Winding Your Way Through Google's Latest Privacy Maze - UPDATE

***sorry wrong wrong link earlier - fixed now. Ha! ***

If you don't want to completely drop Google from your world, Naked Security will give you the step by step of what to look for.

How to navigate Google's privacy options

It's so tiring having to go back and redo privacy options all the time. Of course we all know the reason these places keep changing things is in hopes you'll eventually just say "the hell with it, I'm tired of messing with these things" and then they get their way and get to track you all over.

Posted by: Teresa in WebTech at 03:23 PM | Comments (3) | Add Comment
Post contains 108 words, total size 1 kb.

IPhone Battery Life : now with a tiny update

When Apple updated their stuff (all at the same time... what could POSSIBLY go wrong?).  There was a sudden battery life issue for many iphone users. 

It seemed to be random. Some people had issues others didn't.  Why? What could have caused it? 

I think I found the answer. (although only the few peeps who read my blog will ever know - you'll be cutting edge - ha!).

I did not do all the upgrades at once.  The first thing I did was upgrade my iphone 4 to iOS 5.  That's it.  No other changes.  No iCloud, no Lion on my Mac... just  iOS 5.  And my battery life went into a tailspin. 

I did all the little tricks that have been posted and I mostly got a better battery life, but it wasn't great.  I mean smartphones already have sucky battery life it doesn't help if one upgrades and it's suddenly worse. 

I waited around for a few months.  I let masses of Apple fans upgrade immediately and fail on all aspects.  They moaned and complained and lost stuff.  I waited longer still.  I had Mobile Me and I had until June. 

In another post I talked about the next upgrade. Lion went smoothly but iCloud was a huge annoyance.  I finally got the account straight. Thank heaven!  But my iphone battery life went straight down the toilet... again. 

This time I knew it had to be something to do with iCloud or there was a slim possibility it had to do with my gmail account being on my iphone. 

First of all I deleted my gmail account and added it back.  It's all imap and no mail actually sits on my phone thus it was simple.  No change though.  One down. On to the next.

Then I went into the iCloud settings.  I turned off everything except Mail... the others are (contacts, calendars, reminders, bookmarks, notes, photostream, documents and find my iphone).  Rebooted.  Battery life - phenominal!

Next I started turning things back on one at a time.  I never have Notes or documents to sync, so those remain off. If I want to sync a note I use Evernote. Since I wouldn't even be able to see a document on my iphone, there's no point in bringing those in.

First I turned on contacts, then calendars.  No problems. Then I turned on Reminders. Still no problems. Then Find my iphone.  Still okay.

Then Bookmark sync... OMG battery life started draining at a rate of about 10% (on further though I should make this 10-20%) per hour!!!  Holy crap!!!  Bookmarks? I vaguely remember getting a periodic message on my Mac telling me that Bookmarks were not syncing properly... I should have paid more attention. I always ignored it because I don't  use Safari. There is no reason for me to sync bookmarks  I just wanted to test it. I was absolutely blown away.  Bookmark sync must run continuously in the background.  If I had the battery charged to 100% it was dead by morning.  Completely dead. No life at all.

So Bookmark sync is off.  I even have photostream back on and the battery life continues in the phenomenal range.  How weird is that.  I have not heard a thing from anyone else anywhere with similar findings. 

If you know someone with an iphone and they are having battery issues... they might want to check for bookmark sync on either Mobile Me or iCloud. 

Geeze.  I'm still stunned.

*****

Tiny update: I do have a couple of apps like Omnifocus and a couple of calendar apps that tend to make my battery drain too fast for my liking.  If I turn those off in the background I'm much happier.  Thought I should throw that out there.

I should also be clear - I had the notes feature off on Mobile Me  (documents was not available and was not on by default) so neither of these could have been draining battery life.

Posted by: Teresa in WebTech at 11:01 PM | Comments (4) | Add Comment
Post contains 672 words, total size 4 kb.

Patch It Up

Yesterday was patch Tuesday for Windows machines.  If this is your OS, get the patches done please.

Also, you may remember my post from December about the Zero Day exploits for Adobe.  If you must use Adobe Reader and/or Acrobat, they now have the patches available. 

That is all.

