OWL Blog
Exploding the urban myths about how to stay safe online…
Technology
24 April 2013 Last updated at 19:07 ET
Are we wising up to the dangers lurking online? Or are phishing, spam and hacking just words that we still do not understand and we hope will not happen to us.
Ofcom recently revealed that one in four British people still use the same password for all their activities online, suggesting we still have some way to go to fully understand computer security.
Here Prof Alan Woodward explores some of the misconceptions about how we stay safe online.
While there is still a long way to go in raising awareness of the risks inherent in surfing the net, word is spreading.
Unfortunately, some urban legends have arisen that are leading to a false sense of security.
Probably the most common of these myths is that your computer cannot be infected simply by visiting a website containing malicious code. The story goes, that you are only going to get malware on your machine if you actively agree to download software.
Secret downloads
As with many myths it contains a grain of truth. However, you may not recognise that you are giving your permission, and often hackers rely upon the fact that your computer is set to give permission by default to certain types of download. This has led to the phenomenon of “drive-by downloads”.These downloads can happen in several ways, with hackers developing new methods all the time.Possibly the most insidious technique relies upon what are known as inline frames or “IFrames”. The intention of IFrames was to allow webpages that have a mixture of variable and static content to be constructed so that they used computer resources more efficiently.First introduced in 1997, IFrames essentially allow you to embed “active” material that is brought in from elsewhere.
When misused, IFrames can secretly download another webpage – one you will not see because they can be as small as a single pixel – which redirects you to a page containing an exploit.
If your browser and system are vulnerable to this exploit then the malware is downloaded on to your computer. And, you did not agree to anything, did you?
A variant of this first great myth is that webpages cannot download to your computer without you clicking on an “OK” button.
You may have to click but that click might not be doing what you think. A typical trick is for a compromised site to pop up a box – usually an advert – which you simply have to close if not interested. The act of closing the advert can be the very click that initiates a download.
Things are not always what they seem online.
Targeting you
This leads to the second great myth: that only disreputable sites contain malware.Yes it is true that some less salubrious sites are affected in this way, but many well-known sites find themselves compromised too. A classic example is where a site allows comments to be posted and the web forms have not been secured in quite the right way. Someone can post a comment containing code and that code can contain an IFrame.With webpages often being an amalgamation of content drawn from various sources, it is very difficult for webmasters to close all the loopholes.The New York Times found this out in 2009 when they were tricked into running an advert which encouraged readers to download fake antivirus software. On the web you are trusting not just the webpage provider but their entire content supply chain.The third myth is more personal. Most of us believe we are too insignificant to be attacked because hackers are interested only in the big fish.Well, yes some hackers will invest a great deal of time trying to break into some high-value target. However, most criminals have long since realised that their return on investment is much higher by targeting many smaller value targets, like you and me.With automation and the global reach of the internet you need only have a tiny fraction of your targets respond in order to reap a very handsome reward.Research has shown that the reason scammers persist with age-old ploys such as the Nigerian scam emails is because, as extraordinary as it might seem, they still work. The criminal invests relatively little time and money but the numbers responding are still high enough to make it worth their while.
Digital identity
The delusion involved in the fourth myth may shock many – my computer contains nothing of value.Sorry to disappoint, but your computer is a treasure trove for criminals. What about something as simple as your address book? Criminals love contact lists as they give them valid email addresses and someone who they can pretend to be – you.And, of course, who does not log into some bank, shop, government site or similar with their computer?In doing so you leave your digital identity on your computer, and there is nothing criminals love more than a valid online identity.How many people clear the memory, delete cookies and temporary files when they close down their browser?Quite the opposite is true – for convenience many store their digital identities in their browsers so they do not have to log on every time they wish to use an online service.It is rather like leaving your car keys on the hall table in full view of the letterbox. A fishing rod is all the criminal needs to steal your car.The final myth is the one that leads to the most pronounced false sense of security – that my make of computer or operating system is not vulnerable to security problems.
