I want to create a “Security Virus” (a virus, in that it can’t easily be removed/disabled) that when the computer is turned on tries to ping a known locally-hosted IP and verify the MAC address of the target. If it can’t verify/ping the target, it disables any usage of the UI, sends location data through Google Chrome, Firefox, or IE9′s location sharing capability to the owner’s email, and then turns itself off.

It would be even better on laptops with a 3G/Mobile data plan that it could automatically connect to in order to send the location data.

The purpose would be to help recover stolen computers. I know there are location-aware services for mobile devices and creative people have been able to recover stolen computers that have stupidly been put on the network. I’m also sure there are some pitfalls to this idea…what do you think?

Technorati Tags: computer security, location announcing, location-awareness, modern browsers, security

According to the New York Times, AT&T is going to launch a text-message service to send SMS messages to customers in certain locations.

Um, hell no!

It’s called “ShopAlerts” and is designed to allow “brand-partners” (i.e. HP, Kmart, JetBlue, S.C. Johnson, etc.) to send advertisements and coupons to customers who happen to be in range of the “geo-fence” (a pre-defined geographic area around a particular place) for that brand.

The service is opt-in, which makes it a little less about. The troubling thing is it is just another way for people to give up their privacy.

If you allow a service to track when you are *in* a particular place, then by default it will also know when you are *not in* that place. Checking in on Foursquare should be enough of a trigger to send these kinds of advertisements – it shouldn’t be based on a passive location awareness.

In fairness, JetBlue does intend to use their JetBlue Go Places mobile app to offer their program’s points via check-in. According to the article, there is no mention of similar action-requirements. S.C. Johnson intends to put a geo-fence around Wal-Mart to [passively] offer their discounts.

It all sounds eerily similar to the Minority Report’s retina scanners in the shopping malls. Let’s hope the day never comes when you can walk past an adult novelty shop and the on-screen display asks how that sex toy you bought 2 weeks ago has worked out for you. This technology, if extrapolated to track purchases as a response to the ad, combined with the already-present knowledge of your receipt’s items would surely enable such a world.

Don’t opt-in. It’s already easy enough to track you, without making it constantly available.

Technorati Tags: advertisements, at&t, geo-fencing, hp, jetblue, kmart, location-based marketing, presence tracking, privacy, scjohnson, security, shopalerts, walmart

Configuring Facebook Application Security

One of the lures of Facebook that attracted people away from MySpace (aside from the lack of smiley ads and whoring out of everyone who ever picked up a musical instrument) is the applications. Whether you realize it or not, applications first appeared on Facebook around 2006, but didn’t take off until 2007. And if you didn’t realize it has been that long, then chances are you don’t realize you may have residual applications still sucking down your personal information. You may also be unaware that the application you just installed to “see how many people viewed your Facebook profile” or “see what my first status update was” or any of the “OMG you have to click this link to see [insert something outrageous]” were actually scams. Now it’s time to clean up all that crap you’ve installed on your Facebook profile.

Privacy Settings > Application Security Settings

Open up your Privacy Settings (as in the image above) and then locate the “Edit your settings” link in the Apps and Websites area…

Once you’re inside of the Applications Settings area, you should see something like the image below, which lists all the different application settings available to configure. We’ll start with the Red box, “Apps you use” > Edit Settings button…

Facebook Privacy > Apps and Websites > Apps you use

Click on the Edit Settings button for the “Apps you use” section (the red box in the image above) and you should see a list of all the apps you’ve ever given access to your information in the past, and haven’t yet removed. It should look something like this…

If you want to see what information each individual application has access to, you can click the Edit Settings link for that application, and take a look. The Ping.FM app looks like this…

There are a couple rules of thumb you could use to figure out which applications to remove, and which ones to keep.

1. Do I actively use this application, on a more-than-monthly basis? Basically, if you don’t constantly need this application in order for your Facebook experience to stay in tact (i.e. pulling your twitter updates, posting your RSS feed from your blog as notes, updating via Ping.FM, etc) then you probably don’t need to keep it installed. This will probably get rid of the majority of your applications that are just sitting there sucking up your personal information.
2. Did this application complete its purpose? Was the app used to collect your status updates for the year, find out your Aura’s Color, or some other thing that you had to install it once, and got one result, and never touched it again? If so, you don’t need this application to linger around – it has served its purpose.
3. Did this application fail to complete its purpose? Was the app originally for something like adding a Dislike button, or showing your profile views, or finding your biggest Facebook stalkers…but never actually gave you accurate information or came through with its end of the deal? Then the app was a phony, and was created for the sole purpose of collecting information about you, and you should have deleted it the day you installed it and it failed.
4. Do you remember even installing this application? If you don’t even remember installing it, remove it. Don’t convince yourself of the fallacy “I don’t know what it is, so I better keep it in case I need it.” This isn’t like Computer Software – if you end up needing the app sometime in the future, then the app will make you reinstall it again.