Posted by: Teresa in WebTech at 11:56 AM | Comments (2) | Add Comment
Post contains 52 words, total size 1 kb.

And Now It's Adobe Flash

Ho-Hum... another day another Adobe Exploit.

This time it's Adobe Flash with a Zero Day

The most relevant bit... since there is no fix available and heaven knows when there will be.

The exploits should be addressed by Adobe sooner or later, but until then you might consider a tool like Click2Flash, NoScript, or Click2Plugin for blocking unwanted Flash content from running on your system.

UPDATE: found this vid at CNET that walks you through how to use noscript if you add it to Firefox.

Posted by: Teresa in WebTech at 11:59 AM | Comments (3) | Add Comment
Post contains 90 words, total size 1 kb.

Do You Use Adobe Reader?

There is currently a zero day exploit - a hole in the software that is known but has no patch available as yet - making the rounds.

Security Threat in Reader

I'm linking to a Mac site because it needs to be emphasized that this is a problem with Adobe Reader NOT just on Windows PC's but on Windows, Mac, and even UNIX machines (which I assume includes Linux).

Version 9.4.6 is the currently exploited software (there is malicious software in the wild).  On Windows machines, it will be patched next week. If you are on a Mac or on Unix using this version you are SOL because... hey dudes, it's the holidays! They'll get something out early next year...

Oh... Jolly good then.

If you have a new version of Adobe 10.1.1 there are some options available. The first paragraph refers to Mac (because it is a Mac site).

To enable protected view in Adobe's Reader X and Acrobat X products, go to the Edit menu and select Preferences. Then select "Security (Enhanced)" and check the option to "Enable Enhanced Security," ensure that either the "All Files" or "Files from potentially usafe locations" are checked if they are available.

On Windows PCs you can also go to the "General" section of the preferences and ensure that "Enable Protected Mode at Startup" is selected, but this option is not available for Reader on OS X.

Or better yet - get rid of Adobe if you can.  If you are only using it to read pdf's, then for heaven sake - on Mac use Preview. It's on your system and it's free.  If you need a pdf type thing that's allows you to edit, use PDF Pen.  It's great and it's cheap!

If you use Windows, do yourself a huge favor and grab Foxit Reader. It's free and about 1000% faster when opening PDF files than Adobe is.  They also have editing software that is not too expensive (although I have not used it). 

Really - get off Adobe Reader - get it off your system and you will be safer and be able to read documents far faster than you can with it.

Posted by: Teresa in WebTech at 02:02 PM | Comments (7) | Add Comment
Post contains 368 words, total size 2 kb.

Malware? Who Needs Malware? - Updated at bottom of post and another Update too.

Many people are tweeting the story in The Register today.  The app in question is on many Android devices including HTC units, also Blackberry and Nokia phones.

BUSTED! Secret app on millions of phones logs key taps

An Android app developer has published what he says is conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of its users.

I went and found the youtube vid for those who are geekily inclined.



Many people will see this and say it's overly paranoid.  But the app is recording everything. Stop and think about that for just one minute. Ponder exactly what that means. Every keystroke, all your locations, everything all in one tidy log package. How convenient. 

Go now and read the whole thing, it's one page, I'll wait til you get back.

Carrier IQ is making the point that the data is being used for diagnostics.  Since phones crash using any of the included software as well as during calls, it would make sense to have a log of information including what happened prior to any type of crash be it browser based, messaging based, phone based, or app based.

BUT once information gathering starts, bad things can and do happen.

Let me repeat, in case I wasn't clear enough earlier... the problem is, they are recording everything, all keystrokes...  private data like usernames and passwords, banking information if you bank via your phone, emails you type out and send, sms messages you send, wifi information including SSIDs of other wifi's nearby, your location at any given time, etc, etc, etc.

This is wrong on so many levels it's enough to leave one gasping at the extent of the over reach in data gathering.

And then your private data can be included in the snippets sent back without your knowledge when carriers are trying to find a problem. That's a best case scenario.

If that's not enough to worry about how about these major items of concern:

1. This information is being stored in a log file that is not encrypted.  This log file can be accessed, copied, and transmitted by other malicious apps.