Some people think that being behind a firewall makes them safe. I am afraid that this could not be more wrong.
You may find that you are using a less popular computer brand which has yet to attract the attention of criminals, and your firewall may keep out some intruders, but all computers, if connected to the internet, are vulnerable.
Alan Woodward is a visiting professor at the University of Surrey’s department of computing. He has worked for the UK government and currently advises several FTSE 100 companies about issues including cybersecurity, covert communications and forensic computing through the consultancy Charteris where he is chief technology officer.
Apps that Zap: How to figure our which Apps are draining your smartphone battery
Carat reveals cellphone energy hogs, energy bugs
By Ana Cabrera
DENVER – Smartphone apps inform, entertain, educate and make life a lot easier until your battery dies. So what can you do about this? 7NEWS went in search of solutions.
“I’ve always fought with battery life on my phones,” said 7NEWS Traffic Reporter Jayson Luber.
It’s so bad that Luber carries extra batteries for his Android phone with him in his pocket.
“I do, I carry extra smartphone batteries. I actually have four of these things and I keep them charged up all the time,” Luber said.
That might sound ridiculous, but a lot of us, like mom Jeri-Sue Dean, can relate.
“I’m a teacher and we’re getting into 21st century learning and you have to keep up,” said Dean.
Dean uses her iPhone for news, weather, music, games and more. She said she often has to recharge mid-day.
There are some obvious culprits, according to tech expert Rick McCloskey with One World Labs.
McCloskey said apps that use GPS, programs that constantly update and free games that have scrolling advertisements are battery drains.
One way to figure out what apps are zapping your phone is a free program called Carat, developed by researchers at University of California, Berkeley.
Carat identifies energy hogs and energy bugs on your individual device.
“An energy hog is an app that, across most devices, seems to use more energy than a typical app,” said Adam Oliner, one of Carat’s creators. “An energy bug is an instance of an app running on a particular device that uses far more energy on that device than on most other devices.”
Once Carat identifies these, it offers recommendations to help a user get more out of his or her battery life.
Luber, Dean and McCloskey put Carat to the test.
Carat identified Luber’s email, Facebook, and bible apps as energy hogs and recommended he “kill” these programs when not in use to save his battery.
McCloskey found out he had apps running in the background even when they weren’t in use, like Yahoo news and a music app.
Dean is still waiting on her results.
It normally takes about a week to generate your personal report, but it can take longer. Oliner said the key is to open the app daily in order for Carat to collect the data it needs.
How accurate is Carat? Oliner said Carat’s recommendations are given with a 95% confidence rate.
Once you identify what’s zapping your battery, the solution can be simple: If you don’t use it, lose it.
The same goes for GPS, Wi-Fi and Bluetooth. Turn these off when you don’t need them.
For things like Email, Facebook and Twitter, check out your settings.
“Email is probably the easiest example. You can go in there and it’ll say: ‘How often do you want me to check your email… every one minute, five minutes, 10 minutes, once and hour?’ So, setting those types of settings will cut down on battery usage,” said McCloskey.
McCloskey said a few changes can really help your battery-life. It’s a matter of prioritizing.
For more on this article, please go to: http://www.thedenverchannel.com/money/science-and-tech/how-to-figure-out-which-apps-are-draining-your-smartphone-battery
Everything We Know About What Data Brokers Know About You
March 10, 2013 By OWL_News No comments yet OWL News
By Lois Beckett
Data companies are scooping up enormous amounts of information about almost every American. They sell information about whether you’re pregnant or divorced or trying to lose weight, about how rich you are and what kinds of cars you have.
Regulators and some in Congress have been taking a closer look at these so-called data brokers — and are beginning to push the companies to give consumers more information and control over what happens to their data.
But many people still don’t even know that data brokers exist.
Here’s a look at what we know about the consumer data industry…..
How much do these companies know about individual people?
They start with the basics, like names, addresses and contact information, and add on demographics, like age, race, occupation and “education level,” according to consumer data firm Acxiom’s overview of its various categories.