To remove the applications:

• Just click the little X icon for each one.
• It will ask you if you really want to remove the app, and then click Remove.
• It will take a few seconds, and then come back with a confirmation. Click Okay.
• Then move on to the next one.

Once you’ve paired down all the applications to just the ones you want/need to keep, we can move on to the next Apps and Websites Setting, “Info accessible through your friends“.

Facebook Privacy > Apps and Websites > Info accessible through your friends

If you recall, in the Ping.FM application image above, there is a section called “Access my friends’ information“. This Settings page is where you limit the information that your friends’ applications can access about you. When you click Edit Settings for the “Info accessible through your friends” you will get a window full of check boxes where you can uncheck anything you don’t want your friends’ applications to be able to get. Personally, I only want them to know about my website – the more traffic it gets, the more people I can help with information like this. Here’s what I have set mine to…

In the early days of Facebook applications, some clever developers would take your friends profile photos, and then use some code to display their photo and claim they were using the app also, or that they scored X points on this game, or other false information to get you to continue using their application. Personally, I don’t want any of my information to be available to anyone other than my human friends, and only outside of applications.

Facebook Privacy > Apps and Websites > Game and App Activity

There really isn’t much to this section. Just set it to Friends Only to limit all your game playing and other activity (Youtube Favoriting, etc) to just your friends.

Facebook Privacy > Apps and Websites > Instant Personalization

This setting is directed at a particular set of websites. At the moment, according to Facebook’s Instant Personalization page, those websites include:

WARNING: Once you visit one of these websites, they will AUTOMATICALLY show up in your “Apps You Use” section.  You will have to go remove them if you do not want them to continue to have access to your information.

• Bing
• TripAdvisor
• Clicker
• Rotten Tomatoes
• Docs
• Pandora
• Yelp
• Scribd

The purpose of this feature is to display the public activity of your friends, with respect to the particular website you’re visiting from the list. For example, if you visit Rotten Tomatoes, any of your friends’ public activity relating to the Rotten Tomatoes website will be displayed in the designated section. In order for this to happen, the website must automatically install their application as soon as you visit the site, assuming you’re enabled “Instant Personalization“. Conversely, if you have this feature enabled, any of your public activity on this website will be visible to your friends when they visit the site as well. According to the description on the Instant Personalization page, this is limited to only the information you have set to be visible to “Everyone“.

If you followed the instructions in the previous “Privacy’s a Joke” post, “Configuring your Facebook Profile Privacy Settings” then there is a pretty good chance that you do not have anything set to “Everyone“. As this is an exercise in privacy, we’re going to disable this feature.

1. Click the “Edit Settings” button for Instant Personalization
2. Close the popup video window.
3. At the bottom of the page, uncheck the “Enable instant personalization on partner websites” checkbox.
4. Click the Confirm button in the popup window
5. Then click the Back to Apps button in the top left to go back.

Facebook Privacy > Apps and Websites > Public Search

The last setting to modify is the Public Search. If you followed the ”Configuring your Facebook Profile Privacy Settings” post, and didn’t leave anything set to “Everyone” then you’re set.

This feature tells search engines whether or not to show a preview of your profile in their search results. When you click the Edit Settings button, there is a See Preview link to see a preview of your information if the feature was enabled.

Generally, if you’re concerned about keeping your personal information private, then ensure that the checkbox is cleared for Enable Public Search and you’re all set.

Part 2 Conclusion

Hopefully you’ve gone through all the various sections described here, and prevented your personal information from leaking out behind the scenes and without your knowledge. Now that you’ve locked up your information from prying eyes on the outside, and from prying eyes behind the scenes, the next post will show you how to lock it up from prying eyes on the INSIDE.