2. It's not clear to me if you do a copy/paste from a password safe (such as Last Pass) whether the usernames/passwords would be recorded since they would not be actual keystrokes. Then again how many people actually use a password safe type of app?  Not many, sadly.

3. This certainly violates many laws such as HIPAA among others which means companies that fall under these regulations have to figure out fast how to deal with this.

So far we don't know that any data has been compromised because of this, but now that the information has been released, you know there will be many a data thief looking for ways to exploit this huge security flaw.

Why oh why is it so hard for people to get it through their thick skulls that collecting private data is NOT a good thing without careful thought as to how it's done and how it's protected.  How many times does this have to happen? 

Carrier IQ and any companies using this service, stop looking so dumbfounded. It's sheer idiocy to be using this type of logging and you should already know that.

Ah the joys of being connected in an internet world.

PS - it wasn't too long ago there was an utter meltdown in the world because Apple was collecting location data (only location data) on the phone itself.  If the response to this app is at all in proportion it should cause the world to stop revolving and then explode.

UPDATE: Sheri posted a link to a Naked Security Blog post about this issue in her comment.  I thought it should be added to the end of the main post.  Also, in that blog post they reference another post about Carrier IQ traces in Apple's iOS devices but it appears to be a true diagnostic feature in Apple

However, the good news is that it does not appear to actually send any information so long as a setting called DiagnosticsAllowed is set to off, which is the default. Finally, the local logs on iOS seem to store much less information than what has been seen on Android, limited to some call activity and location (if enabled), but not any text from the web browser, SMS, or anywhere else.

***
UPDATE 2: Dan Rosenberg, a security researcher who specializes on Android type devices, has written his own post to dispute some of the claims made by the original story. 

It appears to be HTC who is the culprit behind the major overkill of information being gathered in the video, not CarrierIQ.  I was never all that disturbed by the general information being gathered such as phone numbers dialed, location, that kind of thing.  First because the carrier already has access to that info and second, you can't debug a problem without information. 

The part I find disturbing is the very verbose collection of keystroke data that is kept in a log on the device.  If the device is lost or stolen, that log would be available to whoever ends up with the device in hand.  Or a malicious app could grab the log file and send it to a remote server over the airwaves without the user even know it.  So until HTC changes the type of data it is collecting in the background - I can't say they can be trusted to provide any devices I would want to use as my own phone.

Posted by: Teresa in WebTech at 02:44 PM | Comments (8) | Add Comment
Post contains 950 words, total size 7 kb.

Got An Android Based Phone?

Here's a chart showing a number of models and how out of date the software versions are on them. There doesn't seem to be much that can be done about the update problem since it's per vendor, but you may want to be very careful about what you do on your phone if you are using an out of date OS.

Like Windows of old, out of date OS installs are open to security problems. In other words you may want to rethink doing your banking on them among other things. heh.

the understatement: Android Orphans: Visualizing a Sad History of Support

If you want to hear the author of the post talk about how he developed the chart, he was interviewed by Patrick Gray of Risky Business and you can listen to the podcast here.

Posted by: Teresa in WebTech at 10:44 PM | Comments (7) | Add Comment
Post contains 141 words, total size 1 kb.

Patchy - Patchy

A big Java update was released today.  It's time to patch that Java on your pc's.  Why? Because the holes being patched can be exploited simply by surfing to a website with malware java script. It can even be a reputable website that is unknowingly hosting java malware ads. 

If you turned off auto updates because they are a PITA (yes I turned mine off), then go to Control Panel and type "Java" into the search box to find it.  Click the update tab and then the "update now" button to get started.  It's pretty quick and you don't have to do a restart which is nice.

On Mac you'll have to wait until Apple releases an update. 

Posted by: Teresa in WebTech at 11:31 AM | Comments (7) | Add Comment
Post contains 121 words, total size 1 kb.

Whoosh!

That whooshing noise you hear is the sound of all the people (aka fanboys) who use Apple devices trying to get the iOS5 update and iCloud going... all at the same time.  Bits and bytes are flowing at an unprecedented rate over the net.  Causing bliss for some and chaos for others.

While iOS5 sounds like a terrific update... yes, I want it on my iPhone... all I have to do is look at my twitter stream to see the results of the onslaught. 

