Good To Know – A Consumer privacy guide from Google

The European Public Policy blog of Google yesterday announced Good to Know, a consumer advertising campaign designed to give people practical guidance on staying safe online. The aim of this service is to educate and create awareness among online citizens with regard to their privacy and data.

According to Google, most people would like to stay safe online but aren’t equipped to do so. The Good to Know site is the answer to the lack of an in-depth, easy to understand guide to privacy and security for the majority of internet users.

Today we’re also launching a new section of the Google website that makes learning about security and privacy easier for the average consumer. We know that in-depth resources like privacy policies and terms of service are often too long, complex and legalistic. In the past few years, we’ve tried to make it easier to learn about privacy by creating short videos and by working to reduce the length and complexity of our privacy policy. The new Good to Know website builds on this commitment to explaining things in simple language. The in-depth resources are still there, but we hope a more layered approach will make this information more accessible for everyone.

[VIDEO] What Google and Facebook are Hiding

Eli Pariser of the progressive organization MoveOn says the Internet is hiding things from us, and we don’t even know it. In this TED Talk he calls out Facebook, Google and other corporations who are transforming the Internet to suit their corporate interests. Very well worth watching.

“A squirrel dying in front of your house may be more relevant to your interests than people dying in [sic!] Africa” Mark Zuckerberg, CEO of Facebook

LulzSec “Leader Arrested”

The Met Police service in the UK has arrested an alleged member of the LulzSec hacking group, according to a statement on their official website:

“Officers from the Metropolitan Police Central e-Crime Unit (PCeU) have arrested a 19-year-old man in a pre-planned intelligence-led operation.

The arrest follows an investigation into network intrusions and Distributed Denial of Service (DDoS) attacks against a number of international business and intelligence agencies by what is believed to be the same hacking group.”

The LulzSec group is suspected of masterminding high level cyber attacks on very high profile targets including Sony and the FBI. More recently, it’s been accused of hacking into the infrastructure of the UK Census bureau, a claim the group denies according to this tweet on their account. 

It’s not clear whether it is a member of the group that has been arrested, as the authorities claim, given these words by LulzSec via their Twitter account:

Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor bastard did they take down?

Get this Anti-Virus for your Nokia Smartphone!

Using a smartphone, unlike a feature phone, is like running a computer, complete with its attendant security risks and headaches. For Nokia Symbian S60 phone users, Netqin mobile AV available from the Ovi Store or GetJar should be a must have if you are interested in having control over the security of your phone.
I personally like this one for its simplicity, resource efficiency and cost. Its features include:
  • Realtime monitoring
  • Fast scanning
  • Firewall
  • Anti-spyware
  • Anti-Virus
  • System Optimization management 
  • Light footprint
The simple interface also makes finding your way around the app a breeze. Working in the background, it scans all the files you work with to make sure nothing untoward happens on your handset. The parameters for the real time scan are customizable to individual preferences. 
If you are interested in security on your Symbian powered Nokia phone, you might want to take a look at this app!

Why Every Internet User in the West Must Use Gmail

With an ever increasing number of kids seeing internet fraud as a profession more worth their time than school, Gmail might be a handy tool to help combat it. This piece on Myjoyonline caught my attention and got me thinking about how people from the West, believed to be the most advanced societies of mankind today, can fall for shams from children as young as 17 years from countries like Ghana and Nigeria.
I find it difficult to not believe that people take every mail that lands in their inbox folder as credible, otherwise how can anyone possibly believe any of the superfluous stories that they fall for?

“I work for this rich man in Ghana who died leaving $1,000,000 US in his bank account. He’s got no heirs and so the money lies idle there. To help me get it, please send me your bank credentials, and $50,000 to cover the legal fees required for the transfer after which you and I will get married and enjoy this money happily ever after.”

What hogwash! And then people FALL for such glaringly stupid absurdity. If you are using Gmail, such mails hardly land in your inbox folder thanks to its advanced filtering system. There is no other mail service out there that catches this kind of sham like Gmail.
You might ask why this post. I am a Ghanaian, and it really saddens me to see the name of my country blacklisted by agencies like the FBI for being a top hub in internet fraud or 419 scams, popularly known as Sakawa in local parlance. Just saying you are a Ghanaian sometimes casts a heavy cloud over your head when dealing with people who actually know what your compatriots are capable of.
I have always argued that if people in the West get to be just a little circumspect and mindful of how they ship their hard earned cash to so called girlfriends and business associates down here, this menace to society can be reduced to the barest minimum. And if you ask me, one of the best tools for this is Gmail.

Security in Firefox

Continuing our posts about security, we’ll speak of a door, a window to the outside world that can be a potential security breach.
Let’s talk about how to protect our beloved Firefox browser.
I will present some extensions and one tip to improve security in Firefox.

1. Adblock Plus 1.1.3
Have you ever been annoyed with all those ads and banners on the internet that often take longer to download than everything else on the page? Install Adblock Plus now and get rid of them. That’s what the plugin does: cut the advertisements. If at home you also zap the TV when it enters the advertising commercials…

2. BetterPrivacy 1.45
This protects your system from cookies that cannot be deleted in the usual way, known as “super-cookies”.

3. NoScript 1.9.9.35
The best add-on / plug-in for security you can find in a web browser!
Allows you to block any script running in an HTML page, allowing active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

4. WOT – Safe Browsing Tool 20091028
Web of Trust (WOT) warns you about risky websites that cheat customers, install malware or send spam. Millions of members of the WOT community rate sites, evaluating them for potential hazards / security flaws that could compromise healthy browsing of the Internet.

5. Stealther 1.0.7
If there are times when you want to surf the web without leaving traces on the local computer, then this is the ideal extension for you. What it does is temporarily disable the following: Cookies, History, Downloads, Passwords, Forms and authenticated sessions.

6. Disable and prevent the installation of plugins in Firefox

      A. Open the Firefox browser on your computer.
      B. Type about:config in the address bar (where you type the URL of the websites).
      C. In the security warning screen click “I’ll be careful, I promise.”
      D. Scroll down and look for xpinstall.enabled. When you find it, right click and click on Toggle. Its value will change from True to False.
      E. Restart the Firefox browser (close and open again).

That’s it: the browser will now refuse to install add-ons and plugins.
Another tip: If several people use the same computer, this procedure should be done for each one of the users.
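To check that the setting really was changed for every user, the sketch below (an added example, not part of the original post) reads each Firefox profile's prefs.js and user.js and reports whether xpinstall.enabled is still on. It assumes the usual Linux layout ~/.mozilla/firefox/<profile>/ under /home; the function names are made up for this illustration.

```python
import re
from pathlib import Path

# Matches one preference line as Firefox writes it: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')
PREF = "xpinstall.enabled"


def read_pref(js_file, name=PREF):
    """Return the raw value of `name` in one prefs file, or None if it is not set."""
    value = None
    if js_file.is_file():
        for line in js_file.read_text(errors="replace").splitlines():
            m = PREF_RE.match(line)
            if m and m.group(1) == name:
                value = m.group(2)  # a later line overrides an earlier one
    return value


def installs_enabled(profile):
    """True if this profile still allows add-on installation."""
    effective = None
    # user.js is applied on top of prefs.js at every start, so it is read last.
    for fname in ("prefs.js", "user.js"):
        v = read_pref(Path(profile) / fname)
        if v is not None:
            effective = v
    return effective != "false"  # unset means the default, which is true


def audit_profiles(firefox_dir):
    """Map profile directory name -> installs_enabled() for one user's Firefox dir."""
    result = {}
    for p in sorted(Path(firefox_dir).iterdir()):
        if p.is_dir() and ((p / "prefs.js").exists() or (p / "user.js").exists()):
            result[p.name] = installs_enabled(p)
    return result


def audit_all_users(home_base="/home"):
    """Audit every user under home_base (assumed layout: <user>/.mozilla/firefox)."""
    report = {}
    for ff in sorted(Path(home_base).glob("*/.mozilla/firefox")):
        report[ff.parts[-3]] = audit_profiles(ff)
    return report


if __name__ == "__main__":
    for user, profiles in audit_all_users().items():
        for name, enabled in profiles.items():
            state = "true (installs still allowed)" if enabled else "false"
            print(f"{user}/{name}: {PREF} = {state}")
```

Run it as a user who can read the other home directories; a profile that never had the preference toggled reports true, because that is the default.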

Read more:
http://www.quickonlinetips.com/archives/2009/08/secure-web-browsing/
http://www.tothepc.com/archives/disable-firefox-plugin-addon-software-installation/

So Microsoft has always been in bed with hackers?

“When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else” Brandon LeBlanc of Microsoft.
I find the above quote both interesting and serious at the same time. The blog post linked to above is a Microsoft rebuttal of claims that Google is shifting from MS Windows to Mac and Linux given the insecurity of the Redmond cash cow. 
Brandon claims in the blog post that they are doing a lot in terms of security, so much so that even hackers attest to the fact. The hackers’ attestation in the blog post links to a long article on C-Net about “the quick rise of a teen hacker.”
The entire blog post raises just three questions in my mind: 
1. So is Microsoft implicitly conceding that in the past hackers used to have a field day?
2. Why has it taken them so long to now be taking security related risks “seriously?”
3. Who are the “anyone else” Brandon refers to? Perhaps Apple or the Penguin?
Maybe you could help me answer?
Thanks to Mashable for the original story.

Photo Rec – Linux saving your deleted data


PhotoRec is data recovery software designed to recover lost files, including video, documents and other files from hard disks and CD-ROMs, and lost pictures (hence the name Photo Recovery) from digital camera memory.

PhotoRec ignores the filesystem and goes after the underlying data, so it keeps working even if the file system of the media is severely damaged or reformatted.

PhotoRec is free – this open source multi-platform application is distributed under the GNU General Public License. PhotoRec is a companion program to TestDisk, an application to recover lost partitions in a wide variety of file systems and fix problems with disks with boot issues.

Operating Systems

PhotoRec runs under

  • DOS/Win9x
  • Windows NT 4/2000/XP/2003/Vista
  • Linux
  • FreeBSD, NetBSD, OpenBSD
  • Sun Solaris
  • Mac OS X

and can be compiled on almost all Unix systems.

File systems

PhotoRec ignores the file system and works even if the filesystem is severely damaged.
You can recover lost files from:

  • FAT
  • NTFS
  • Ext2/ext3
  • HFS+

ReiserFS includes some special optimizations centered around tails, a name for files and end portions of files that are smaller than a filesystem block. In order to increase performance, ReiserFS is able to store files inside the b*tree leaf nodes themselves, rather than storing the data somewhere else on the disk and pointing to it. Unfortunately, PhotoRec isn’t able to deal with this – that’s why it doesn’t work well with ReiserFS.

Media

PhotoRec works with hard drives, CD-ROMs, memory cards (Compact Flash, Memory Stick, SecureDigital / SD, SmartMedia, Microdrive, MMC, etc.), USB memory drives, DD raw image, EnCase E01 image, etc.
PhotoRec was successfully tested with various portable media players, including iPod and several digital cameras.

Known file formats

If there is no data fragmentation, which is often the case, it can retrieve the entire file. PhotoRec recognizes many file formats, including ZIP, Office, PDF, HTML, JPEG and various graphics formats. The entire list of file formats recovered by PhotoRec contains more than 320 file extensions (about 200 file families).
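The following toy carver is an added illustration, not PhotoRec's code and not from the original post. It shows what "ignoring the file system" means in practice and why fragmentation matters: it scans a raw image block by block for the JPEG start bytes and cuts at the first end marker. The 512-byte block size and the constructed sample image are assumptions made for the example.

```python
JPEG_SOI = b"\xff\xd8\xff"   # bytes every JPEG file starts with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
BLOCK = 512                  # assumed block size; files start on block boundaries


def carve_jpegs(image, block=BLOCK, max_size=20 * 1024 * 1024):
    """Return [(offset, data)] for every JPEG-looking run found in a raw image.

    No partition table, directory or inode is consulted: only the bytes are read.
    Simplification: the first end marker after the header is taken as the end of
    the file, and all blocks in between are assumed to belong to it.
    """
    found = []
    offset = 0
    while offset < len(image):
        if image.startswith(JPEG_SOI, offset):
            end = image.find(JPEG_EOI, offset + len(JPEG_SOI), offset + max_size)
            if end != -1:
                end += len(JPEG_EOI)
                found.append((offset, image[offset:end]))
                offset = -(-end // block) * block  # resume at the next block boundary
                continue
        offset += block
    return found


def pad(data, block=BLOCK):
    """Pad data with zero bytes up to a whole number of blocks."""
    return data + b"\x00" * (-len(data) % block)


def build_sample_image():
    """Constructed 'disk': one contiguous fake JPEG and one fragmented fake JPEG."""
    photo_a = JPEG_SOI + b"A" * 700 + JPEG_EOI
    photo_b = JPEG_SOI + b"B" * 700 + JPEG_EOI
    foreign = b"T" * BLOCK                    # a block owned by some other file
    image = (b"\x00" * BLOCK                  # block 0: stands in for wiped metadata
             + pad(photo_a)                   # blocks 1-2: photo_a, contiguous
             + photo_b[:BLOCK] + foreign      # block 3: start of photo_b; block 4: foreign
             + pad(photo_b[BLOCK:]))          # block 5: the rest of photo_b
    return image, photo_a, photo_b


if __name__ == "__main__":
    image, photo_a, photo_b = build_sample_image()
    for offset, data in carve_jpegs(image):
        intact = data in (photo_a, photo_b)
        status = "intact" if intact else "damaged (file was fragmented)"
        print(f"offset {offset}: {len(data)} bytes, {status}")
```

The contiguous file comes back byte for byte, while the fragmented one is returned with the foreign block embedded in it.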

Using PhotoRec

The best way to use PhotoRec is from a maintenance LiveCD distro. Currently, PhotoRec is present in the repositories of the major distributions and in the following maintenance distros: Ultimate Boot CD, System Rescue CD, RIPLinux and Parted Magic.
Since PhotoRec works in a non-destructive way, that is, it only reads the media and does not write to it in any way, it needs another medium / disk on which to save the files it identifies while reading. I advise you to boot the compromised system with a maintenance LiveCD distro (any of the distros mentioned above) and use a pen drive as auxiliary storage for the recovered files. Pen drives of 4, 8, 16 gigabytes or more are suitable here, depending on the extent of the damage on the analyzed hard drive.
PhotoRec, despite running at the command line, is an interactive program and very easy to use. Note: the disk to be analyzed should be unmounted. When you start PhotoRec, specify which disk is to be analyzed, which file extensions PhotoRec should look for and where the recovered files will be stored, and just let it work. Once retrieved, the files need to be examined, since PhotoRec gives the files it recovers generic names. In my experience, I have a success rate of almost 100% with graphics files, audio and some video files. With document files in proprietary formats, results may vary, since proprietary file formats may not be fully recognized by PhotoRec.
PhotoRec is also very useful for forensic analysis of hard drives. Along with TestDisk, it can recover files from formatted partitions and obtain proof and evidence that would otherwise be lost. The caveat here is the Zero-Fill process, which writes a pattern over the HD, making it impossible to recover the data later.
PhotoRec and TestDisk are creations of Christophe Grenier.

Site: http://www.cgsecurity.org/

Good Security Practices On Linux


Some time ago, the open source world was caught by surprise by the announcement of malware for Linux, hidden in a screensaver for Gnome on gnome-look.org.

There was an uproar, and the Microsoft fanboys rushed to point the finger at Linux and say that Linux is as vulnerable as Windows. Easy now, folks, let’s not confuse things here. Just because the Porsche and the VW Beetle share the same designer, Ferdinand Porsche, it doesn’t mean they can equally be called cars. One (the Porsche) is a car, the other (the VW Beetle) is a means of transportation.

But to the folks who are migrating to Linux and have the naive hope that nothing will happen to their Linux machines, unfortunately we have to say: curb your enthusiasm. But do stay excited, as Linux is not Windows. And, in the security department, it never will be (thank God, Linus and all the folks: programmers, testers and users).

Security in Linux (as with any operating system) is a matter of habit, so we will list some tips that will help build good security habits on Linux.

Of course, these tips here apply to desktop systems (home or office). For servers, we would have other much more restrictive rules.

  • Never work as root. Working with the root account is very risky. Use root only for maintenance tasks, with su (or kdesu or gksu), and never log into the system with this account. Browse the internet as root? No way.
  • Do not enable auto login if your computer can be used by others. Auto login is a very interesting feature, but if you have information you want to keep private, it is not a good policy to enable auto login.
  • Be careful with Grub. It can easily be circumvented to allow privileged access to your machine. If you are afraid that someone might access your machine in your absence, you need to “shield” Grub (although, if there is physical access to the machine, it is 70 to 99% compromised).
     What happens? The boot options can easily be changed in the Grub boot menu.
     See how this occurs:
     “Press ESC to enter the menu …”
     Press ESC and a list of boot options will appear. Then do the following:
     Select the line for Linux and press “e”;
     Next, the boot command lines of the distro appear. Select the line that starts with kernel … and press “e” again;
     The line is now editable;
     Delete the options “ro quiet splash locale=EN_US” and type “root=/dev/hda0 rw init=/bin/bash” in their place (without the quote marks, and assuming your hard drive is /hda0);
     Press Enter to get back to the menu and press “b” to boot the system.
     And, voilà, you have root and can do whatever you want on this system.
     How to prevent it? Put a password on Grub.
     Edit the file /boot/grub/menu.lst
     Uncomment the line “password”, where “password” is the password you want to set.
     But a password stored in plain text like this is easily read. Let’s make things harder for the attacker. Open a terminal, type “grub-md5-crypt” (without the quote marks) and press ENTER.
     Then enter the password you want twice and write down the output (which looks quite strange).
     Now edit the file /boot/grub/menu.lst and insert the line “password --md5 (the password)”, where (the password) is the strange sequence of characters the previous command produced.
     Ex.: password --md5 $1$3/9xL/$Uv7mG37A77UBUnh/GkogN/
  • Update your system regularly, or better, daily. While flaws in Windows are slow to be resolved, in Linux they are sometimes resolved within hours. So keeping your system up to date is good security policy.
  • Do not leave sshd (the SSH daemon) running on your machine. It will always be listening, and with this “backdoor” open to the outside world it is a lure for attackers (professional crackers or Sunday crackers) to tinker with your system. Disable SSH instead. On servers, SSH has its reason to be. On home desktop PCs, not so much.
  • Do not allow the execution of scripts in /tmp and /home. Say an attacker was able to access your machine and compromise its security, getting access to a user account. The next step is to upload a script that exploits a flaw (a kernel hole, a buffer overflow, etc.) to gain root privileges. What to do?
    Two things:

    1. Limit the number of users on your machine. If you are the only one using it, have only your account and root.
    2. Disable the execution of scripts in /home and /tmp. How? In the fstab.
      First, make a backup of your current fstab. Then, with a text editor of your choice (emacs, mcedit, joe), make the following changes:
      Find the line that references your /home partition. Ex.: # /dev/sda7 UUID=413eee0c-61ff-4cb7-a299-89d12b075093  /home  ext3  nodev,nosuid,relatime  0  2
      And change it to # /dev/sda7 UUID=413eee0c-61ff-4cb7-a299-89d12b075093  /home  ext3  noexec,nodev,nosuid,relatime  0  2
      If /tmp is on a separate partition, the procedure is the same, noting that the 3 options should be added after the declaration of the file system type (in the case above, after ext3).
      Example: LABEL=/tmp /tmp ext3 noexec,nosuid,nodev 0 0
  • Do not install packages from sites you do not know. Note that even a popular and “reliable” site such as gnome-look.org was hit by malware-infected software, so double your attention.
  • The following tip is related to the one above: never download anything for your operating system via torrent (OTHER THAN ISOS OF DISTROS YOU WANT TO INSTALL). Pirated copies of paid programs for Linux are becoming popular on torrent sites. As there is no way to verify the origin of those packages, they are potentially dangerous.
  • Disable the execution of compilers for any user on your machine. By doing this you ensure that the compiler cannot be used to install exploits on your machine.
    Ex: #chmod 000 /usr/bin/*cc*
    To reset: #chmod 700 /usr/bin/*cc*
  • Be very careful with p2p sharing programs (Frostwire and others). If you do not properly configure the location of the shared files, you could jeopardize all the files in your /home. The ideal is to set aside a specific partition for sharing, with no connection to your /home, to preserve your data.
  • Do not install add-ons for Firefox from sites other than the Mozilla Foundation’s site. The same advice applies here: do not download packages from unknown sites.
  • Use a firewall. Even if you have nothing “listening” to the external network, a firewall is very important, as your machine can be used to trigger a Smurf-type denial of service attack (the attacker sends a rapid sequence of ping requests to a broadcast address but spoofs the return address, causing thousands of computers to send their replies to the address the attacker wants to bring down). With a firewall, ping requests (and various other TCP and UDP requests) are easily blocked and controlled. Good firewalls for beginners are Guarddog and Firestarter.

    So, with these simple security tips, your machine will be shielded against outside attacks. But the most important part is still the user, who must learn what is going on. Learning also helps the user make a better internet, since we are all connected now, and what affects some will affect others through a cascading effect. So protect your machine, and the internet as a whole will be improved.
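For the fstab tip above, this added sketch (not from the original post) parses an fstab and reports which of noexec, nosuid and nodev are still missing on /home and /tmp. It goes slightly beyond the post by resolving options left to right, so a later "exec" cancels an earlier "noexec", and by flagging the case where /tmp has no fstab entry of its own. The sample file is constructed from the post's lines plus a made-up root entry, and the function names are illustrative.

```python
HARDENING = ("noexec", "nosuid", "nodev")


def parse_fstab(text):
    """Return {mount point: [options]} for every entry; comment lines are skipped."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4:
            continue
        spec, mountpoint, fstype, opts = fields[:4]
        mounts[mountpoint] = opts.split(",")
    return mounts


def effective_hardening(options):
    """Resolve options in order (later ones win) into the active hardening flags."""
    active = set()
    for opt in options:
        name = opt.split("=", 1)[0]
        if name in HARDENING:
            active.add(name)
        elif "no" + name in HARDENING:      # exec, suid, dev switch a flag back off
            active.discard("no" + name)
        elif name in ("user", "users"):     # these imply noexec, nosuid and nodev
            active.update(HARDENING)
        elif name in ("owner", "group"):    # these imply nosuid and nodev
            active.update(("nosuid", "nodev"))
    return active


def audit_fstab(text, mountpoints=("/home", "/tmp")):
    """Map each mount point to its missing flags, or None if it has no fstab entry."""
    mounts = parse_fstab(text)
    report = {}
    for mp in mountpoints:
        if mp not in mounts:
            report[mp] = None   # not a separate partition: no line of its own to edit
        else:
            report[mp] = sorted(set(HARDENING) - effective_hardening(mounts[mp]))
    return report


# Constructed sample: the post's /home line before the change and its /tmp line,
# plus a made-up root entry.
SAMPLE_FSTAB = """\
# /dev/sda7
UUID=413eee0c-61ff-4cb7-a299-89d12b075093  /home  ext3  nodev,nosuid,relatime  0  2
LABEL=/tmp /tmp ext3 noexec,nosuid,nodev 0 0
/dev/sda1  /  ext3  errors=remount-ro  0  1
"""

if __name__ == "__main__":
    for mp, missing in audit_fstab(SAMPLE_FSTAB).items():
        if missing is None:
            print(f"{mp}: no separate fstab entry")
        elif missing:
            print(f"{mp}: missing {','.join(missing)}")
        else:
            print(f"{mp}: ok")
```

To audit a real system, pass the contents of /etc/fstab to audit_fstab() instead of the sample string.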

Moderate Paranoia - A better way to keep yourself safe online.

There is always talk of the security of people on any service or platform. There equally has always been a good number of recommendations including the use of strong passwords, use of security suites among others. One thing though that I hardly hear mentioned is moderate paranoia.
That has been my simple way of avoiding any kind of security breach on my system or accounts, at least that I know of. It is not just a matter of giving people more security options like Facebook recently did, neither is it about using any powerful anti-nameit or even about running Linux.
You can give the most secure of secure systems to someone, and there would still be security problems once the person is naive and loses all sense of paranoia. I’m yet to know of any OS or security suite that can actually save a person who clicks on any link at all, installs almost anything that looks like a .exe file, signs up to every kind of garbage service on the net, gives out their social networking site passwords to any type of third party service and so on.
People must be taught to know that the virtual world is just like the brick and mortar one they are used to. You just cannot trust everyone 100%. Just as no one will let anyone at all into their homes, so too should they be wary of what programs they run on their boxes.
Just as people will not entrust the keys to their properties to anyone at all, so too should they not just dole out their passwords to anything at all that asks for them. People should learn to exercise some moderate paranoia whenever they are online.
In my opinion, that is a better way of keeping yourself safe online. Don’t go round thinking everyone and everything is a threat. But also don’t go round with the naivety of a 10 year old who is just visiting the virtual world for the first time.