Not everyone on your friends list is the friend you think they are. Do you really keep 200, 300, 500, 1000 different people at the forefront of your thoughts every day? Probably not. There’s a good chance that some people are just lurking around benignly watching what you’re doing. Other people you may have to work with every day, but can’t post updates on the internet because they’ll read it and you might offend them. Still others may comment on your photos, or updates, or notes and say stupid stuff all the time, and you just wish they couldn’t even see them in the first place. Grouping up these sets of people, and using these groups for more granular control of your information is what I’ll cover in the next post: Friends Lists.

Technorati Tags: cyber safety, facebook, facebook applicaiton privacy, facebook application privacy settings, facebook application security, facebook application security settings, facebook privacy, facebook privacy settings, facebook safety, facebook security, facebook security settings, online privacy, online saftey, online security, privacy, security

Source: swcenter.fortlewis.edu

I’m sure at one point or another, everyone has done the “ego search.” You go to Google, type in your name, and see what comes up about you. From what I’m told, there’s even a fun ranking system based on the number of pages that show up about you.

My real name has about a 6. My online alias is somewhere around 3300. Why?

For reasons simple enough: I started my online life under an alias so that one of my sets of parents (the estranged ones) would not be able to find me, but I could still write and do whatever I wanted with my friends over the internet. Fortunately, this worked out in my favor years later when it came down to internet privacy.

Unfortunately my real name did make it to the internet, and it came down to two reasons, one of which was my fault, the other was an uninformed elementary-school friend I had just found. I will discuss those reasons later on.

Moving on.

If for some reason you haven’t bothered to take a look at just what shows up for your name in a Google search, you should go do that right now. I’ll wait.

No, really…go do it.

What did you find? Were there any recognizable pages that were obviously about you? Did you put them there? Were they compiled by someone else? Was there any information on those pages that allowed for John Q. Stalker to help himself? If so, you probably need to either figure out how to protect the information on that page from prying eyes, or do what you can to take that page down.

What about those of you who didn’t find anything…Why do you think that is? Do you do all your online business via an alias? Even if you don’t go by an alias most of the time, try searching for that alias and others that you use. Then, try searching for that alias and your first name….then add your last name to it. What did you find? You probably found some pages where your “semi-anonymous” alias is linked to your real name. All it takes is one for the privacy to be broken.

I’m sure there are a handful of you reading this thinking “Nope, I didn’t find anything under my name, and I don’t really have an online alias that I use everywhere, and the ones I do have are so common and/or scarcely used that it would be difficult to pinpoint it to my real name.” Bravo to you for making it difficult to be found on the web. But there’s still one more thing…people searches.

Lately, there has been a boom of People Search Engines. Sure, they’ve always been around in one form or another, starting with the White Pages in the phone book, which got online, and then grew from there. But these days, the technology behind them is much more sophisticated. These days, they crawl the internet for publicly available information, and store it up, keeping an associative record of what they found, and who it’s related to.

So, if you think you’re safe from a Google Search, why don’t you give this a try…visit here and here, and just type in your first+last name, nothing else. Then scroll through the page until you find the entry that describes you. There’s about a 95% chance that it’s there. It may not be the most current, but the fact that the information they have is there is pretty unsettling in itself.

Unfortunately, I’m not sure if there is any way to remove the information from those sites – however, there are ways to stop them from getting more information.

This was just a glimpse at what’s out there. With some creative searching, all it takes is two pieces of information to find someone. With those pieces of information, the vault doors are blown off and all kinds of information is available about anyone who hasn’t taken the steps necessary to protect it: birthdays, family members, employers, addresses, home values, home floor plans, photos, license plates, drivers licenses, daily/weekly schedules & routines, favorite hangouts, alerts to the world about where they are (and aren’t), credit info, security questions for credit card applications, etc. Everything you could possibly want is potentially available online, if you know where to look.

Hopefully by the end of this series, you’ll have prevented a majority of this information from making it into the hands of stalkers, identity thieves, and serial cyber-bullies, while still being able to have an online life. Meanwhile, you should probably go check the privacy settings on every site that you update information to, and make sure that it’s either “not public” or “friends only.” If you use location-updating services (Foursquare, Gowalla, Twitter, Facebook, etc) make sure that you never check in at home, of all places, and that your updates are available to only friends, and that you only have ACTUAL friends in your list – not just whomever wants to follow you. I’ll cover each of these types of services in future posts.

The next post will talk about self-inflicted information leaks.