Just a few:

@switchermark
Is everyone having trouble moving to iCloud? Is it just system overload?

@beaker
iFail. Oh well. Don't call.

@foresmac
Why does the iOS update process, which keeps erroring when contacting Apple's servers, have to do a full backup EVERY. SINGLE. TIME?

This is what happens when there is a highly anticipated software release and everyone is waiting for the words "It's live!". 

At this point it's nearly impossible to figure out if the failures are due to server problems, network problems, device problems, or any combination of the above. 

Of course some out there downloaded and upgraded with no problem at all.  It's hit or miss which is not surprising.  The funny thing is, in about 24 hours all the hoopla will have died down and it will all go smoothly.

So, just like I missed all those opening nights at the theaters with billions of people trying to see the must see movie of the millennium. And all the years I didn't buy the must buy toy of the  season for my kids.  I will wait and do my upgrade in a more leisurely fashion.  There might be problems, but then there always are problems.  Why add to the headache by wading in with millions of others at exactly the same time? 

Oh and if you are going to be doing any Apple updating, please for the love of heaven back up your data first!!! 

Posted by: Teresa in WebTech at 03:52 PM | Comments (5) | Add Comment
Post contains 326 words, total size 2 kb.

Patchy - Patchy

Update: Apple sent out a patch for this today. Whew.

I know most people who read here don't pay much attention (if any) to the computer security news stories going on in the great wide world. Can't blame you, there have been quite a number of data breaches and all kinds of headlines about leaks. It's mind bogglingly confusing.  Who can keep up with it all? And why should you?

Since it gets a bit lengthy, I'm putting the rest below the fold. If you are interested, read on.


more...

Posted by: Teresa in WebTech at 09:04 PM | Comments (2) | Add Comment
Post contains 1087 words, total size 7 kb.

Catch them young, Give them an interest, Chase the Boredom

This year at DefCon, the big news was DefCon Kids. A program for 8-16 year olds that sounds just fantastic. Here are some of the activities:

- wall of sheep
- solving ciphers
- meet the Feds

Details about these are in the article.

When this was first announced there was a major meltdown along the lines of "you're teaching babies to be criminals" or some such rot. Even in this article one of the lines was:

Are we introducing kids to computer security concepts too soon? Shouldn't we just let them be kids? Could these concepts be too much for them to handle?

Let me just smack my head against a wall here... sheesh. Don't we tell them to lock doors? Don't they get combination locks on school lockers? Aren't they admonished by teachers not to cheat on schoolwork?  You would think these kids are so simpleminded they can barely function and they should all be playing with Barbies and Transformers... BAH!

Now let me introduce you to CyFi... she's 10.

10-year-old hacker finds mobile game exploit

The California hacker - who revealed her discovery over the weekend at the DefCon conference - said she came across the vulnerability in January 2011 after she becoming "bored" with farm-style games.

There you have it - the bane of kidhood - boredom.  It causes more problems and leads to more crime than just about anything else. 

This girl is smart. She's figured out how to hack around a system all on her own.  Instead of wringing hands and wondering if she's "too young to understand" why not give her a peer group and people to mentor her and goals to reach.  She may one day be a totally awesome coder/cryptographer... you name it.  She's 10 with the entire world before her.  I can't tell you how happy I am to see DefCon reaching out to these kids and hopefully pointing them in directions that will help them and us as they grow up.

Posted by: Teresa in WebTech at 07:38 PM | Comments (2) | Add Comment
Post contains 342 words, total size 2 kb.

Got an iPhone or iPad?

There is an important security update out there.  I know my i devices are set to check for updates once a month and that's not for a few days yet. 

So I connected my iphone and checked for updates in itunes to get it installed.  Would be a good idea to do this. 

 

Posted by: Teresa in WebTech at 08:57 PM | Comments (2) | Add Comment
Post contains 58 words, total size 1 kb.

Let's Talk Email

The other day I was blogging about LulzSec and I mentioned a few things you need to look for before you click that link. But I need to add to what I was saying in that post. 

Posted by: Teresa in WebTech at 10:56 PM | Comments (8) | Add Comment
Post contains 643 words, total size 5 kb.