But that’s just the beginning: The companies collect lists of people experiencing “life-event triggers” like getting married, buying a home, sending a kid to college — or even getting divorced.
Credit reporting giant Experian has a separate marketing services division, which sells lists of “names of expectant parents and families with newborns” that are “updated weekly.”
The companies also collect data about your hobbies and many of the purchases you make. Want to buy a list of people who read romance novels? Epsilon can sell you that, as well as a list of people who donate to international aid charities.
A subsidiary of credit reporting company Equifax even collects detailed salary and paystub information for roughly 38 percent of employed Americans, as NBC news reported. As part of handling employee verification requests, the company gets the information directly from employers.
Equifax said in a statement that the information is only sold to customers “who have been verified through a detailed credentialing process.” It added that if a mortgage company or other lender wants to access information about your salary, they must obtain your permission to do so.
Of course, data companies typically don’t have all of this information on any one person. As Acxiom notes in its overview, “No individual record ever contains all the possible data.” And some of the data these companies sell is really just a guess about your background or preferences, based on the characteristics of your neighborhood, or other people in a similar age or demographic group.
Where are they getting all this info?
The stores where you shop sell it to them.
Datalogix, for instance, which collects information from store loyalty cards, says it has information on more than $1 trillion in consumer spending “across 1400+ leading brands.” It doesn’t say which ones. (Datalogix did not respond to our requests for comment.)
Data companies usually refuse to say exactly what companies sell them information, citing competitive reasons. And retailers also don’t make it easy for you to find out whether they’re selling your information.
But thanks to California’s “Shine the Light” law, researchers at U.C. Berkeley were able to get a small glimpse of how companies sell or share your data. The study recruited volunteers to ask more than 80 companies how the volunteers’ information was being shared.
Only two companies actually responded with details about how volunteers’ information had been shared. Upscale furniture store Restoration Hardware said that it had sent “your name, address and what you purchased” to seven other companies, including a data “cooperative” that allows retailers to pool data about customer transactions, and another company that later became part of Datalogix. (Restoration Hardware hasn’t responded to our request for comment.)
Walt Disney also responded and described sharing even more information: not just a person’s name and address and what they purchased, but their age, occupation, and the number, age and gender of their children. It listed companies that received data, among them companies owned by Disney, like ABC and ESPN, as well as others, including Honda, HarperCollins Publishing, Almay cosmetics, and yogurt company Dannon.
But Disney spokeswoman Zenia Mucha said that Disney’s letter, sent in 2007, “wasn’t clear” about how the data was actually shared with different companies on the list. Outside companies like Honda only received personal information as part of a contest, sweepstakes, or other joint promotion that they had done with Disney, Mucha said. The data was shared “for the fulfillment of that contest prize, not for their own marketing purposes.”
Where else do data brokers get information about me?
Government records and other publicly available information, including some sources that may surprise you. Your state Department of Motor Vehicles, for instance, may sell personal information — like your name, address, and the type of vehicles you own — to data companies, although only for certain permitted purposes, including identify verification.
Public voting records, which include information about your party registration and how often you vote, can also be bought and sold for commercial purposes in some states.
Are there limits to the kinds of data these companies can buy and sell?
Yes, certain kinds of sensitive data are protected — but much of your information can be bought and sold without any input from you.
Federal law protects the confidentiality of your medical records and your conversations with your doctor. There are also strict rules regarding the sale of information used to determine your credit-worthiness, or your eligibility for employment, insurance and housing. For instance, consumers have the right to view and correct their own credit reports, and potential employers have to ask for your consent before they buy a credit report about you.
Other than certain kinds of protected data — including medical records and data used for credit reports — consumers have no legal right to control or even monitor how information about them is bought and sold. As the FTC notes, “There are no current laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes.”
So they don’t sell information about my health?
Actually, they do.