Technorati Tags: finding personal information, how do I find myself online, how to find yourslef online, online bullying, online harassment, online privacy, online safety, online security, people searches, privacy, privacy's a joke, security, what information is available about me online

Source: endlessorigami.blogspot.com

About 10 years ago, having an email address and/or an instant messenger screen name meant you were riding the cutting edge of the internet. A couple of years after that, the hot trend was having a MySpace profile. Today, it’s generally assumed that everyone has at least a Twitter account or a Facebook page.

Over time, and as online services gain more and more capabilities, a couple of things happen:

1. We forget about all the old stuff we signed up for, and that information stays out there.
2. We offer up even more of our personal information simply because the boxes are there for us.
3. We open ourselves up to being tracked online and become subjects of data-mining projects because the boxes are not there to opt-out.

Why is this a problem?

If you don’t know the answer to this question, you probably shouldn’t join any social networking sites.

Nothing done online is 100% anonymous. Not only can the source of the effort to put it online be tracked, but also the person’s online persona (the account and global online identity of the person), as well as the physical place of the person. Once the information exists on the internet, it is available for search in one way or another, then compiled and categorized. The more information that’s out there, the more to gather.

Why is this bad? Simple: cyber-stalkers or cyber-bullies. These acts are cyber-stalking or online harassment.

Cyber-stalking is the use of the Internet or other electronic means to stalk or harass an individual, a group of people, or an organization. It may include false accusations, monitoring, making threats, identity theft, damage to data or equipment, soliciting minors for sex, or gathering information to harass.  ”Harassment” must meet the criterion that a reasonable person, with the same information, would regard it as enough to cause another reasonable person distress.

Source: wikipedia

The rest of this blog series will discuss how to protect your information from this kind of stalking effort, but the rest of this post will tell you what to do if you become a victim of these acts.

1.) Do NOT react. Period.

The very most important thing to remember is that you must not react. Don’t respond, don’t reply, don’t acknowledge the person at all. The people who get involved in this type of activity do it only to get a reaction out of the person, as shown by this SI.com writer when he got angry tweets about one of his columns and contacted the  person. Often times they’ll do it under a fake online alias (whether it’s a fake human’s name, or a fake screen name) so that you can’t tell who it actually is.

As upsetting and stressful as the messages like this will be, this is the most important thing to remember.

2.) It’s not personal, it’s serial.

It is most likely that the person behind the act doesn’t even know you. Instead they have a preset collection of messages and responses and look for people online that have posted something related to the subject they have created responses for.

In my most recent case, I had someone come after me because my fiancée and I went to dinner at Uno’s Pizza. Later I found out he sent the same message to someone who’s girlfriend had a party for him at TGI Fridays. In the real world, we had no connection. Online, we fit the individual’s serial criteria.

3.) Take action on the site.

Chances are, this is all taking place on a public website that you don’t have control over. If you do have control over it, then you are probably aware of how to block the person. If you’re not, contact your web host’s customer service to ask about your options.

Most people who get targeted aren’t their own web host, I’ll focus on them: block the person.

My instance described above happened on YouTube. YouTube can block users from sending you messages, posting on your channel, and making comments on your videos. More extreme measures might also include blocking your Subscriber list, Friends list, or even Channel from public view altogether.

The main thing to remember, no matter what the social site is: make sure you have taken proper measures to prevent this person from contacting you…and don’t urge the person by responding or indicating that you even received a message from them.

4.) If needed, report it to the web service.

If the person continues to find ways around the privacy measures available from the web service, then visit the help pages to find out what their policies are on harassment and other unwanted acts.

For me, it took 3 separate reports, and a nasty message via Twitter to finally get results. Among the other things I did in preparation for the last day, I don’t know if it was the person, or YouTube themselves, but at the end of the day the individual’s account disappeared (after being active for several months with several thousand views to it).

5.) If it continues, report it to the police or FBI.

If the web service is not taking the proper actions, or if the person is threatening your physical safety by disclosing personal information, making physical threats, or other types of harassment, contact the Police. According to the US-CERT webpage on dealing with cyber-bullies the local police department or FBI branch are good places to start when reporting online harassment. If you are unsure where your local FBI office is, here is a directory of all their US locations that you can search by providing your state or zip.