Lulzsec - Careful there

You may or may not have heard of Lulzsec. In the online world they have been grabbing attention by grabbing info.

Massive Gmail phishing attack hits top U.S. officials

They've gotten gmail users, Sony, Citigroup, the IMF, the US Senate, the CIA, and oddly enough writerspace.com (an online website service for writers), probably a few more I'm not aware of or forgot after reading all this.   But I think this conveys the idea... they are prolific, proficient, and they have an agenda.

Today I received an email purporting to be from someone concerned because my email address was in the list of those that had been compromised.  I was sent several links where I supposedly could check for myself...

Ooookey dokey... I'll get right on that. 

While anything is possible. It's highly unlikely that the email was real.  First of all, I have to go through major contortions to get at my gmail password... I don't know it so I can't just type it out. I use 1Password and I never have to type my passwords once they are stored, the passwords are long and random.   I don't have them memorized and I have not gone to the trouble to find any password and pass it on.  Along with other safety features and 1Password, I am pretty sure I'm covered so far.

So, unless I missed something, I have not been "phished". 

It's always possible that someone broke into the gmail servers and managed to steal data.  Google claims this did not happen, but in the world of 1's and 0's anything is possible. 

What I did NOT do is respond in any way to the email I received.  I did not click any links, I did not write them back.  I trashed it.  I also changed my password as a precaution and I'm keeping an eye on my sent email box to make sure nothing is going out that I did not send.

If you happen to receive anything similar, I highly recommend you do the same. Unless you have a computer you feel like trashing along with an email address you'd like to abandon, it's not worth the problems to pursue trying to find out what's at the other end of the links. 

Consider this your email safety tip of the day.  Watch what you click!  Before you hit that link, think about what might be at the other end. 

Yes, you can receive emails from the email box (or return email address) of a person you know. This does NOT mean it comes from that person. Their email account may have been hijacked OR someone may be "spoofing" the return address so what you see looks like someone you know. 

Here are some things to look at when deciding whether or not to click a link or respond:

Does it look suspicious? 
So one of your friends sends you a link that ends in .ru - all it says is "Watch this".   Really? Are you going to click it? 

Does it even begin to sound like someone you know? 
You get an email from a friend but it's spelled strangely, it's not at all how they usually write, and the link looks strange (or is one of those compressed urls).  Are you going to click it?

Do you know the person?
A "good Samaritan" sends you an email telling you to "check here" to see if there is a problem. Are you going to click the link?

If you answered yes to any of the above - you are already or soon will be in trouble.  At the very least, if it's a friend, email them back and ask if they sent the link.  Better yet, just give it a miss. Trash the email.  There is very little out there that you will miss by doing this.  And you will keep yourself a little bit safer.  (No you won't see the latest naked celeb... what a shame)

There are more I could add here, but I hope this is a nice little sample to get you thinking. Even if I mentioned every type of phishing email I've seen, I'd still miss one. The real point is think before you click.

Oh yeah - never ever ever give your password out to anyone.  If you ever find that you have given out a password - even for what seems to be a good reason... change it as soon as possible.

If you use gmail - you may want to enable their new 2 factor authentication.  They explain it here.

That's just a few little things.  I didn't want to write a book so do not consider this to be complete.  Just something to jog your elbow and make you pay attention.

Stay safe!
 

Posted by: Teresa in WebTech at 11:20 PM | Comments (3) | Add Comment
Post contains 799 words, total size 5 kb.

IPv6 Day

Tomorrow many of the big internet players (including Facebook) will test the new IPv6 protocol.  You may or may not experience difficulties.  If you can't get a connection to a site you regularly visit this may be why. 

There is more at Ars Technica for the geekily inclined.  Otherwise it's a good idea to just wait things out rather than tinkering with network stuff and breaking something. 

I have no idea what will happen.  Might be nothing, might be a melt down or anything in between.  IP address space is about gone, so things will have to change, we may as well see what breaks and try to fix it. 

If I don't see you tomorrow - you know my internet died an unhappy death. 

Posted by: Teresa in WebTech at 07:45 PM | Comments (4) | Add Comment
Post contains 127 words, total size 1 kb.