Data companies can capture information about your “interests” in certain health conditions based on what you buy — or what you search for online. Datalogix has lists of people classified as “allergy sufferers” and “dieters.” Acxiom sells data on whether an individual has an “online search propensity” for a certain “ailment or prescription.”
Consumer data is also beginning to be used to evaluate whether you’re making healthy choices.
One health insurance company recently bought data on more than three million people’s consumer purchases in order to flag health-related actions, like purchasing plus-sized clothing, the Wall Street Journal reported. (The company bought purchasing information for current plan members, not as part of screening people for potential coverage.)
Spokeswoman Michelle Douglas said that Blue Cross and Blue Shield of North Carolina would use the data to target free programming offers to their customers.
Douglas suggested that it might be more valuable for companies to use consumer data “to determine ways to help me improve my health” rather than “to buy my data to send me pre-paid credit card applications or catalogs full of stuff they want me to buy.”
Do companies collect information about my social media profiles and what I do online?
Yes.
As we highlighted last year, some data companies record — and then resell — all kinds of information you post online, including your screen names, website addresses, interests, hometown and professional history, and how many friends or followers you have.
Acxiom said it collects information about which social media sites individual people use, and “whether they are a heavy or a light user,” but that they do not collect information about “individual postings” or your “lists of friends.”
More traditional consumer data can also be connected with information about what you do online. Datalogix, the company that collects loyalty card data, has partnered with Facebook to track whether Facebook users who see ads for certain products actually end up buying them at local stores, as the Financial Times reported last year.
Is there a way to find out exactly what these data companies know about me?
Not really.
You have the right to review and correct your credit report. But with marketing data, there’s often no way to know exactly what information is attached to your name — or whether it’s accurate.
Most companies offer, at best, a partial picture.
While Acxiom lets consumers review some of the information the company sells about them, New York Times reporter Natasha Singer discovered this summer that only a sliver of information is shared, including whether you have a prison record or bankruptcy filings.
When Singer finally received her report, all it included was a record of her residential addresses.
Some companies do offer more access. A spokeswoman for Epsilon said it allows consumers to review “high level information” about their data — like whether or not you’re listed as making a purchase in the “home furnishings” category. (Requests to review this information cost $5 and can only be made by postal mail.)
RapLeaf, a company that advertises that it has “real-time data” on 80 percent of U.S. email addresses, says that it gives customers “total control over the data we have on you,” and allows them to review and edit the categories (like “estimated household income” and “Likely Political Contributor to Republicans”) that RapLeaf has connected with their email addresses.
How do I know when someone has purchased data about me?
Most of the time, you don’t.
When you’re checking out at a store and a cashier asks you for your Zip code, the store isn’t just getting that single piece of information. Acxiom and other data companies offer services that allow stores to use your Zip code and the name on your credit card to pinpoint your home address — without asking you for it directly.
Is there any way to stop the companies from collecting and sharing information about me?
Yes, but it would require a whole lot of work.
Many data brokers offer consumers the chance to “opt out” of being included in their databases, or at least from receiving advertising enabled by that company.
Rapleaf, for instance, has a “Permanent opt-out” that “deletes information associated with your email address from the Rapleaf database.”
But to actually opt-out effectively, you need to know about all the different data brokers and where to find their opt-outs. Most consumers, of course, don’t have that information.
In their privacy report last year, the FTC suggested that data brokers should create a centralized website that would make it easier for consumers to learn about the existence of these companies and their rights regarding the data they collect.
How many people do these companies have information on?
Basically everyone in the U.S. and many beyond it. Acxiom, recently profiled by the New York Times, says it has information on 500 million people worldwide, including “nearly every U.S. consumer.”
After the 9/11 attacks, CNN reported, Acxiom was able to locate 11 of the 19 hijackers in its database.
How is all of this data actually used?
Mostly to sell you stuff. Companies want to buy lists of people who might be interested in what they’re selling — and also want to learn more about their current customers.
They also sell their information for other purposes, including identity verification, fraud prevention and background checks.
