with this website! This means you should not trust it; it could be a phishing attempt (they could be logging the passwords you enter and trying them on Gmail or Facebook, for example). Don’t use any of your real passwords, but enter a few dozen different passwords to get a general idea of how hard a password is to crack. I wouldn’t recommend using anything that would take less than 100 years to crack, as this site shows how long it takes with a single desktop PC. Advanced attackers have a lot more resources than a single computer.
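If typing candidate passwords into someone else’s website makes you uneasy (it should), the same rough estimate can be done offline. The script below is an added example, not the site’s method nor the author’s tooling, and it mirrors the two attacks described in this post: a word-list check (the “keyword database”) that catches dictionary words even with digits and punctuation bolted on, and a keyspace calculation for everything else, converted to years at an assumed guess rate. The word list is a constructed handful of entries, and the rate of one billion guesses per second for a single desktop is an assumption that is about right for fast unsalted hashes and wildly pessimistic for slow ones such as bcrypt.

```python
"""Offline estimate of how long a password resists guessing.

Added example. Two checks, mirroring the post: is the password (or a trivially
mangled form of it) in a word list, and otherwise how large is the brute-force
keyspace at an assumed guess rate.
"""
import string

# Constructed mini word list; a real cracker's list has millions of entries.
SAMPLE_WORDLIST = {"password", "secret", "qwerty", "letmein", "welcome", "monkey", "123456"}

# Assumption: guesses per second for one desktop PC against a fast, unsalted
# hash. Real figures span roughly 10^4/s (bcrypt) to far above 10^9/s (MD5 on a GPU).
DESKTOP_GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600

_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def alphabet_size(password):
    """Size of the character set an attacker must cover to brute-force this password."""
    size = sum(n for chars, n in _CLASSES if any(c in chars for c in password))
    # Anything outside those classes (accented letters etc.): assume one extra
    # class of 100 symbols. Rough, but keeps the estimate from being zero.
    if any(all(c not in chars for chars, _ in _CLASSES) for c in password):
        size += 100
    return size


def normalised(password):
    """One common cracker mangling rule undone: drop non-letters and lowercase."""
    return "".join(c for c in password if c.isalpha()).lower()


def years_to_crack(password, wordlist=SAMPLE_WORDLIST, rate=DESKTOP_GUESSES_PER_SECOND):
    """Worst-case years to exhaust the keyspace, or 0.0 if a word list finds it."""
    if not password:
        return 0.0
    if password.lower() in wordlist or normalised(password) in wordlist:
        return 0.0
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / rate / SECONDS_PER_YEAR


def verdict(password, minimum_years=100):
    """Apply the post's rule of thumb: anything under 100 years is too weak."""
    return "ok" if years_to_crack(password) >= minimum_years else "weak"


if __name__ == "__main__":
    # Constructed test passwords, none of them anyone's real credential.
    for candidate in ("password", "Password123!", "Abc123", "secretpassword%^&"):
        print(f"{candidate!r:24} {years_to_crack(candidate):12.3g} years  -> {verdict(candidate)}")
```

Note what the word-list branch does to “Password123!”: by the keyspace rule it looks respectable, but stripped of its digits and punctuation it is just “password”, which any cracker’s mangling rules will reconstruct in a fraction of a second. Length of a genuinely random base, as the post says, is what buys the years.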

Sometimes when an organization has its encrypted password database stolen, it is published online for others to crack. If someone cracks your password for one website, where else can they use it? I hope nowhere. One idea is to have a dynamic password on every website you go to. For example, say my base password was secretpassword%^&. I could then add something in the middle for each site I go to. Let’s say I choose the first 3 letters of each site I go to, after the http://www. part, and put those 3 letters in the middle of the password. I would have secretpasswordfac%^& for Facebook and secretpasswordgma%^& for Gmail. A clever attacker might recognize the fac or gma, so maybe you reverse those letters. Hopefully you get the point: find a base password that would take a long time to crack, and then add something unique to it on an individual-site basis that is not visually obvious.

If you want to try password cracking your own encrypted passwords on your personal computer, check out this list of password crackers that are free for anyone to download.

 

 

Using a non-tracker analytics service

You’ve probably heard of Google Analytics, which takes logs of your website visitors and all of their activities, and provides you some very pretty, and useful, reports. What you might not be aware of is that it is also a tracker service. It means that in order to provide you this information, they also take all of that information on your users and log it for themselves as well. What do they do with that information? Who can they sell it to? You’ll want to review their privacy policy and terms of service for yourself.

If you want the same useful information, but without selling out your clients’ and customers’ personally identifiable information (PII), check out Piwik and/or Open Web Analytics. If you’re not a techie, One Day Website will install either of these for you, or you can ask your local tech support to do so for you!

If you want to know what trackers websites are using to track your website surfing habits, and likely selling to any and all bidders who want that information, check out the post on ghostery.

If you’re a citizen of British Columbia and concerned about the government’s handling of your personal information, you probably want to read Bill-3 (full text of the proposed amendments), which has already passed second reading in the BC provincial legislature. These are proposed amendments to the Freedom of Information and Protection of Privacy Act.

What they want to do is remove accountability for which Ministry is responsible for the data; instead, they’re hoping to build a monster database, which they call Integrated Case Management (ICM), and allow effectively anyone in government to read your personal information. As someone who investigates breaches in British Columbia, I should remind you that most breaches are not by hackers on the outside, but by inside employees abusing the access they have. This puts your personally identifiable information at an exponentially greater risk. In fact, there would be nothing stopping them from also sharing this data with “partner” organizations, which include private companies and/or foreign governments.

This is the most important bill this year in British Columbia regarding your personal information, be sure to share your concerns with your MLA!

EDIT: It’s a done deal; as of October 25, 2011, this bill passed third reading. (Watch the third reading video, or read the transcript.)

Google now offering secure search

It’s not often we’ve given Google credit for privacy or security steps, but this week is one of them. Following the steps by Facebook and Twitter that we announced back in May, Google, five months later, has just announced they are now offering SSL searches! Mind you, this is a more significant step than that of Facebook or Twitter, as those involved in SEO/optimization will quickly realize that search keyword data is no longer provided to you as the web manager (they’ll provide you the top 1000 through their webmaster tools). And while optimization folks won’t be pleased, on behalf of the privacy and security community, I would like to give credit where credit is due: thanks, Google!

Tech tip: Both https://www.google.com and https://encrypted.google.com work now, update all of your Google bookmarks, so others between you and Google can’t quietly see what you’re searching anymore!

Protected: Shared hosting back door
