The cloud is a current buzzword in technology, referring to remote storage space on the internet. The big challenge with using it, as a privacy advocate, is you don’t know what the people on the remote end are doing with it — are they reading or reviewing the files you put there? Are they selling them or providing the information about those files to third parties like advertisers? Is anyone legally responsible if it is hacked/compromised? If they’re offering it for “free”, you’re likely providing the product being sold.

The most controversial as of writing this is the newly announced Google Drive, whose Terms of Service currently suggest that while you own the copyright for files you put there, Google could use the content as well:

“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

That being said, there are a lot of benefits to using the cloud, I just don’t recommend you do it for anything you’d not want public someday. If you want to store confidential files there, encrypt them with something like GNU Privacy Guard, that way only you can read them.

If I’ve not scared you off, here are a few different free solutions, you can use one or all of them for over 10G of free storage space!

• Dropbox
• Google Drive
• Microsoft SkyDrive
• Apple iCloud

If you know of any others, let me know and I’ll add it to the list!

I’ve spoken about trackers before and recommended four steps/solutions for protecting your browsing privacy:

• Script blocking (browser plugin that blocks scripts by default, the most important plugin one can have!)
• Ghostery (browser plugin that shows how many trackers any given website is using)
• Ad Block Plus (browser plugin that blocks ads on websites, which often includes trackers)
• A replacement hosts file from my friend Dan Pollock (redirects attempts to bad sites to your own computer)

Companies are increasingly more interested in selling your personal information than protecting you (see a few Canadian examples here).

Yesterday I was interviewed by CBC regarding a viral video of a speeding motorcycle here on Vancouver island, and spoke about the potential to track the anonymous poster of the video using the internet. The irony is, I can’t watch the video that I’m in, as CBC has required tracking by Doubleclick (s0.2mdn.net) in order to view it (Read my friend Chris’ detailed article on why Doubleclick is a concern.

If you’re able to watch the video above, you haven’t taken sufficient measures to ensure your browsing security and you should be aware that you’re likely being heavily tracked.  In essence, having the ability to watch the video equates a violation of your privacy.  Since most attacks these days are browser-based, you will be well served to take the steps listed above to both protect your browsing privacy and to make your computer(s) more secure overall.

I would argue the four steps listed above are even more important these days than having anti-virus software installed. The first three are browser plugins, so they should be easy to install. The fourth one is a little more complicated, so don’t hesitate to contact me if you need help going through this process as an individual or for your organization.

This is a time sensitive post, CBC is a National Canadian treasure, and can resolve the tracking ability of their website at any time. Notify me if/when this happens and I will update the article as such, once verified. –Kris

There have been a lot of stories about what happens when you reveal your social network profile, especially your geo-location information. Probably made famous first with Please Rob Me which would post open Foursquare profile data, showing when you’re not at home. While it’s since been shut down, such information is still being used. The Girls Around Me app is getting media attention this week, which shows women in your area, with links to their online profiles.

I have no issue with using open profiles and geo-location, as long as you’re aware of the risks and making an education decision. If you’re not aware of the potential repercussions, you probably want to stay away until you’re better informed.

On all social networks, there are options to close your profile, so it’s not open for the general public to see. This applies to Facebook, Twitter, LinkedIn and Foursquare, for example. Try looking yourself up on each of these, see what you can find!

If someone hacks into your laptop/computer, and it has a webcam, they can control turn it on whenever they’d like. This video, based on a true story, should motivate you to cover your webcam:

One tech tip, don’t put tape directly over the camera as I initially did, as it will leave sticky artifacts on your lens. Instead, put a piece of tape on each side of a piece of paper, and place the paper part on top of the camera.

Most of my clients are running anti-virus on their home and work computers, but are they using it right? There are 3 key steps to running anti-Virus software correctly.

1. Install it. This probably seems obvious, but any computing device you connect to the internet should have anti-virus software installed. If you’re using Microsoft Windows, Microsoft offers Security Essentials for free. This includes portable devices like laptops, tablets and smart phones, and yes, if you’re using an Apple computer, you should also be using anti-virus, otherwise you’ll likely never know if your device has been compromised!
2. Download the latest definitions, regularly. Every day 100s of new viruses are found in the wild, on the internet. Your anti-virus company will provide you with a chance to download the latest definitions of theses viruses likely every day or two. It doesn’t make sense to move to step 3, without doing this step first. Otherwise, your anti-virus software will only be able to find viruses with the latest definitions file it has.
3. Scan your device. A lot of people think steps 1 or 2 are all you need to do, but that is incorrect. You need to have your anti-virus do a regular, deep scan of your device, so see if it finds any matches between it’s list of definitions, and files on your computer. If it finds a virus, it will offer you a way to remove or quarantine it.