If new privacy laws are passed, will they include the right to see what data these companies have collected about me?
Unlikely.
In a report on privacy last year, the Federal Trade Commission recommended that Congress pass legislation “that would provide consumers with access to information about them held by a data broker.” President Barack Obama has also proposed a Consumer Privacy Bill of Rights that would give consumers the right to access and correct certain information about them.
Cyber Threats cause government, businesses to Open Up Communication
By Kristen Leigh Painter
In a nondescript industrial park, on a dead-end road, tucked in an obscure corner of Denver, a group of “ethical hackers” made a startling discovery. Electronic data, stored by the defense- and-security branch of the Douglas County-based information company IHS, had been breached.
An Iranian hacker group had downloaded 16 terabytes of information about U.S. chemical, biological, radiological and nuclear materials.
IHS confirmed that its system had been compromised, but company spokesman Ed Mattix insists that all of the downloaded information was already available publicly in other places.
While this breach was apparently not harmful, the incident highlights a growing concern among government and corporate leaders as sensitive data increasingly go online and become the target of cyber-espionage.
As the threat of cyber-attacks — from perpetrators ranging from domestic hackers to international rivals — has become more widely understood, government leaders are beginning to make an effort to facilitate the exchange of information and best practices to help companies better protect themselves against such attacks.
In recent years, the White House, the U.S. Chamber of Commerce, Google, The Wall Street Journal, ThyssenKrupp, the Department of Energy, Twitter and Facebook have reportedly been hacked. Recent high-profile cases, such as one involving The New York Times, have brought attention specifically to hacking efforts originating from China.
The “ethical hackers” who made the IHS discovery are a Denver-based cybersecurity company called One World Labs. The company intentionally hacks its clients in an effort to scope out weaknesses.
Last month’s incident was not the first time it came across sensitive content in a suspicious place. But until recently, companies such as One World had few options when it came to notifying the government about such breaches.
Similarly, the government rarely communicated its knowledge about such risks to businesses.
“We all care about the common good, but we have no way of sharing it,” said Jay Weber, chief executive of One World Labs. “I think they are starting to talk in D.C. about opening up those conduits.”
Signs that the channels are clearing appeared Feb. 13 when President Barack Obama issued an executive order and policy directive demanding a concerted effort aimed at improving cybersecurity for critical infrastructure. He also addressed the topic in his State of the Union speech.
“Of all the things that the federal government gets a poke in the eye
(Click on image to enlarge)
about not doing well, this is one of the ways that they are leading us,” said Rick Dakin, CEO and founder of Coalfire, a Broomfield-based cyber-security audit-and-compliance company. “The work that the DHS is doing right now will convert the scary bedtime story into an actionable business step.”
The recent efforts by the Obama administration and the Department of Homeland Security focus primarily on opening a one-way path for government agencies to share cybersecurity information with private companies.
“We’ve seen more movement in D.C. in the last 30 days than in the last five years,” Weber said.
Many of the efforts are focusing on what seem to be Armageddonlike scenarios, such as hijacked nuclear power plants, disruptions to the electrical grid or interference with water-supply systems, all conducted by exploiting weaknesses in the computer systems of companies that manage such facilities.
The private sector, often leery of public oversight and red tape, is cautiously optimistic about the heightened engagement with Washington’s leadership. It says the government can take a lead on such efforts provided it moves quickly to establish the standards.
“The government side has the money to innovate. If they can funnel that to help the private sector, great. We just have to move faster,” said Chris Roberts, co-founder and chief information-security officer at One World Labs. “The mind-set is that the public sector puts down a series of regulations on paper but conversations take three to five years. So what started as a good idea gets watered down.”
Roberts feared that the information his company found regarding the Iranian hackers would never reach the desk of important officials.
This time, however, was different. Roberts recently made a serendipitous connection with Colorado resident Michael Locatis, who specifically focuses on such issues.
