Facebook Tips to Make Password Privacy Issue a Non-issue

Facebook is in the middle of another hubbub over companies asking prospective employees for their login information for the social networking site as part of the hiring process, but you can make the obvious privacy concern a non-issue by being careful. I cannot stress this point enough – even temp agencies require you to give them access to your account to see what kind of person you are before they hire you. (We would always recommend you show them your page, instead of giving them your login information, if possible.)

Here are a few tips to help you enjoy the service and not worry about interfering with your ability to land that perfect job.

The bottom line: A little Facebook savvy goes a long way.

First, understand that Facebook isn’t private. Yes, you can choose your friends and to some degree limit what people see about your posts, but plenty of interested parties actually have a window into what you’re sharing. For one thing, the social network keeps track of everything you do on its territory so as to push hyper-targeted ads to you.

Timeline, for example, has been widely criticized for communicating too much about users because it visually aggregates everything you’ve ever done on the site — the information you’ve included on your profile, your photos, everything you’ve ever “liked,” any Facebook apps you’re using, a map showing where you’ve been (according to geo-tagged posts and photos), as well as a timeline of everything you’ve ever posted.

And by encouraging people to create an online scrapbook and add to Timeline extra information about their lives — all the way back to birth if they want — Facebook gleans even more personal data about its users. The point is to deliver ads that users are more likely to click on.

Speaking of ads, PCWorld recently reported that “liking” something on Facebook can make you an unwitting and unpaid endorser of an advertiser’s products or services. Once you “like” a company page, check in at a merchant location, or post an update mentioning a product, service, or company, your activity can be used as an ad. That’s because your friends may receive an update informing them of your activity — whether you want Facebook to share it or not.

You can’t opt out of these Sponsored Stories.

Second, use online etiquette so there’s less dirt on you to find. A couple of online behaviors are not only annoying to other users, they can be telling to potential employers investigating your online profile. Take political spewing, for example. You know that Facebook friend who constantly posts commentary about political issues? How often are you completely in agreement with his perspective? That’s because political opinions are divisive. Polite Facebook users don’t push their political agendas onto their friends.

Online complaining is another common practice that makes people look bad. If your girlfriend just dumped you or you lost your house or job, it’s best to keep it to yourself — at least digitally. The people who want to hear your sad story have a relationship with you in the real world; Facebook isn’t the place to air your troubles.

I know I shouldn’t have to say this – don’t post negative items about your current or former employer, gossip about your workplace, or complain about your work environment, past or present. It is a big red flag for prospective employers.

Third, use Facebook to your advantage rather than disadvantage. Instead of worrying about what people will find when they vet you online, how about being proactive about everything you share?

Like it or not, your digital identity is what defines you to potential employers and recruiters seeking you out online. And if you’re interested in pushing your career forward, experts suggest that you take your digital identity seriously. The right words, photos, and social media banter online can impress a prospective employer or recruiter, while the wrong ones may turn them off.

All of this isn’t to say that the practice of asking someone to hand over their social media login credentials is OK — far from it. For one thing, your friends haven’t necessarily given permission for non-friends to see their posts.

At the same time, over-sharing online can cause you problems because people you don’t expect may be watching; avoid doing so and you’ll be better off.


Windows 8 rumored to complete this summer for October launch

We all know that Windows 8 is coming, and many computer makers have big plans for using the operating system in a new generation of tablets to challenge the iPad. People claiming to have knowledge of Microsoft’s schedule are saying that Windows 8 will be finished this summer and will go on sale around October. The October window for launch would be no surprise with the holiday shopping season coming shortly thereafter.

So far, it has been reported that the Windows 8 rollout will include devices using Intel processors and ARM processors. Many people are hoping that Windows 8 machines using ARM processors will be cheaper than those running Intel parts. However, the sources claim there will be under five ARM devices available when Windows 8 launches while there are over 40 set to be available with Intel parts inside.

Analysts are saying if Microsoft misses the September to October launch window, Windows 8 tablets and computers won’t be able to ship in 2012. Rumors also state three of the available Windows 8 devices using ARM processors will be tablets. If fewer than five devices with ARM processors running Windows 8 will come at launch, that leaves room for only one notebook with ARM hardware.

Ten Ways to Dodge CyberBullets, Part 10

10. Don’t be a crackhead

This is the tenth and final installment in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

Don’t use cracked/pirated software. Such programs provide an easy avenue for introducing malware into (or exploiting weaknesses in) a system. The illegal P2P (peer-to-peer) distribution of copyrighted audio and video files is dangerous. Some of these files are counterfeited or modified so that they can be used directly in the malware distribution process.

Even if a utility seems to come from a trusted and trustworthy source rather than Mrs. Miggins’ Warez Emporium, it pays to verify as best you can that it’s genuine.

Win32/GetCodec.A, which is as common now as it was a year ago, is a type of malware that modifies media files. This Trojan converts all audio files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to malicious content, claiming that the fake “codec” has to be downloaded so that the media file can be read.

WMA/TrojanDownloader.GetCodec.Gen is a downloader that facilitates infection by GetCodec variants like Win32/GetCodec.A.

Passing off a malicious file as a new video codec is a long-standing social engineering technique exploited by many malware authors and distributors. The victim is tricked into running malicious code he believes will do something useful or interesting. While there’s no simple, universal test to indicate whether what appears to be a new codec is a genuine enhancement or a Trojan horse of some sort, we would encourage you to be cautious and skeptical about any unsolicited invitation to download a new utility. Even if the utility seems to come from a trusted site, it pays to verify as best you can that it’s genuine.


Ten Ways to Dodge CyberBullets, Part 9

9. Be wireless, not careless

This is the ninth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

Don’t connect to just any “free Wi-Fi” access point; it might alter your DNS queries or be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions. (When I have occasion to see what networks are being offered me in hotels, airports, even in the block where I live, I have to wonder how many of them are legitimate…)

Here’s a summary of some of the most important points to remember:

Be aware of some common security issues with hot spots:

  1. “Evil twin” login interception, a scenario where a network is set up by hackers to resemble a legitimate Wi-Fi hot spot, in order to intercept your login credentials for legitimate networks and sites.
  2. Previously unknown (zero-day) attacks exploiting operating system or application vulnerabilities.
  3. Sniffing, or using computer software and/or hardware to intercept and monitor traffic passing over a network.
  4. Other forms of data leakage using man-in-the-middle attacks.

Also be aware of ways to reduce your attack surface and protect your computer:

  1. Ensure VPN pass-through ports are enabled, but don’t allow a high port free-for-all; professional system administrators open only necessary ports. This doesn’t stop all attacks, but it does reduce them.
  2. Use HTTPS to access webmail.
  3. Avoid protocols that don’t include encryption wherever possible.
  4. Disable sharing of files, folders, services.
  5. Avoid connecting to sites that transfer sensitive data, your banking information, for instance, when connected to an untrusted access point.
  6. Ensure you’re using sound firewalling, antimalware, a host intrusion prevention system, and so on.

Ten Ways to Dodge CyberBullets, Part 8

8. Antivirus isn’t total security

This is the eighth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

Don’t expect antivirus alone to protect you from everything.

Use additional measures such as a personal firewall, antispam and anti-phishing toolbars, but be aware that there is a lot of fake security software out there. This means that you need to take care to invest in reputable security solutions, not malware that claims to fix nonexistent problems, or toolbars that are designed to divert you away from the sites you want to visit and toward the ones that generate revenue for adware providers.

Apart from that, even the best protection might not protect you as well as common sense and caution do. There is no silver bullet in protection against malware, which is why we always advocate multilayering or defense in depth. Specifically, don’t fall for the “I can do anything and click on anything because my antivirus will protect me” trap. There seems to be a temptation for people to cluster at one of two extremes.

  • Some people have such touching faith in their AV that they assume it will catch everything malicious that’s thrown at their system, so they don’t run anything else and are convinced that they don’t need to think about their own security. When they eventually find that their system has been infected, whether it’s by something they’ve clicked on incautiously or something a little more subtle like a zero-day vulnerability or a drive-by download, they feel betrayed and angry. That’s understandable, but it comes from a misunderstanding of the limitations of all security software. For every technical solution (not just AV), there is at least one way of getting around it.
  • Others take the view that antivirus is no use at all because it “only detects malware it already knows about.” That isn’t the case; only the most primitive modern antimalware relies purely on signatures of known malware variants. Good antimalware products incorporate tools like generic detection, advanced heuristics, sandboxing, whitelisting and so on into an integrated product that catches a high percentage of all malware, not just viruses.

The danger in both scenarios is that the individual is tempted to substitute one partially successful solution for another. (Some marketing departments may overstate the effectiveness of a product, but that isn’t a problem restricted to the antimalware industry, or even the security industry!)

The trick is not to rely solely on one solution at all. A diverse spread of partially successful solutions may be more successful… However, note that word diverse. For most people, half a dozen antivirus packages on a single desktop machine are likely to cause more problems than they solve… By multilayering, I mean using a diversity of product types. Using multiple antivirus products may catch more specific malicious programs, but the increased detection may not be worth the additional strain on resources and risk of program conflicts, false positives and so on.

Also, please bear in mind that malware gangs spend a lot of development time tweaking binaries so that they will evade specific scanners. The more effective a scanner is, the likelier it becomes that it will be targeted in this way.

This is why we recommend supplementing your antivirus program with two malware scanners – Malwarebytes and Spybot Search & Destroy. Both are available under a free license; however, the free versions require manual updates and manual scanning. Only the paid versions offer automatic updates and scanning.

Ten Ways to Dodge CyberBullets, Part 7

This is the seventh in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

7. Call for backup

If sensitive information is stored on your hard drive (and if you don’t have something worth protecting on your system, you’re probably not reading this paper), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, and business-related risks.

Consider (seriously) regularly backing up your data to a separate disk (as a minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original; if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer, they’ll “all go together.” In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what some of the accounts we took over have done in the past – back up data to a server, but forget to back up the server itself.

Ten Ways to Dodge CyberBullets, Part 6

This is the sixth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

6. Social networks can be very anti-social

Don’t disclose sensitive information on web sites like Facebook or LinkedIn if you can’t be sure that you can limit access to those data. Even information that in itself is innocuous can be combined with other harmless information and used in social engineering attacks.

In 2012, it’s more than likely that we’ll see increased targeting of social networks, such as Facebook, LinkedIn, Twitter in the U.S., and Orkut and Hi5 in South America. Attackers will be looking for data they can exploit from a social engineering standpoint, but they’ll also be looking for cross-site scripting and replicable malware attacks on the web sites as well as their APIs (Application Programming Interfaces).

Data mining (both legitimate and criminal) will have a wider range of effects on individuals, and some of those effects will be far from beneficial. A notable example is Facebook’s lack of commitment to a realistic security model, which would be a very significant supplement to its rather generic security center advice. It seems to me that Facebook is encouraging its users to share as much information as possible, while essentially making them responsible for the security of their own data. This isn’t unique to Facebook, of course, or even to Web 2.0 providers in general. But some such services are grooming us to accept that it’s legitimate for an ever-wider pool of data to be used to monitor our behavior. It’s becoming harder to distinguish between appropriate and illicit use of personal data, in terms of targeting both advertised content and services, and of monitoring for security purposes by financial and governmental institutions, for instance. Lines are sometimes very blurred between legitimate and criminal data mining in some of these areas, and there are questions to be asked about validation.

Privacy tends to diminish where it’s in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but the selling of information at the back door by more or less legal means will continue as it always has, though it’s starting to attract some attention. This may be less true in Europe, where data protection and other directives already give some formal weight to the principle that organizations should only hold as much personal data as they need, rather than what they want. On the other hand, the U.S. may eventually take more notice of this issue, and the potential for change is considerable.

Windows 8: a Tablet Contender

On Wednesday, Microsoft debuted its Windows 8 Consumer Preview at the Mobile World Congress event in Barcelona. The software, already available for download, may be the most important Windows release to date, as such mobile operating systems as iOS and Android have gained a foothold in tablets. Although people often think “desktop” when they think of Windows, several mobile features found in the new OS will get Microsoft back in the tablet game. Here are some reasons we think this may drive the push to tablets:

  1. The Metro UI. First seen in the 2010 launch of Windows Phone, the Metro UI is a relatively unique interface that takes center stage in Windows 8. Widget-like tiles that offer information at a glance are the main draw here, and tapping a tile opens up the underlying app. If you see today’s local weather on a tile, for example, with a quick tap or click you have access to more details, such as a five-day forecast or the weather in other locations. The constantly updating tiles serve as both an information provider and a simple entry point into full applications. At the same time, Microsoft is also providing a consistent interface among smartphones, tablets, and personal computers, something that may help boost Windows Phone sales.
  2. A touch-friendly keyboard. It certainly helps that Windows is no longer constrained to use the resistive touch screens of yesteryear. Capacitive displays are far easier to use, provided the underlying software is optimized to take advantage of them. To this end, Microsoft completely redid its touch keyboard for Windows 8, again emulating what we have seen from Windows Phone.
    That’s a good thing, as the WP keyboard is arguably one of the best, and the excellent auto-correct features will greatly help text input on a Windows 8 mobile device. The new keyboard can also split into two halves to help with thumb typing while holding a device in landscape mode.
  3. Along with not needing a physical keyboard on a Windows 8 mobile device, the mouse may be extinct too. That’s not surprising, given the use of a touch screen, but the operating system includes smart system gestures to keep navigation effective. Sure, there is pinch-and-zoom functionality as well as the ability to rotate objects with two fingers. Swipe a screen from the bottom and you will see specific application commands, while a swipe from the top can dock or close an app. Drag your finger off the left edge of the display for the most recently used apps, and a swipe from the opposite side shows system commands, the “Start” button, and sharing options.
  4. Given how mobile broadband plans are often capped, it’s nice to see Microsoft take an intelligent approach to connectivity on mobile devices. I noticed at least two ways the platform does this. First, if you are on what Windows calls a “metered data” plan, there’s a setting that limits Windows Update downloads to only take place when on Wi-Fi. Second, the network management function can automatically switch a device’s connection from 3G or 4G to Wi-Fi if it finds an available wireless network.
  5. Improved power efficiency. Part of the reason Windows has been considered less of a mobility solution is how much power it requires to run. That’s a simplified explanation, but the point holds true: Windows has long been a platform for plugged-in desktops and laptops with large batteries. So how will it work on tablets that are smaller, lighter, and thinner? Quite well, apparently, for a number of reasons. For starters, Windows will now run on ARM-based silicon: the chips that power today’s smartphones and tablets for hours on end. Microsoft is also optimizing the platform so it won’t drain batteries as quickly. You can still run multiple apps, for example, but—again, taking a cue from mobile device advancements—background apps are suspended so they’re not using up a device’s resources.
  6. SkyDrive saves your data. No device that’s truly mobile relies solely on local storage: It also offers cloud connectivity and remote storage. That’s where Microsoft’s SkyDrive comes in, although you can always use Windows 8 with Dropbox, Amazon’s Cloud Drive, or any other cloud-storage system. The advantage of SkyDrive is its integration into Windows 8 and Windows Phone, similar to Apple’s iCloud in OS X and iOS.


Ten Ways to Dodge CyberBullets, Part 5

This is the fifth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

5. Trust people, not addresses

Don’t trust unsolicited files or embedded links, even from friends.

It’s easy to spoof email addresses, for instance, so that email appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Basic SMTP (Simple Mail Transfer Protocol) doesn’t validate the sender’s address in the “From” field, though well-secured mail services do often include such functionality.

On some older systems, it is possible to send email using someone else’s address, a trick that’s easily performed using telnet and an unsecured mail server, especially when you’re on the same network. Sometimes you are able to identify the real sender immediately by his IP address, but the nature of the 21st century Internet means that there are many ways of concealing such information, if you really want to stay hidden.

It’s also possible for mail to be sent from your account, without your knowledge, by malware, though malware that works in this way is far rarer than it used to be. It’s far more effective for a spammer to hire the services of a bot herder nowadays, and malware that manages to infect your system doesn’t have to use your mail account or client software to send spam, scams and malware on to other victims.

Bot herders are hackers who use automated techniques to scan specific network ranges and find vulnerable systems, such as machines without current security patches, on which to install their bot program. The infected machine then becomes one of many zombies in a botnet and responds to commands given by the bot herder, usually via an Internet Relay Chat channel. One of the newer examples of such a bot is Conficker.

There are also many ways to disguise a harmful link so that it looks like something quite different, whether it’s in email, chat or whatever. The disguising of malicious links in phishing emails so that they appear to go to a legitimate site has obliged developers to reengineer browsers to make it easier to spot such spoofing.

However, too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it’s not always easy to tell a genuine site from a fake one just from the URL, even if the URL is rendered correctly. (Early phishing emails tended to rely on exploiting bugs in popular browsers to hide the real target link.) DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under his control.
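The two warning signs this post describes, a “From” address that SMTP never validates and a link whose visible text hides a different destination, can be checked automatically on the receiving side. The following is an added Python example (not code from the original article) that inspects a constructed sample message, flags a From/Return-Path domain mismatch as a spoofing indicator, and lists anchors whose displayed hostname differs from the href; all addresses and hosts in it are placeholders.

```python
"""Check a raw email for two phishing indicators: a From: domain that differs
from the Return-Path (envelope sender) domain, and HTML links whose visible
text names one host while the href points to another. Standard library only."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; every host below is a placeholder.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer-example.test>
From: "Example Bank" <alerts@example-bank.test>
To: customer@example.test
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="http://login.example-bank.test.attacker.test/x">https://www.example-bank.test/login</a></p>
<p>Or visit <a href="https://www.example-bank.test/help">our help page</a>.</p>
</body></html>
"""


def domain_of_address(addr):
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """True when From: and Return-Path: name different domains. This is an
    indicator only: legitimate bulk mailers also produce mismatches."""
    from_dom = domain_of_address(msg.get("From"))
    path_dom = domain_of_address(msg.get("Return-Path"))
    return bool(from_dom and path_dom and from_dom != path_dom)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def disguised_links(html):
    """Return hrefs whose host differs from the host shown in the link text.
    Only link text that itself looks like a URL or hostname is compared;
    plain words such as 'our help page' cannot be judged and are skipped."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and "." in shown and real and shown != real:
            flagged.append(href)
    return flagged


def analyse(raw):
    """Run both checks on a raw message and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender_mismatch": sender_mismatch(msg), "disguised_links": disguised_links(body)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```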