How often do you scan your devices with the latest definitions?

I mentioned a few months ago for those wanting to leave Google search to give DuckDuckGo a try. There’s another alternative as well, called ixquick. Give it a try as well, and see which one you like the best. You can follow the DuckDuckGo post to make ixquick your default search engine as well.

If you’re in the Victoria, British Columbia region, we’re going to start a community-based reverse engineering class, and you’re invited. Reverse Engineering is understanding someone else’s software well enough to be able to do what you want with it. You can follow the latest on the REclass page on the Ideas – Victoria  wiki.

You don’t need any software or computer programming experience, but it will definitely help. You will have to be willing and eager to learn. You can do a search online for “introduction to computer architecture” and “introduction to assembly language” to get an idea of what to expect.

You might also watch on their Facebook page and/or Twitter account for updates.

UPDATE Feb 15: See the initial syllabus as presented by Guy: Reverse Engineering Brainstorm Session

One of the most common ways your computer gets compromised, is by malicious scripts opened by your web browser. This means you go to a website that might look normal, but it’s doing bad stuff in the background that you don’t see, potentially giving the attacker full access to your computer. This is a particularly nasty problem, as when you go to a site, you want everything to work as the website developer intended, but allowing all scripts on untrusted site creates a risk.
The most popular way to avoid this is to block scripts by default, but take note it moves the responsibility on to you to decide what sites to trust… or not.

There are various no script plugins, depending on your browser:

• If you use Firefox, download the NoScripts plugin.
• While not quite as good as NoScript, Google Chrome has a the NotScripts plugin.
• Opera also has a NotScripts plugin.
• Internet explorer has a cross side scripting (XSS) filter

Once you have installed the plugin, restart your browser. You should notice a new icon or bar at the top or bottom of your browser, for your new plugin. If you click your mouse over that icon on any given website, you can allow scripts to run on that site, either temporarily (as long as your browser is open that session) or permanently. Don’t allow scripts to run on websites you’re not sure whether to trust. It’s better to be safe than give a stranger full access to your computer!

Over the week-end, the University of Victoria’s new administrative building was broken into. A payroll server with the personally identifiable information (PII) of over 11,000 people was on it, including social insurance numbers (SIN), as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both while in transit (transport layer) as well as on the computer (storage layer).

I was interviewed for over 30 minutes by CBC BC today, a few second made it onto the news. Check out this clip from the top of the 6pm news.

One of the tips I gave but didn’t make it in, is to annually request a copy of your credit report. This is free once a year to do if you send your request in writing, and is the best way to determine if you’re a victim of  identity fraud. When you do this, put it in your calendar as a reminder to make the request again in a year from now.

UPDATE: Jan 13, 2012:

Saanich news is reporting that UVic will pay for $1.7M worth of credit reporting monitoring as a result of this breach. So if you’re thinking your organization can’t afford an organization like PrivaSecTech to protect the personal information of your staff and clients, this is another example of how being proactive would have been less than 1% of the reactive cost. It costs you nothing more than an email or a phone call to see what we can do for your organization. We look forward to working with you to ensure this doesn’t happen to you.

What is your computer doing on the internet without your knowledge?

Does it ever seem like your computer is working, even when you’re not telling it to do anything? Have you ever wondered if there is someone else accessing your computer, or if your computer is transferring information over the internet without your knowledge? If you’ve never checked, it’s probably doing a lot of things–some of them not good! Viruses may be working, hackers could be connecting to your computer, and “legitimate” programs may be transferring information about you that you didn’t authorize.

How do I find out what programs are running secretly on my computer?

Here’s a quick and easy way to open a window onto what your computer is doing over the internet:

* For Windows download and install TCPView
* For Macosx, go to Applications -> Utilities -> Terminal and run “lsof -i”
* For Linux, you can also install lsof and run “lsof -i”

If you run one of those programs right now, you may see 50 activities or more in a long list. That’s a lot of communication going on between you and your computer without your knowing about it, isn’t it!

One item in the list you will see is a connection from your computer, to TCP port 80 of privasectech.com (67.205.0.134) which is where this website is currently being hosted.

If you see the word “LISTEN”, that means it’s a program waiting for people on the internet to connect to it. Are you sure you want these programs running even when you didn’t tell them to?

How do I learn about what these unknown programs are doing?

The list you’re seeing shows the applications on your computer that are using the internet right now. The list also shows the “Remote Address”, which is where your computer is connecting to. If the remote address is an internet address (IP), you can find out where or what that address is if you resolve the DNS.

Next week, I’ll show you how to identify exactly what all those programs are, and how to stop, remove or gain control of them.

If you want this done for your organization in an automated fashion, with reporting as part of an internal audit, this is a service that PrivaSecTech.com provides.