Secure browsing with Chrome and Firefox

Google is leading the push to an encrypted and more secure internet. The Chrome browser’s security team is changing the way Google Chrome handles web pages, with Firefox playing catchup.

Have you noticed that little padlock icon that often appears on your browser’s address bar? Look at the left end of the navigation bar. What do you see?

On Chrome: 

On Firefox: 

On Internet Explorer (to the right): 

With plain HTTP, all information is sent in clear text (unencrypted); any computer between the sender and the receiver can read the traffic. The padlock together with HTTPS (the S stands for ‘secure’) means that the connection between your computer and the computer at the other end is encrypted, so the information cannot be snooped on by a third party in transit. This is why people who build websites responsibly have at least ensured that their login pages and sensitive information (such as credit card details) are served over HTTPS instead of HTTP.

If you click on the padlock, you might see some more information that helps verify that the site is indeed owned by those who claim to own it. Like so:

Nevertheless, few people actually watch out for the padlock to see whether the sites that they log in to are secure. We need something simpler. This is what Chrome and Firefox have done: when a user goes to a page that asks for sensitive information, the browser checks whether the connection is over HTTPS. If it is not, it warns the user that the page is not secure.

See what happens when I click the ‘login’ box for Qantas’ site.

Chrome:

Firefox:

What if a technically informed user tries to force the website to use HTTPS, but the site tries to ‘downgrade’ to HTTP? See the example when I navigate to https://www.trivago.hk

On Chrome:

On Firefox:

Also notice how different these warnings are from equivalent warnings in Internet Explorer:

While it does look ugly and slightly menacing, we have come across such warnings often enough, especially at our workplaces, that we have learned to click through them to reach the sites we wish to reach. Chrome and Firefox make clicking through a little more difficult in order to protect their users.

The major browsers, including Safari and IE/Edge, have gone further for sites that they consider actually malicious: they block them to prevent the user from accessing them unintentionally.

Google’s long-term goal is to make all sites use HTTPS so that our browsing is generally more secure. Google will give HTTPS sites an advantage over sites that do not use it in its search results. The plan was announced in advance so that website owners would have time to make the required changes. It has also given Mozilla time to catch up and join the plan.

What can you do to improve your browsing security?

  1. Use a modern browser such as Chrome or Firefox (stop using Internet Explorer) that puts in the effort to protect you.
  2. Use the ‘HTTPS Everywhere’ add-on from the EFF (Electronic Frontier Foundation) to force sites to use HTTPS wherever an HTTPS version exists.
  3. Use an ad-blocker to prevent malicious advertisements from showing up.
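As an added example (this is not code from the post, from Google, Mozilla or the EFF), the JavaScript below models the three behaviours described above in simplified form: the “Not secure” warning for an HTTP page that collects a password or card number, the detection of a redirect that downgrades HTTPS to HTTP, and an HTTPS Everywhere-style rule that upgrades http:// to https:// only for hosts known to serve HTTPS. The function names, the example.test hostnames and the sample HTML are this example’s own constructions; the hosts are not real sites.

```javascript
// Added example, not code from the original post or from any browser vendor.
// Names (classifyPage, detectDowngrade, upgradeUrl) are this example's own.

// A page counts as collecting sensitive data when it has a password field or a
// credit-card number field (the standard autocomplete token is "cc-number").
const PASSWORD_INPUT = /<input\b[^>]*\btype\s*=\s*["']?password["']?/i;
const CARD_INPUT = /<input\b[^>]*\bautocomplete\s*=\s*["']?cc-number["']?/i;

function collectsSensitiveData(html) {
  return PASSWORD_INPUT.test(html) || CARD_INPUT.test(html);
}

// Simplified model of the 2017 Chrome/Firefox indicator: an HTTPS page is
// marked secure, an HTTP page that asks for credentials or card data gets the
// "Not secure" warning, and any other HTTP page gets no special indicator.
function classifyPage(url, html) {
  const { protocol } = new URL(url);
  if (protocol === 'https:') return 'secure';
  if (protocol === 'http:' && collectsSensitiveData(html)) return 'not-secure';
  return 'neutral';
}

// Given the URLs a navigation passed through (each redirect target appended in
// order), return the index of the first hop that fell back from HTTPS to HTTP,
// or -1 if the connection was never downgraded.
function detectDowngrade(chain) {
  let sawHttps = false;
  for (let i = 0; i < chain.length; i++) {
    const protocol = new URL(chain[i]).protocol;
    if (protocol === 'https:') sawHttps = true;
    else if (protocol === 'http:' && sawHttps) return i;
  }
  return -1;
}

// Rule-based upgrade in the spirit of HTTPS Everywhere: rewrite http:// to
// https:// only for hosts known to serve an HTTPS version; leave others alone
// rather than break sites that have no HTTPS at all.
function upgradeUrl(url, httpsHosts) {
  const u = new URL(url);
  if (u.protocol === 'http:' && httpsHosts.has(u.hostname)) {
    u.protocol = 'https:';
  }
  return u.href;
}

// Constructed sample inputs (not real pages or sites).
const LOGIN_FORM = '<form action="/login"><input type="text" name="user">' +
  '<input type="password" name="pass"></form>';
const NEWS_PAGE = '<article><p>No forms here.</p></article>';
const KNOWN_HTTPS_HOSTS = new Set(['shop.example.test', 'mail.example.test']);

console.log(classifyPage('http://shop.example.test/login', LOGIN_FORM));   // not-secure
console.log(classifyPage('https://shop.example.test/login', LOGIN_FORM));  // secure
console.log(classifyPage('http://news.example.test/', NEWS_PAGE));         // neutral
console.log(detectDowngrade(['https://shop.example.test/', 'http://shop.example.test/'])); // 1
console.log(upgradeUrl('http://shop.example.test/cart?id=7', KNOWN_HTTPS_HOSTS));
console.log(upgradeUrl('http://news.example.test/', KNOWN_HTTPS_HOSTS)); // unchanged
```

Real browsers do considerably more (mixed content, certificate validation, HSTS), but the three functions show why the padlock alone is not enough: the warning is tied to what the page asks for, and a downgrade is only visible if you watch every hop of the redirect chain, which a rule that upgrades known hosts prevents in the first place.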

Also see:

https://www.essaysonsecurity.com/2016/12/21/securing-yourself-online/

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

https://support.mozilla.org/t5/Protect-your-privacy/How-to-stay-safe-on-the-web/ta-p/26286

Online rental scam

I recently moved to Hong Kong and was the mark of a scammer who tried to cheat me out of a rental deposit. I lost no money, just a bit of time that I could have used to view other properties and get settled in earlier.

The scam is simple. The scammer shows the victim a rental unit that looks very attractive and good for the price. The victim is interested. The scammer explains that he or she wants someone of the right character to stay in the house. The victim has to write about himself or herself and, along the way, becomes more committed to getting the unit. Once the “landlady” decides to go with this tenant, the scammer asks for money to be wire-transferred because, for some reason, he is not on location and will fly over to meet the tenant and hand over the keys, or mail the keys over. If the victim pays the money, the scam has succeeded. The victim then finds out that the house is occupied.

I have often wondered how stupid a person has to be to lose money in this manner. I got my answer. The money is not brought up at the start. A number of messages are initially exchanged between scammer and mark making the mark more and more committed to the place. By the time the mark realises that the “landlady” is not in town and will not be able to open the door for him to view the place, he has already spent some effort to prove himself “worthy” of the unit and is committed to it. In the email exchanges, the scammer identifies minor problems with the house making the house seem all the more real. And the scammer sends a scan of his photo ID – that of a real person. It is all very convincing.

Being an information security professional helped me to not lose money in this case. I knew that a scan of the ID did not prove that the sender was the owner of that ID. My telephone company, bank and various other organisations probably have scans of my ID. I asked for a video chat over WhatsApp. This is harder to fake and I received no effective reply.

Edit (added 31 Jan 2017): The scam works for three reasons:
  1. humans are inherently trustful,
  2. the scammers are clever enough to make us commit our efforts, so that we want it to be real, and
  3. we rationalise our suspicions with reasonable-sounding explanations and allow ourselves to be victimised.

How to not be scammed that easily:

  1. Be on the alert if it looks too good to be true.
  2. If you get suspicious, ask the internet and people who may have done the same thing before (e.g. people who looked for units to rent in Hong Kong).
  3. Do not send money by bank transfer to anyone whom you have not seen. Online selling sites such as eBay use PayPal, which provides the buyer with some protection.
  4. Note that a scan of an ID card (or even the ID card itself) is useless unless you can verify the picture against a live (not recorded!) video or against the actual person. ID cards can be faked or stolen. Lots of people can have scans.
  5. The scammer may get indignant (my scammer did) if asked for proof, but this is a ploy to bring down your defences. It is the obligation of the person at the other end to verify that he/she is who he/she claims to be. This is essential to establishing the trust that you need to conduct your transaction.
  6. In the event that you have seen the person online or in person, you still need to authenticate their identity with an ID card or have some address to lock them down to if you need to dispute something with them in court. Anyone can chat with you using a fake name. You might also need to consider whether the police have jurisdiction over them to redress any claims that you have against them. The Hong Kong cops probably can do little to someone in London.
  7. Edit (31 Jan 2017): You can reverse-lookup photos on Google Images (images.google.com) to see if they appear in any other websites (that depict rooms in other countries, for instance).

This is the gist of my experience. I have put things down in greater detail below for those who are interested:

=============

Note: I am going to name names. The names will be of real, likely innocent people. I put the names in so that others who are in a similar situation to me may get a clue and stay away from the scammer. Also, as far as I know, the people who own the names and the people who may have falsely used them have not been convicted of crimes in any court of law.

I started my house-hunt a few days prior to arriving in Hong Kong. Hong Kong is one of the most (if not the most) expensive housing markets in the world. Many contacts and friends advised me to budget HKD 15,000 per month (~USD 1,930 at time of writing) for a room in the city. After browsing through a bunch of rental websites I was confident of finding something under HKD 10,000. I set my primary requirements as: must have an attached bathroom, enough space for a small table in the bedroom and close to the city centre. There were many lacklustre options but one stood out: a post on easyroommate.com.hk that displayed gleaming clean rooms with a massive bedroom that housed two beds and a fireplace for just HKD 6,500/month. The description stated that it was built with luxury in mind and that the owner wanted someone with whom she would get along nicely more than anything else. It looked too good to be true. I contacted the owner, Bianca, who responded the next day.

Here is her actual introduction: This is just to let you know few things about myself and the apartment.My name is Hais Bianca, I am 26 years of age,easy going, tidy and non smoker female.I am glad that you are interested in renting my apartment and I will be looking forward to having a wonderful stay with you should you succeed in reserving it for yourself.

I love meeting new people and also a like having a time-out with relatives and friends whenever I am less busy.My father and mother used to live in the apartment before my father’s demise which has led to my mother’s relocation.

Since I am currently on an internship attached to my late father’s company in the United Kingdom,I will be resuming for my masters in Hong Kong soonest once the internship program has been concluded but I will be available at anytime for you to move into the apartment on the specified date as long as I am sure of your interest.

The most important thing is that,I am looking for someone to share daily life and common value with. so the ideal person i will like to share my apartment with must be a neat, trust worthy person and the person must be capable of paying the rent on a consistent basis as long as he/she continues to stay in the apartment.

There are Three bedrooms in the apartment, One is for me, the room in the picture is about to be reserved for 1 person(which has it’s toilet and bath en-suite and the last one which is reserved for guests is also for rent as well,since my parents are no longer occupying the apartment(that is why it is no longer available for guest because they used to be my parent’s guest)may be the other person can manage this room(but it will have it’s toilet and bath shared).So the only thing we will have to share together in the apartment is the kitchen and the living room.

The ‘From’ field of the email said ‘bianca hais’ (uncapitalised first letters). I obviously had to do a good job to win this one. I put on my best interview face and wrote up a nice piece about how awesome a flatmate I was. At the very end I asked:

If this is an interview… what languages do you speak? 🙂

Bianca said that she was OK to be my roommate. She spoke German and English and was also learning Mandarin. She provided me with all the photos of the unit that I asked for and welcomed me to check out the locality myself. She had wasted a lot of time and money the last time, so she wanted me to reserve it before she came over. “That’s why it is so cheap – because people do not want to accept an apartment that they can’t see for real,” I told myself. I told B that I would confirm once I checked out the area. We sent each other a few more emails. I sent her one saying:

Und Ich spreche ein bißchen Deutsch. (translation: And I speak a little German.)  You could help me practise. 🙂

She did not reply to that one, but sent over the information that she required before she could come up with the lease document. I sent her over a scanned copy of my passport and details such as full name, age, occupation, moving-in date, how many months I wanted to stay, etc. I arrived in Hong Kong and saw the locality, a vibrant place with lots going on. There was a guard at the gate and I did not go in. I emailed B that I was OK to go ahead. She sent me the rental agreement and a scanned copy of her Hong Kong ID (HKID) card. It was a very nice looking tenancy agreement including the below generous clause:

(e) The tenant is privileged to get a refund of his/her money if he/she is not satisfied with the apartment after viewing it or should there be any contradiction from what was being displayed in the picture compared to what is seen on viewing.

At this point, the fact that she had mentioned that I had to reserve the room before she would come over had finally filtered into my consciousness. I had to pay this woman before I saw her? “But she has sent me a scan of her HKID, so I know that she is who she claims to be.” That’s when the security professional took over. The HKID scan only proved that she had a scan of Bianca Hais’ HKID; it did not prove that the person who sent it was indeed Bianca; it did not even prove that she had Bianca’s HKID card. I had not yet authenticated Bianca Hais.

I looked for the advertisement on easyroommate to see if I could find any more details. The ad had been removed. “She must have removed the ad when I expressed interest in it. There must be lots of people who want it at that price.” I looked through my emails. Why was the room that cheap? Bianca’s email mentioned no lift to the room. Could that be a reason? I shot her an email asking about it and about what happened that caused her to lose money the last time. I looked her up on social media. There was one LinkedIn profile that fitted. She looked slightly different from the HKID picture, but there was evidence of living in Germany, Hong Kong and China. That would explain the languages that she spoke. I could not send her a message, but I was able to send a connection invite with a short message about me being contacted by a Bianca Hais in Hong Kong, asking her to reply. Separately I asked her over email to connect with me over LinkedIn.

She had said nothing for two days and I wanted to be done with my house-hunt. I realised that asking to connect over LinkedIn was unnecessary: we could just do a video chat over WhatsApp and I could see her face. I sent a message suggesting that. Then I checked the building again and confirmed that there was indeed a lift. There was a lift, so I was not being given a cheap apartment on that account. There was no reply the next day, so I sent her the signed tenancy agreement. I could authenticate her later, before I sent the money, but I had to secure the room soon. When I scanned in the signed sheets, an error on my part had caused it to attempt to scan an extra page. The tenancy agreement that I sent had an extra blank page at the end, five pages instead of four. Also, it scanned the pages in sideways instead of straight.

Bianca finally replied, a bit annoyed that I had made it so confusing with all my requests. I apologised, but insisted that we have the WhatsApp video chat. I had sent her my phone numbers multiple times, but she had not yet used them. Her preferred mode of communication was email. Now I started to get suspicious. She sent me back the signed agreement on her part. This is where it got really funny. It still had the same number of pages that I scanned in – five pages. I would have expected one page less if she had printed it out, signed and scanned it. Most interesting, she had put her signature vertically. More likely, I realised, she had pasted in a digital copy of her signature over the existing document.

Last page of the rental agreement (signatures masked). Note the odd alignment.

I had a bad feeling in my gut all along about this place. Little pieces were falling together that suggested things were not as they appeared to be. I searched for “Hong Kong rental scams” and came across this site: https://xingledout.wordpress.com/2014/02/01/beware-the-rental-scams-in-hong-kong/

The writer had experienced something quite similar to what I was going through with Bianca. This was not good. Now I had to start looking at my backup options. I really wanted it to be real, but how do I get out of it? And what if B was indeed real?

The next day solved the problem for me. I had looked up other rooms in easyroommate. There was a fantastic looking studio right at Central going for just HKD 10,000. I had contacted the owner when my suspicions about B started growing. I got this message from her:

Thank you for taking the time to look at my property.

My name is Luzia and I am a civil engineer, originally from UK. I used to work in Hong Kong, but the problem is that I had to move with my job bak to London, UK, where I am now. During my stay in Hong Kong I bought this apartment but I don’t want to sell it, so that’s why I decided to rent it.

I am looking for a responsible person that can take a very good care of my apartment. I am not after the money for the rent but want it to be clean all the time and the possible tenant will see the apartment as his or her own and I hope that you can send me some personal information about yourself. The apartment is fully furnished with all necessary amenities (exactly like in the pictures). It has dishwasher, washing machine and clothes dryer. There is a storage unit where you can deposit my furniture (if you don’t like it and you want to use your furniture) and AC. Pets allowed. Cooking allowed. This is not a shared rental with the owner.

The monthly rent for the entire apartment is HKD$ 10,000 and also includes monthly utilities bill (electricity, water, heat, cable, gas, internet connection+wifi), so there is nothing else to be paid on top of that. I am looking for someone to rent anywhere from 1 month to 5 years or more. Also the apartment is available immediately!

Sadly I do not have anyone there, so the property is being managed by Airbnb (no agency fees) and they will handle the whole rental process. If you want to know more about the rental process please get back to me and I will send you the step by step procedure.

There was a pattern here. The name in her email said Leslie Andree, not Luzia. There were too many similarities with Bianca Hais. The London connection, the verbosity and the fact that all these people were willing to part with so much personal information about themselves, the fact that the place looked just too good to be true (HKD 10,000 for the kind of room Leslie/Luzia advertised was a steal) and that they would not be able to open the door for me themselves if I wanted to view the place. A normal person would use an agent.

I finally stopped wanting it to be real and went to the police. A nice gentleman named Toby listened to my story with interest, viewed the pictures and the emails and informed me that no crime had been committed. I had not lost any money to the scammers and while the places did look too good to be true (he was amazed at the fireplace in B’s master bedroom), I could not prove that they were indeed fake. I asked him if he could at least check with the real Bianca whose HKID I had a scan of. She was probably a victim of identity theft. He said that he did not have the justification to look it up in his system. It was slightly disappointing but consistent with my experience with the police elsewhere in the world. At least he was very polite. Toby advised me to inform the website administrators. “They would know about the people who posted the rooms.” I laughed. Easyroommate.com.hk did not even secure their login page. They only require an email when registering as a client. It was then that I realised that easyroommate had done something. They had removed Bianca Hais’ post.

I started evaluating the damage to me. I lost a lot of time that I could have used to productively house-hunt. I had some suspicions and I did not want to put all my eggs in one basket, so I had viewed a few units. Worse was the fact that the scammer now had a copy of my passport and a nice little piece that I wrote myself about my character. They could try to use that to spoof my identity for the same purposes.

I sent B an email saying that her post for the rental unit was very similar to many rental scams taking place in Hong Kong and that I was not proceeding with it. “Good bye.” I then told an agent that I was willing to take a room of his that I’d viewed. He asked me for one crucial detail that B had not asked for: my employment contract, to ensure that I could pay for the room.

I was thinking that this business was settled when I got some WhatsApp messages from a London number. It had Bianca’s picture, as seen in her LinkedIn profile. “What is your problem? I have not started living with you and you have been making everything complicated. Do you think everyone will think the way you think? Now it is a crime for me to rent out my apartment because I needed a flatmate. If you have trust issues you can as well buy your own house. Stop disrespecting people. My apartment is not a scam and I owe you no explanation.”

I was in shock for a minute and almost sent a message of apology. Then I got over it. The picture was publicly available. In the extremely unlikely event that I had been communicating with the real Bianca, she would have to be quite stupid to not simply use an agent to hand over the keys. Who wants to fly all the way from London to Hong Kong just to hand someone their keys? I doubted that a real Bianca would want to live with me at this point or would give me her phone number after I had called her a scammer. I asked B for a video chat. There has been no more contact since.

I wrote to easyroommate. They got back to me stating that both posts (Bianca’s and Leslie’s) had already been taken down by their moderators. That had not helped the people whom the scammers had already contacted, had it? I advised them to make it a policy to inform all people who had been in touch with the scammers (or who had contacted the scammers) so that the users who had been reached before the posts were taken down would also benefit. Easyroommate said they would consider my suggestions. Hopefully they will implement them.

Edit (31 Jan 2017): I eventually learned that the pictures were from apartments in France by looking them up with Google Images’ reverse image search.

Securing yourself online

My blog has been slightly inactive on account of my travels. Here is a little Christmas gift. This article contains points that I have distilled from a presentation that I have made for the same purpose, i.e. educating people about what they can do to make their online lives more secure.

There are a number of things that we can do to keep our valuable data private and available to us when we need it. Here are a bunch of them that I apply in my personal life. They start from the simple and free and go towards the technically complex and paid. Note that I have avoided putting in details on how to do each item as the article is already long. Doing a search on Google (or DuckDuckGo) with the heading should provide you with more details on each item.

Caveat: none of the advice below guarantees your security. If the NSA wants to see what you’re doing, they probably will. Security requires ‘defence in depth’. If one measure is surmountable, it helps to have another measure to back you up. If a malicious entity somehow breaks the security of your VPN, they may be set back by your HTTPS connections; if they sniff/steal your password, they may be set back by your 2FA token. Those of us in the information security industry hope for (and work toward) a future where the layman does not need to have sophisticated IT knowledge in order to secure their lives. Read on!

Backups
Some stuff is too valuable to have only one copy of. In the event that a hard disk fails, you will want to have a backup on another hard disk or in the cloud. Every article that I write is initially typed up on my computer / online storage before it is copied into my website. Additional hard disks for storing large volumes of photos and videos are now cheap.

Password locking & password managers
If your computer connects to the internet, it can be easily accessed remotely and it needs a password. Make it at least 15 characters and do not reuse the same password anywhere else. Read this series of posts about password management and stop trying to memorise all your passwords. Get a password manager to remember passwords for you. Make your passwords totally random, long, distinct (do not use the same one in two places) and unmemorable. One password for your computer, one for your phone and one for the password manager should be all you need to remember. I have also come across recommendations (there is no consensus) to not use security questions that allow you to recover your account if you should forget your password. Those who follow this advice fill the security question field with gibberish. Security questions to help reset passwords are a weakness that allows people to access accounts without cracking their passwords.

Windows update (and other autoupdates)
This is a critical and fundamental security measure. Ensure that automatic updates are turned on for Windows and for the other software on your computer. The browsers that you use and MS Office are critical. Java and Flash are notorious for their vulnerabilities and need frequent updates. Any time a vulnerability is found, there is a race between manufacturers trying to push updates to users and malicious actors attempting to exploit the vulnerability. Enabling automatic updates keeps you on the safer side of the curve.

Windows firewall
The default firewall on your computer should be enabled. More precisely, do not disable it.

Antivirus
This is something fundamental. It should not give you a sense of security, but having antivirus or antimalware software is a minimum security requirement. Plenty of free and paid antivirus products are available. The fact that you pay for it does not necessarily make it better.

Pirated software and jailbroken devices
Using pirated software is a good way to introduce malware into your computer yourself. The act of jailbreaking a device to give it features that the manufacturers did not intend it to have necessarily requires breaking the security of the device. Avoid doing these things. Get software that is free to use or buy commercial software.

Mobile phones
If your phone allows biometric authentication, enable it and use it. Your secondary authentication mechanism must be a long PIN / password (10+ characters minimum, 14+ optimal). The PIN might be slightly easier to use on account of the bigger size of the buttons. Drawing patterns and 6-digit PINs are easily observed by shoulder surfing and easily broken by technical means. Do not leave the phone where others can physically access it.

Laptops and other portables
These devices should not be left in places where other people can access them. It is possible for someone malicious to fry your computer by plugging something nasty into a USB port in seconds (see USBKill) and walk away. It is also possible for someone to gain control of a locked computer, again by sticking something into the USB port, in seconds. The cost of gaining access? A $5 device (see PoisonTap). The previously mentioned advice about HTTPS also helps with the last item.

Encrypt the hard disks of devices (including phones) to protect data from theft in the event that the device is physically taken. Encryption is not a panacea. It is effective if the device is switched off, but it might be possible for a skilled attacker to extract data from a powered-on device.

Connecting to WIFI
The general security advice is never to connect to free, insecure WIFI. Some people go further, choosing to always carry their personal WIFI router with them when they travel. Having a VPN connection enabled by default may be a mitigating measure when you must connect to insecure WIFI (see below).

Email
Avoid clicking on links or opening attachments sent to you by email. This is the easiest way people get hacked – not through fancy technical mumbo-jumbo, but through stuff sent to you by email. Avoid forwarding any email that asks you to forward it.

USB drives
USB is infamous for being fundamentally insecure. At a basic level, never plug an unknown USB stick into your computer, especially if you find it in the car park or on your desk. This includes iPads and phones that need to be charged – i.e. anything that has storage. Don’t do it as a favour to someone that you do not know (some of us would not do it as a favour to people whom we do know). Disable autorunning of USB devices. You can find a number of articles explaining how to do this for your operating system. Also recollect the two items (USBKill and PoisonTap) mentioned in the section about keeping portable devices physically secure.

Software and apps
In general, install software and apps only from trusted parties. Do not install mobile apps from outside the standard app stores. For mobile phones, be wary of apps that ask for many permissions to function. The newest versions of iOS and Android allow users to give an app permissions only when it actually needs them.

Browser & websites
Any site that you log in to must use HTTPS. Do not enter credentials or personal information such as date of birth, credit card information or ID information into a site that has no HTTPS. Add the free HTTPS Everywhere plugin to your browser to force all sites that have a more secure encrypted version to provide you with that version. Using HTTPS does not by itself ensure security (that requires a slightly technical and much longer article), but without it one cannot expect web browsing security.

Automatically clear your cache when you close the browser. This may be hard to get used to, but it makes it significantly harder for third parties (and first-party sites) to track you. This can prevent websites from showing you the inflated prices that they showed you the first time you visited, since they no longer know that you had already visited. Enable the Do Not Track feature. Use an ad blocker to block advertisements. Advertisements are a way for malware to spread through web browsers and they slow down your browsing. The site owner usually has no control over what content is provided to you in advertisements. A year ago, Forbes spread malware to its readers through advertisements.

Use a different browser for stuff like your email and social media that require you to log in and another browser for all other browsing. This can prevent Facebook from knowing that you’re planning a vacation to Iceland and providing you with ads. It can also prevent a malicious site that you happen to be on from reading information that you provide another site.

Control what is on your social media
Periodically check privacy settings on social media to understand how the content that belongs to you is used by companies such as Facebook, LinkedIn and Twitter. Tagging your face on pictures makes it easy for software to identify your face resulting in consequences that may be positive or negative. In general, do not post things on social media that you may regret if someone reads it out of context. It is easy for someone to screenshot your post and paste it elsewhere, minus the context. Avoid giving out information such as your date of birth and family members as this information may be used by your bank or a government to authenticate you. (When was the last time you had to tell someone on the phone your birth date or your mother’s maiden name to convince them that you were you? It can’t have been very long ago.)

Home router
Critical: change the default username and password for the WIFI router. This is typically something like ‘admin’ for both username and password. In many cases you can reach the settings page by typing “192.168.0.1” or “192.168.1.1” into your browser. Change the SSID (i.e. the WIFI name) and, if possible, disable access point broadcasting. Default SSIDs make it trivial to identify the kind of WIFI router and make it that much easier to attack. I have known wireless printers to be unable to connect if you disable AP broadcasting, so it might not always be possible. Use WPA2-PSK security with a long password for connecting to the WIFI (note that this is different from the router admin password). Periodically update the router software (every half year is a good bet for the layman).

SMS and phone calls
Understand that the providers of your mobile connection have all information about the numbers that you dial and the contents of the SMSs that you send. They can also listen to your calls. If this concerns you, you might want to use encrypted messaging (see ‘different providers’ section) and encrypted calling services. They function in a foolproof manner only when both people use the service and the encryption is end to end, but encrypting content to the service provider gives some amount of privacy as well.

Use a VPN
Virtual private networks (VPNs) are commonly used to create an encrypted remote connection between a person and his office environment when he is not on site. This technology can be used to protect your internet browsing data as well. VPNs can protect your browsing if you need to connect to weakly protected WIFI networks, and can mask your location from third parties. VPN software typically requires payment, but can be cheap.

Edit 2 (31 Jan 2017): I have removed this recommendation altogether because using the wrong VPN provider can cause greater risk to the user than not using a VPN at all. Too high a proportion of VPNs are implemented insecurely / have a shady business model for this recommendation to stand [research paper].
Edit: VPN caveats: Not all VPNs are created equal. Understand their business model and whether they do actually value your privacy. Obviously, the VPN provider has the ability to read data when it enters and leaves the tunnel (prior to any VPN encryption) unless the traffic is encrypted even before it goes into the VPN (e.g. all your Facebook and Gmail traffic). If the VPN is available for free, ask why. Does their business model depend upon selling user information?


Use different providers altogether
Use providers of services who respect your privacy and do not use your information for their own benefit. Try DuckDuckGo for search instead of Google; secure email services instead of Gmail (which reads your mail) or Live mail / Outlook (which can read your mail). If you are still using Yahoo!, please stop now! (right now!) The same goes for messaging tools and VOIP. See the Electronic Frontier Foundation’s (EFF) secure messaging scorecard regarding security and privacy. You may be pleased to know that the most common messaging application, Whatsapp, is quite good at the moment.

Feeling secure vs being secure

When talking security with individuals one often observes a distinction in language that completely changes the meaning of the topic: people talk about wanting to feel secure, which is a very different matter from actually being secure.

Humans are poor at understanding security and risk: they overestimate the danger from scary and infrequent events (such as terrorist attacks) and underestimate the dangers of common events (such as road accidents and nutrition-related illnesses).

Humans are also prone to live by the falsehood that “something needs to be done” to remedy real and perceived problems, when it might actually be more pragmatic to not do anything at the time. Security expert Bruce Schneier has written extensively about this, on how the TSA is a multi-billion dollar harm inflicted upon people travelling within the United States after the very successful terrorist attacks on September 11, 2001. The fact that they put travellers through a lot of misery gives people the impression that travel in the United States is safe, when in fact it is not proven to be any safer than it was before 9/11.

This false sense of security is a problem. It causes organisations to spend billions of dollars on security products that do not solve their problems. It causes people to go through unnecessary suffering at airports because they are trained to believe that it is “for their own safety”. At the same time, the companies and people remain vulnerable to the same problems that they believed they were protected from.

A false sense of security can make someone perform a riskier action than they would under normal circumstances – think of American football players, heavily padded and helmeted, who hit harder under the impression that their artificial padding will protect them against injury. This is the biggest problem with feeling secure: it can actually cause you to be less secure.

How do we guard against responding poorly to perceived risks in these fashions? A measured and thoughtful approach to security that avoids knee-jerk measures helps. Education is key, as is the recognition that there is no silver bullet that rapidly provides security. Security requires a combination of people, processes and technology to function in harmony. All three must come in place and people must recognise that no system is perfectly secure. This is fine. It is not worth the trouble to make something perfectly secure. Live your lives.

What about that Whatsapp privacy policy change?

You may have heard recently that Whatsapp’s privacy policy has changed ‘for the worse’ and that it is now sharing user account information with Facebook. What’s that all about and what should you do about it?

Whatsapp is a mobile phone app that provides messaging services between users of the app. Whatsapp accounts are linked to phone numbers. Facebook is an online social media platform with 1.7 billion monthly users (as of June 2016). Facebook bought Whatsapp for US $19 billion in 2014 and now Whatsapp has over 1 billion users. Prior to its acquisition, Whatsapp charged a fee to its users – a nominal $1. After the acquisition, the fee was eliminated, leaving the company’s business model unclear to users. Whatsapp announced earlier this year that they would introduce tools to let businesses connect to users.

One of the founders of Whatsapp, Jan Koum, was born in Soviet-era Ukraine and the matter of privacy is said to be personal to him. Whatsapp now encrypts all messages that are sent between users using updated versions of the app, meaning not even the company can read messages that are sent through the app.

Why then are we so concerned? The information that Whatsapp does have is metadata – data about data. Whatsapp has the contacts on your mobile phone (required to provide its service), the time you last checked the app, the person whom you messaged, when you messaged them, how many times, etc. Go back three years and you might recall that this is the kind of data collection by the NSA that caused a huge uproar when Edward Snowden blew the lid on it.

A record of phone calls or messages between you and a specialist doctor may reveal medical concerns of yours. Phone records between two parties may invite inferences where there is nothing to infer – or they may give away something about one’s life that one prefers to keep private. The choice of whether these matters are made known to others belongs to the people whom they concern – not to an internet / communications company, the government or advertising firms. You will lose that choice if your Whatsapp account data is transferred to Facebook. Facebook is an advertising company, and the metadata is going to be used to serve you advertisements from businesses.

What causes more worry is the manner in which this has been implemented. We have the option to opt out of the sharing of account data. The opt out is designed to be easy to miss. You still have 30 days to go back and update your settings, but after that the choice to opt out is removed entirely.

But does it really matter? Many of us do share a lot of information about ourselves publicly on our social media profiles. Even content that is restricted to ‘friends’ can be copied, screenshotted and shared by our contacts. A certain level of sagacity is called for when sharing matters that one would rather keep out of public view, and that is up to your own judgement.

Take the following steps now to take control of your Whatsapp account data: https://www.whatsapp.com/faq/general/26000016

The password-reuse attack

There was news very recently about an online storage provider named Carbonite being “breached” through a password reuse attack. What might that be?

It is just what it sounds like: an attacker reusing a password that they already have. This obviously requires no technical skill. One doesn’t have to “hack” in order to carry out a password reuse attack.

Is this even an attack? How did the attacker gain the password in the first place? There was an actual attack, by people who may have had technical skills, at some point. They would have tried hacking a popular site or application (a recently publicised example: LinkedIn). If they were successful, they may have obtained the usernames and passwords of a large number of users. It appears that Mark Zuckerberg’s Twitter and Pinterest accounts were accessed this way.

Given that they already had this list of credentials, they could proceed to try each username – password combination on other sites. How many people can honestly say that they do not use the same credentials on at least a few sites?
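Seen from the defender’s side, as an added example that is not part of the original post: a small Go detector that reads constructed web-application login records and flags a source that fails logins across many different accounts (a leaked credential list being replayed), while also reporting which accounts that source did get into, since those users reused a leaked password and need a reset. The log format, the IP addresses and the threshold are assumptions made for this example.

```go
package main

import (
	"bufio"
	"sort"
	"strings"
)

// SampleLog is constructed for this example: 203.0.113.7 replays a leaked credential list
// against many accounts (bob reused his password, so his login succeeds), 198.51.100.9
// guesses one account's password repeatedly, and 192.0.2.1 is a user who mistyped once.
const SampleLog = `2017-01-31T10:00:01Z ip=203.0.113.7 user=alice result=fail
2017-01-31T10:00:02Z ip=203.0.113.7 user=bob result=ok
2017-01-31T10:00:02Z ip=203.0.113.7 user=carol result=fail
2017-01-31T10:00:03Z ip=203.0.113.7 user=dave result=fail
2017-01-31T10:00:04Z ip=203.0.113.7 user=erin result=fail
2017-01-31T10:00:05Z ip=198.51.100.9 user=alice result=fail
2017-01-31T10:00:06Z ip=198.51.100.9 user=alice result=fail
2017-01-31T10:00:07Z ip=198.51.100.9 user=alice result=fail
2017-01-31T10:00:09Z ip=192.0.2.1 user=grace result=fail
2017-01-31T10:00:15Z ip=192.0.2.1 user=grace result=ok`

type attempt struct{ ip, user, result string }

// parseLine reads one "<time> ip=<src> user=<name> result=<ok|fail>" record.
func parseLine(line string) (attempt, bool) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return attempt{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	a := attempt{kv["ip"], kv["user"], kv["result"]}
	return a, a.ip != "" && a.user != "" && a.result != ""
}

// Analyze flags source IPs whose failed logins span at least minUsers distinct accounts
// (the signature of a leaked list being replayed) and returns the accounts that accepted a
// login from such a source. One account failing many times is plain guessing, not flagged here.
func Analyze(log string, minUsers int) (sources, compromised []string) {
	failed := map[string]map[string]bool{} // source IP -> distinct accounts that failed
	success := map[string][]string{}       // source IP -> accounts that logged in
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		a, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		if a.result == "ok" {
			success[a.ip] = append(success[a.ip], a.user)
			continue
		}
		if failed[a.ip] == nil {
			failed[a.ip] = map[string]bool{}
		}
		failed[a.ip][a.user] = true
	}
	for ip, users := range failed {
		if len(users) >= minUsers {
			sources = append(sources, ip)
			compromised = append(compromised, success[ip]...)
		}
	}
	sort.Strings(sources)
	sort.Strings(compromised)
	return sources, compromised
}
```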

What can you do to prevent this?

Simple and obvious: use different passwords for different sites. Do not reuse them.

But I can’t remember so many different passwords! 

Of course you can’t. And you shouldn’t try! Use a password manager. I have written a whole bunch of articles about them. Once you start, you can safely give up on remembering a whole bunch of long and complex passwords.

Lessons from Target on password complexity
Choosing your password manager
Passwords ain’t nothing but trouble

The Ransomware Social Contract

I had been anticipating this for a while: there has finally been a publicly known case where the social contract between ransomware extortionists and their victims has been broken. The contract? That after paying the ransom, the victims would be given access to their files.

What is ransomware? Extortionist criminals are now using this tactic to make money. They break into their victims’ computer systems and encrypt their data. The victims are then told to pay a ransom in order to get the key to decrypt the data. Imagine the situation where all your photos and work on your computer are inaccessible, despite still being on your computer. If you could pay a small amount to make this problem go away, odds are that you would.

Now multiply the volume of data a million-fold. A business is hit. Its daily operations require this data to be accessible. Every second that they do not have it is money lost. What if it is a hospital? Hospitals have been hit and left unable to provide effective care to their most vulnerable patients for short periods. Most would rather just pay the small amount in ransom than put their work in jeopardy.

Low ransoms and the fact that the extortionists have kept their promise of providing the decryption key have made ransomware a viable business model. This may finally be over. One hospital paid the ransom only to have the extortionists ask for more. The ‘social contract’ is broken. It was always a possibility that the attackers would go back on their word. It has happened.

Ransomware is not a new phenomenon. It has been around for almost three decades. For some reason, it only took off as something big in the last three years. Perhaps the existence of commercial software such as exploit kits, which package various methods of attack without requiring much technical skill on the part of the attacker, helped its rise.

What now? Ransomware is not about to go away. We should practise some IT security 101 to protect the data that is precious to us (yes, really). Backing up data is the old-fashioned and effective method that protects against the loss of data (ransomware or otherwise). Knowing not to click on unknown links or open dubious email attachments helps too. Keeping your operating system and software updated and having an anti-virus enabled is another. These things are all IT security 101 and knowing and practicing them will protect you against more than ransomware.

What if you have been hit and do not have a backup? You could pay, but be aware that you are depending upon the mercy of criminals.

Also read:
http://www.essaysonsecurity.com/blog/shit-just-got-real
https://nakedsecurity.sophos.com/2015/10/28/did-the-fbi-really-say-pay-up-for-ransomware-heres-what-to-do/

On weakening encryption

It’s history time! While we are discussing Apple vs FBI and the ongoing legal battles over encryption, let’s consider how American politics have already prevented technology from being as good as it could be. Just a few decades ago, the internet came along and started improving the lives of a lot of people – mostly rich people in developed countries at first. Smart people were developing the technologies serving the internet as they went along. Encryption was among them. How could a person ensure that a communication over the internet would be accessible only to the intended recipient? Encryption was the answer. How could a person ensure that his credit card details transferred over the internet for a payment would not be stolen by someone? Encryption!

This is all very nice, but both the internet and encryption have strong links to the military. The precursor to the internet was ARPANET, a project by the US department of defense. Encryption was big during World War 2. Mathematicians worked in the United States and UK to break the code used in the German Enigma machines. This gave the Allies the ability to intercept German communications and it was essential in their establishment of military superiority leading to their victory in the war.

Perhaps due to its background, encryption was treated as a “munition” and the export of strong encryption from the US was severely restricted until the 1990s. This made it difficult for companies to provide secure services over the internet and – let us have no doubts about it – ordinary consumers failed to get the benefits of these protections until these restrictions were slowly eased during the nineties.

Lessons learned? Not yet. Politicians in the United States and UK, among others, continue to ask to make encryption and similar consumer protections weaker in order to carry out “law enforcement” and “anti-terrorism” activities. How far are they willing to harm their constituents in order to achieve the aim of law enforcement?

Here is one answer: A vulnerability called “DROWN” was discovered last week that makes it possible to intercept supposedly secure communications between your computer and 25% of servers (25% of HTTPS servers, to be precise). That’s your credit card information, your personal details, your income tax information and your children’s birthdays that are being made available to criminals to exploit. As I type this, millions of IT departments will be working on patching and otherwise changing their systems to protect their companies and clients from the risk posed by this vulnerability. That will be millions of man-hours of work lost fixing a problem that should never have existed. Why did this happen? The researchers who discovered this vulnerability explicitly blame US government policies of the nineties for allowing this to happen.

“In the most general variant of DROWN, the attack exploits a fundamental weakness in the SSLv2 protocol that relates to export-grade cryptography that was introduced to comply with 1990s-era U.S. government restrictions.”

XKCD comic on encryption

Better cryptography was available at the time SSLv2 was invented. The US just refused to let people outside their country have it. Major US tech companies made insecure products and distributed them everywhere (including in the USA). It is bizarre that this is putting people’s information at risk even today, in 2016. Now you know why (among other reasons) people in technology and security are backing Apple in the Apple vs. FBI case.

Choosing your password manager

I have advocated password managers in a few previous posts. Here are a few considerations when you go about picking one for your own use:

How are your passwords stored?
The technical implementation may be hard for most users to figure out, so you may need to rely on reviews by others. The passwords need to be stored encrypted, in such a way that they can only be retrieved using your master password (the password to the password manager). Read the documentation explaining how they store passwords to understand this. The company / people who own the password manager (if such a group exists) should not be able to retrieve your passwords even if they wanted to. This is Security 101. Convince yourself that this is how it is done before you proceed further with any password manager. Also – do not store passwords in your browser unless you secure them with a master password.

Cloud-based or local software
Are your passwords going to be stored in the cloud (the internet) or will they be stored only in your computer? There are advantages and disadvantages for both. Cloud-based password managers may have the advantage that you can use them on multiple devices: your personal laptop, perhaps your work computer, maybe even your mobile. A password manager installed locally on just one computer allows users access to their passwords only on that computer.

Conversely, a cloud-based password manager is a target for attack from the internet. Criminals will go after it given how valuable the contents are. There is less of that risk if your passwords are only stored on your computer.
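As an added illustration of the requirement from the two sections above, that only your master password can unlock the store, whether it sits on your disk or on a provider’s servers (example code written for this page, not any real password manager’s format or code): a minimal vault in Go that derives an AES-256 key from the master password with PBKDF2 and encrypts the contents with AES-GCM, so that what a cloud service holds is useless without the master password, and a wrong password fails cleanly instead of yielding garbage. The iteration count and the vault contents are assumed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Vault is all a provider (cloud service or local disk) ever holds; the master password never leaves the user's device.
type Vault struct {
	Salt, Nonce, Ciphertext []byte
	Iterations              int
}

// deriveKey is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte block (all AES-256 needs), written out
// so the example has no dependencies; the iteration count is what makes guessing the master password slow.
func deriveKey(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) block
	u := prf.Sum(nil)            // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
		for k := range t {
			t[k] ^= u[k] // T = U_1 xor U_2 xor ... xor U_iter
		}
	}
	return t
}

// vaultCipher turns a master password plus salt into an AES-256-GCM cipher.
func vaultCipher(master string, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey([]byte(master), salt, iter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the contents; the salt is passed as associated data so it is authenticated as well.
func Seal(master string, plaintext []byte, iter int) (*Vault, error) {
	r := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce, both random
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	aead, err := vaultCipher(master, r[:16], iter)
	if err != nil {
		return nil, err
	}
	return &Vault{r[:16], r[16:], aead.Seal(nil, r[16:], plaintext, r[:16]), iter}, nil
}

// Open recovers the contents; a wrong master password fails the GCM tag check just like tampering, leaking nothing.
func Open(v *Vault, master string) ([]byte, error) {
	aead, err := vaultCipher(master, v.Salt, v.Iterations)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault")
	}
	return pt, nil
}
```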

2-factor authentication
Pick software that allows 2-factor authentication. Enable it. Use it. Know what to do in the event that something makes it difficult for you to access your 2nd factor (e.g. loss of a security token, or of the mobile phone that receives your 2FA messages). Each password manager will have different methods of handling this.

Open-source or proprietary
Open-source software is software for which the code is publicly available. Proprietary software code is not. Prevailing security wisdom recommends open-source software. Proprietary software has fewer eyes looking at it, and the odds are higher that someone who does detect vulnerabilities in the software does not wish to reveal them for fear of backlash from the company. Keeping code hidden is not great security practice, but it may be justifiable as a business practice. Some people may be willing to sacrifice some features if that is what it takes to use open-source software. Some will find the features to be worth the risk of ‘trusting’ a business. All other things being equal, choose an open-source password manager.

Which password manager does the author use?
I will keep that out of this essay in order to keep this article unbiased. Spend some time doing your own research before you ask.

Related posts
Passwords ain’t nothing but trouble
Lessons from Target on password complexity
When is 2FA not 2FA?

TSA keys – less than worthless

Do you use a lock with the red and white icon as the one in the picture? If so, I hope that you do not think your luggage to be secure. And not because the Washington Post published a picture of the keys.

The United States’ Transportation Security Administration (TSA) has authority to security-check humans and luggage moving through airports in the USA. This includes a right to inspect your bag in your absence. Not being particularly good at this security thing, they have deemed that if you want your baggage to arrive undamaged at the destination, you had better use TSA-approved locks to which they have master keys. The ones that you see in the big picture.

Consider the implications. Thousands of TSA agents all over the United States possess these keys. In order for this system to be secure, every one of these keys must be kept hidden and used only for the intended purpose, and there must be certainty that no one other than the agent/TSA team ever comes into contact with their set. If someone criminally-minded were to get their hands on those keys, and had access to baggage… AHA! But who could be so evil? The TSA has fired at least 513 officers for theft since 2002. Even if the TSA officers could be trusted with the bags, no one else could be, on account of the fact that the master keys are out in the open. And what does it take for someone to make a copy of these keys? A photo of the keys, no more.

What the TSA have done then, with their invasive searches that threaten to destroy bags, is to reduce security for everyone. Being required to use TSA locks means that nothing of value can be placed in check-in luggage on a flight to/from/in the United States. The Washington Journal article only brought out the fact into the open; it did not cause it.