Technology

Cool Firefox Extension

Following the great work done by SiteAdvisor in rating sites for how much unwanted junk they include with their downloads (think spyware, adware, trackers, “search-enhancers”, toolbars etc) they’ve produced a cool little Firefox extension which warns about sites that they consider “unsafe” with little icons and a statusbar highlight. Another useful weapon in your armoury to keep your PC free of nasties…

http://www.siteadvisor.com/download/ie.html

It’s also available for IE (for those who are forced to use it) – for whom it’s probably even more valuable!

Technology

Security and Banks


I just got an interesting message from my bank (via their website)…

Do You Use Wireless Broadband (Wi Fi)? Then you should be aware when using wireless networks to always ensure all security features are turned on so nobody else can access your information. We strongly advise you to review your configuration and ensure that strong encryption and authentication features are turned on. Features such as “128bit WEP” and more recent, and more secure, “WPA encryption technologies” are essential to protecting your data. For further information on Wi Fi security go to http://www.getsafeonline.org.

I think this is a good thing – if people who are running unsecured WiFi networks start getting advice about securing them from their bank (rather than via techies or their ISP) maybe they’ll take heed. After all, they already know that security is important with money, and maybe seeing a message like this will help people make the connection between poor PC security habits at home, and the risks they face.

Now if the banks would start putting messages out about Phishing, Spyware, and BotNets then maybe it’ll start to turn the tide of the hordes of compromised PCs out there.

Computer Security, Technology

The Google Desktop story continues

Several high-profile security analysts are now coming out and expressing their concerns regarding the “Search across PCs” feature of the latest version of Google Desktop – echoing my post from a couple of weeks ago.

Silicon.com is reporting that Gartner and the Electronic Privacy Foundation are now both advising that this software should not be used – or should be “locked down”.

In my opinion, all companies who are concerned over Google having copies of their confidential documents should ban the use of the Desktop Search on PCs connected to their network, and should take steps to prevent the software sending documents “home” if a user should install it against company policy. Certainly your firewall needs to block all traffic to the Google servers that the data is transferred to.

I have yet to identify the server in question, but it should be possible to install the software on a “clean” test machine, set up a couple of “dummy” documents, and watch the network traffic that the search tool generates when it sends those files home. However, I’d suggest that concerned network admins contact Google via the link at the bottom of this page and ask something like “what rules should I apply to my firewall to prevent PCs within my network which have Google Desktop installed on them communicating with Google’s servers?”

I’m not sure that it isn’t going too far to call this tool “spyware” – although if you read the agreements it’s not hiding what it’s doing, and you can turn the feature on and off – but even so, how many people are really going to take the time to configure this properly? The earlier versions required little configuration at all to be very useful; will this version require very little configuration to be a security risk?

I’m not going to install it to find out.

Update – Apparently Google agrees that it’s a security risk, but their only advice is “use the Enterprise version” – which apparently allows the feature to be switched off as a global setting – however there’s still nothing to stop end users downloading the personal version, and no information to help sysadmins configure their network to prevent this.

Unfortunately it’s well known that users are the weakest link in computer security, as was proved a couple of weeks ago when “free valentine” CDs handed out in the street managed to bypass a number of companies’ security rules and procedures and “call home” from office PCs across London – proving that despite many large companies having policies on installing unapproved software on desktops, they’re routinely ignored by a percentage of users.

Computer Security, Technology

Anonymous E-Cards

It seems that (rather predictably) hackers are exploiting Valentine’s Day to send out fake anonymous e-cards with suitably “romantic” subjects to get people to click on the link in the email to open the card.

Instead, of course, they’re clicking on a link to install some piece of spyware or a virus.

Remember, on this day renowned for receiving anonymous expressions of romance, treat any email the same as you would on any other day – don’t click that link – you don’t know what it’s going to do.

Also, as a responsible computer user, you shouldn’t be encouraging people to open anonymous emails by sending e-cards on Valentine’s Day.

Story from BBC News

Computer Security, Technology

Google Desktop 3 – time to worry

Google have today released version 3 of their excellent search tool – and it contains a feature that I am worried about, both personally, and as an employee of a large IT company.

Now the feature that has me worried is this one:

Search Across Computers makes the following files searchable from your other computers:

* Web history (from Internet Explorer, Firefox, Netscape, and Mozilla)
* Microsoft Word documents
* Microsoft Excel spreadsheets
* Microsoft PowerPoint presentations
* PDF files and Text files in My Documents

So a copy of my documents is going to be stored somewhere I can access from anywhere I can log onto Desktop search – so that’ll be some big server at Google then.

Now stop and think for a second – how many Word documents do you have that are personal letters, maybe letters you’ve written to your bank, your solicitor/lawyer/attorney, your MP? Would you want Google having access to your web history – every page on every website you’ve visited? Would you want the spreadsheet you do your personal finances on stored on Google’s servers?

Thought Not.

Note that although you can tell Google Desktop not to put files on the central server, it seems to be “all or nothing” – you can’t share files selectively – if you want to share some of your files, you have to share them all.

Now add into that the prospect of staff at your company indexing your servers with this tool – think of all the “confidential” reports that could be accidentally sent to Google.

Realise this – you could be fired for distributing company confidential information without even realising it. Companies should make a rule now about Google Desktop – up till now it’s been a harmless (and far better) alternative to the general searches in Windows. Now it could be sharing your secrets with Google.

This is (in my opinion) a “very bad idea”. Yes, the search tool was good in V1 and 2, but this version goes too far, and sacrifices privacy for the sake of convenience. I won’t be installing Version 3 – so I cannot confirm that the default for sharing my files is “don’t”.

Yes, Google has a privacy policy in place, and yes:

Google treats the contents of your indexed files as personal information

However, can you see the value to a hacker of all that personal information stored over at Google? I can see some unscrupulous characters hitting that server farm fairly hard for the information contained in it.

Better make sure your password is really good, and if your employer has any sense they’ll ban this thing from their network, and block the traffic at the firewall.

URL: http://www.google.com/desktop/