Recap…

The most important things to remember when someone picks you as a target for their online harassment are:

1. Do not react: They feed off the target’s reactions.
2. It’s not personal: Don’t take anything they say personal. It’s just stuff they found online, or made up completely.
3. Block the person: Take any measures necessary to block the person from further contact.
4. Contact the Website: If the person is making extra effort to get around the blocks you’ve put in place, contact the website
5. Contact the Police/FBI: If the threats are becoming more real, or the harassment does not stop, alert the local authorities before it’s too late.

Next up, finding out what information is out there about yourself.

Technorati Tags: bullying, cyber harassment, cyber-bully, cyberstalking, harassing, how to contact police for online harassment, online predators, privacy, report cyber harassment, report cyberbullies, report cyberstalking, report online bullying, report online harassment, security, stalking

Source: blog.joeandrieu.com

Privacy’s a joke. Security is not.

After dealing with online harassment for the first time on a third-party site, and with a person whose IP and other information I didn’t readily have available as the Administrator of the site, I learned a lot from how they operate to how one should respond.

At the end of 2 months the ordeal was finally resolved. The person never confessed to the actions, and instead denied it to his family when I presented them with it, and cooperated in removing any mention of it on his social network sites. Whether the person I tracked down was the actual offender or a highly coincidental bystander, it makes little difference. The real issue, however, was the wealth of information I ended up finding about this individual combined with how easy it was to get it all.

I decided I would start a blog post series to help others less privacy-savvy internet users make sure they aren’t broadcasting tons of personal information out to the world at large, and also how to deal with online harassment – the correct way (not the vigilante methods I used).

The first post will be how to deal with online harassment, and what courses of action are available. After that, I’ll show you what information is available about you on the internet, and just how easy it is to mess up an otherwise clean online identity through something as simple as Favorite-ing a Youtube video, posting an update to Twitter, or even running a website under a pseudonym. There will be a new post every Monday, starting January 3rd, 2011 @ 10:00am CST, and the series will continue as long as I have content to write about.

The series is called “Privacy’s a Joke” because when it come to online actions, everything is traceable. And unless you jump through some major technical hoops (as most users don’t) then everything you do provides a little more information about who you are. However, there are things you can do to minimize what information gets put online, and who has access to it.

Technorati Tags: anti-stalking, cyber bullying, cyber harassment, identity theft, online bullying, online harassment, online privacy, online safety, online security, privacy, privacy's a joke, security

• Their passwords are going to have to change at some point, due to security policy.
• When they change it on their desktop, it’s not automatically done on their laptop.
• After changing the desktop password, they need to connect the laptop to the network and then login with that new password for it to be cached.

Now, it’s easy to write out, and easy for a tech to understand the scenario – but it’s not that easy for a 45yr old Hispanic guy who hates his laptop anyway to grasp. But what if they didn’t have to grasp anything? What if no matter where you were, the login process and the features available were as seamless in Wisconsin as if you were sitting at your desk in Texas?

What I’m proposing is this:

• Internet is gained through the use of a mobile AirCard, that is set to automatically connect once plugged in. If no AirCard, some other form of high-speed internet would suffice, and possibly be preferred.
• Use OpenVPN as a system service that runs when Windows boots. It makes its connection to the Main Network with a PSK (pre-shared key), authenticates, and then routes all internet and network traffic through that connection.
• A Windows or Linux client that has been previously joined to the Active Directory Domain on campus.

Upon boot, the computer connects to the internet, and then sets up the VPN connection to the main campus. This is done as a Windows or Linux service. When the login prompt appears, the user enters their most recent credentials for the main campus, and logs in. These credentials are then passed through the secured VPN to the main campus, authenticated against LDAP or AD, and their group policies, logon scripts, and other drive mappings are passed back down to the client. After the personal settings have loaded, their laptop experience is just as it would be if they were on the main campus LAN – but all their traffic is secured, and over a WAN.

Can it be done? Has it been done? Is there a step I’m missing – or some important brick preventing it?

Blogged with Flock

Tags: openvpn, network, windows, linux, authentication, active directory, PSK, WAN, LAN, mobile, laptop, connection, internet, security, group policy

Technorati Tags: active directory, aircard, client, computer, desktop password, directory domain, Domain, drive mappings, group, group policies, high speed internet, laptop, ldap, Linux, network, network traffic, openvpn, passwords, personal settings, PSK, scripts, security, security policy, technology, University, user, vpn connection, WAN, Windows