Locatis is the former assistant secretary of cybersecurity at the Department of Homeland Security, having just stepped down last month. Prior to the DHS, Locatis was the U.S. Department of Energy’s chief information officer and cybersecurity adviser to the secretary of energy.
When One World Labs discovered the Iran hacking data, Locatis connected the company directly with Homeland Security, which said it would look into the information.
“Folks in the DHS have really rolled up their sleeves and are working with these private companies,” Locatis said.
When it comes to cybersecurity fears, a great deal of attention has recently focused on critical infrastructure. Among the 16 sectors identified as “critical” are energy, dams, health care, water, nuclear reactors, food, communications and the defense industry.
“We have offensive cyber (weaponry) being developed in the U.S. We have to expect that is happening in other countries as well,” Dakin said. “China has been actively attacking U.S. companies for years. We are talking about things that control our critical infrastructure.”
As risk increases, the revenues of cybersecurity companies and the budgets of the U.S. government’s cybersecurity efforts have grown.
One World Labs was founded in 2010 and has doubled its revenues each year. Coalfire entered the cybersecurity business in 2003, has increased revenues by at least 40 percent each year and now has seven offices around the country.
The DHS’s National Cybersecurity Division was given a $442 million budget in 2012. Despite the budget crisis Washington is facing, the DHS is asking for nearly twice as much money in 2013: $769 million.
Obama’s executive order mandates federal agencies holding valuable cybersecurity intelligence and methodology to specifically assist private companies that are responsible for servicing these vital functions of society.
“Military-grade defense parameters are being commercialized to help industries and companies that are in the critical-infrastructure categories,” Locatis said.
Marvin McDaniel, senior vice president and chief administrative officer for Xcel Energy, said the company supports the administration’s efforts and hopes it succeeds.
“The greatest threat for us is a focused, coordinated attack on either us as a company or an entire industry,” McDaniel said. “The (government has) so much information on attacks on U.S. industry … and we are interested in seeing the depth of this information.”
The government’s troves of information could help private energy companies such as Xcel prevent a cyberdisaster by knowing where the attacks are coming from, when they are being planned and the nature of the attacks.
In the meantime, McDaniel said his company is protecting itself in all of the usual ways — firewalls, network security and other strong measures — while also trying to develop a better framework for incident response.
“We obviously have procedures to handle disasters, but the great question is: What if it affects more than one company? That was one of the great lessons of superstorm Sandy — to better coordinate our responses,” McDaniel said.
And while companies that carry a huge civic responsibility through their products — such as Xcel, IHS and Lockheed Martin — take their cyberprotection seriously, other businesses and corporations do not.
To many companies, the threats don’t feel real enough to warrant the time and money needed to keep up with adequate cyberprotection, experts said.
“For businesses, they have the perspective of ‘Just give me what is good enough.’ What is really insidious about this is that they don’t think they are big enough to be a target,” said Bud Michael, CEO of eSoft, a Broomfield-based company focusing on firewall, e-mail and network security.
Part of the problem is that these companies do not know what resources they have and where to turn for help.
Locatis is aiming to help bridge that gap. He helped catalyze the change in attitude at the DHS before leaving his position, and he is now working on the private side of the equation. He started Nexusist, a Colorado company that aims to make sense of the cyber-ecosystem to company and government players.
“This is information that was trapped in government,” Locatis said. “Not only was there not information- sharing between private and public sectors, the government wasn’t sharing with itself.”
And while these signs of improved public-private partnerships are beginning to address information-sharing issues from government to commerce, it is still difficult for the private companies to share with government.
Roberts was able to shuttle the IHS breach information to the government because he knew the right people, but that was the exception that he hopes will soon become the rule.
“We have tons of big data we want to hand off, but we don’t know where,” Roberts said.
Time will tell whether the federal government’s executive branch and these private stakeholders forge a path that others will follow.
For the rest of this article, please go to http://www.denverpost.com/business/ci_22757268/cyber-threats-cause-government-businesses-open-up-communication. Thanks for reading! How can OWL help your company protect itself?