It's the Web Web West

So where was I? Ah yes, I had just told you that the internet continues to be the new Wild Wild West - which anyone with any sense already knew. Yeah, it’s dangerous out there. And naturally everyone then says, okay, where do we go from here?

There are some things you can do to keep yourself a tad bit safer while cruising the cloudy pages. The real problem as always is… The bad guys only have to find one hole. The good guys have to guard everything. It’s a very lopsided war and very hard for the good guys to remain alive, no matter how hard they work. You can do everything right and still get bit.

The only saving grace in this scenario is that people tend to be lazy - they’re gonna go for the easiest thing they can get unless it’s a vendetta. Soooooo….

Your goal is not to be one of the "low hanging fruit”. Let’s begin.

more...

Posted by: Teresa in WebTech at 08:06 PM | Comments (2) | Add Comment
Post contains 861 words, total size 5 kb.

Scareware - The Bane of Web Browsing

I can hear the collective groan now from all three of the readers who persevere and click through to see if I got around to posting something. Yes, we must periodically talk tech. After all, if you are reading this, you are on the internet, using tech, and you should occasionally give some consideration to your safety online. However, I shall place the majority below the fold if you'd like to skip it... cause I'm nice that way. BTW - I am starting with a Mac story, but I do have a couple of things to say about Windows and Linux too.

Or just look at the pretty picture instead...


more...

Posted by: Teresa in WebTech at 05:26 PM | Comments (5) | Add Comment
Post contains 772 words, total size 5 kb.

Testing

Testing. You can ignore this. Just wanted to check & see if basic posting will work from my iPad. So far yes.

Posted by: Teresa in WebTech at 12:00 AM | No Comments | Add Comment
Post contains 23 words, total size 1 kb.

Lions and Tigers and Trojans Oh My

Saw this story today at Cnet and thought it might be time to once again remind people... beware of trojans - no matter what type of computer you use.

New MACDefender malware discovered for OS X

Naturally we have the people who hate Apple all saying with that lovely little sneer... "I thought Apple people said there is no malware for Mac."   

Ho-hum.  I have never said that.  However, this is not a virus.  It is a trojan malware that is using phishing techniques to get onto systems.  Anyone with any computer is susceptible to phishing scams. 

This is a multistep process that you have to allow and even enter your system password and give it permission to install itself.  So it's not like you open a website or an email and "bam" you have something.

While this threat is a new attack attempt on OS X users, its threat level is relatively low because it does require a fair amount of user interaction to install the malware. You have to first provide the correct search terms to the search engine, and then proceed with the installation by manually clicking the buttons in the installer window. As long as you avoid doing this for software you have not purposefully downloaded, then you should be good to go.

If you use a Mac and you browse with Safari - please please please - go to the Safari menu --> Preferences --> General tab and UNCHECK the box at the bottom that says "open Safe files after downloading". 

You should never allow something to download and open itself.  Ever.  Even if you downloaded it because you wanted it.  Your computer does NOT know the difference between what you downloaded because you wanted it and what got downloaded because a hacker put it on a web page to auto download.

It's easy enough to find the file you downloaded either on your desktop or in your download folder then click it to open.  This will save you much grief. Auto open of anything is much like the stupid settings in Windows and Mac that don't show you file extensions.  Yet another idiot method to get crap on your system before you have a chance to stop it.

Anyhow - that's my public service announcement for the day.

If I can find the time I am working on some posts about how to protect your computer online so you don't get bitten when it can be avoided.  Maybe one day I will get the chance to post it.  All I need is some time.  Ha - right.

Posted by: Teresa in WebTech at 11:26 PM | No Comments | Add Comment
Post contains 440 words, total size 3 kb.

Want to Know About Hard Drives?

Want to know how they die? Want to know what the pros do to try and recover data? Want to know about flash drives and how good they are? Want to know what you would need to do to be sure your data is not recoverable from an old hard drive?

Then you need to check out this fantastic podcast TMUP 233: Hard Drive Master Class with George Starcher and Scott Moulton. No, it's not all about Macs - it is all about great information. So grab a cup of coffee and a snack and check it out.

Posted by: Teresa in WebTech at 07:40 PM | No Comments | Add Comment
Post contains 104 words, total size 1 kb.