Tag Archives: security

Public Service Announcement: How to Delete Online Accounts You No Longer Need

Wireless communications as predicted 113 years ago! (click to embiggen)
People are sharing this article that Consumer Reports printed last week, and I think it’s worth sharing. The upside is that of the services they list, the link does indeed take you right to the Delete Account page. The downside is if you don’t remember your old login credentials you may not be able to delete the account. Especially if you no longer have access to the email account (if any) associated with the social media account.

Old accounts like this are a long-term security risk for a few reasons. If you’re like millions of others, there has been a time when you were using the same (or substantially similar) passwords for lots of services, so a data breach at a service like that gives hackers a database with thousands of people’s username and password pairs that will work at other sites. The bigger issue is that these accounts often have information that can be used to confirm your identity somewhere.

Think of those “recover your password” security questions, like first car or mother’s maiden name or name of first elementary school teacher. I had one friend once dismiss a big data breach by saying, “I don’t give true answers to those questions. I have a set of fake answers that I use everywhere instead.” It took me a few minutes of explaining before he realized that having the same answers to those questions everywhere meant that learning the fake answers from one site gave other people access to his accounts elsewhere. It doesn’t matter if the answers to the personal security questions are true, just whether they match the answers you’ve given before.

In theory, deleting old accounts should remove all of that kind of information at the service in question. So, this article may be useful to more than a few of you:

How to Delete Online Accounts You No Longer Need — Having too many digital accounts raises your risk of data being misused or stolen. Here’s how to clean house.

Time to say bye-bye to LiveJournal

I had gotten a couple of error messages informing me that the LiveJournal cross-posting wasn’t working the last couple of days, but hadn’t had time to look into it. Now I suddenly know why some people were making cryptic comments about not agreeing to new terms of service. This isn’t quite how I expected that service to start killing off the non-Russian content when I predicted that was the next logical move after they removed all of the mirrored servers outside of Russia and disabled secure socket login. The new Terms of Service include a lot of weird and concerning stuff, but the real deal-breaker is this:

[The user must] Mark Content estimated by Russian legislation as inappropriate for children (0-18) as “adult material” by using Service functions.

And because of their various anti-gay laws, that means any mention of, oh, say, the fact that I’m gay must be marked as inappropriate for children. And that’s B.S. It’s B.S. when YouTube is doing it, it’s B.S. anywhere. There are also clauses that say the journal will be deleted if you don’t sign in for several months, and it seems to say that if your journal doesn’t generate a minimum number of hits in a period of time it will also be deleted, and so on. There’s some analysis of the situation here and here and here.

The real kicker is that the English translation of the Terms of Service, which you have to click “Agree” to in order to sign in right now, says that only the Russian version is valid. Well, I can’t read Russian, so I have no clue what I’m really agreeing to if I can’t rely on the English translation they’re offering, right? A user who can read Russian has kindly posted a translation of the applicable laws here, if you’re curious.

I’m still weighing whether to log in, click “Agree”, then delete all the entries except one that says the journal is closed. I mean, I’d be abiding by the terms as quickly as I could if I did that, right?

I migrated my journal to Dreamwidth a long time ago and downloaded back-ups. I do most of my blogging on my FontFolly.Net blog with cross-posting elsewhere. I didn’t delete the LiveJournal earlier because I still have some hold-outs on the friends’ list there who as far as I can tell have not moved to Dreamwidth or followed any other blogs.

Regardless of what anyone still using LiveJournal decides to do with their journals there, I hope that you will at least make a note of the ways to find me on the net: follow my WordPress-based blog on FontFolly.Net (you don’t have to have a WordPress account to do so); follow me on Twitter at @FontFolly, follow the cross-posting from FontFolly.Net to my Dreamwidth journal. If you don’t mind the dozens of reblogs of weird and fannish stuff, you can even follow me on Tumblr (where FontFolly.Net also cross-posts).

Why LiveJournal isn’t the best way to follow me

Lisa Simpson reading her friends' posts in an image from The Simpsons © Gracie Films, © Fox Television, et al
I’m going to post this on my blog at own domain as a placeholder, though this is primarily aimed at people who still follow me on LiveJournal.

LiveJournal is almost certainly going away. By which I don’t mean that I’m deleting my LiveJournal. What I mean is that the owners of LiveJournal in Russia continue to make it clear that customers outside of Russia are operating on borrowed time. This week for a while they blacklisted Dreamwidth’s servers, meaning that crossposting, importing, and so forth between the two services stopped working for a while. I exported and moved my entire LiveJournal archive to Dreamwidth years ago for reasons explained before. I then purchased my own domains (FontFolly.Net) and maintain my journal there. I still cross-post to Dreamwidth from FontFolly.Net, which triggers a cross-post to LiveJournal, but how long that works is entirely up to the owners of LiveJournal.

And if you still aren’t aware of why this is an issue: LiveJournal is laying off its U.S. staff, and has moved its servers to Russia, which means your data and so forth is no longer protected by U.S. laws. The owners have also removed HTTPS security on everything but the payment page, which should concern you, because lack of secure socket technology means hackers, spies, governments, and yes, even your nosy next-door neighbor may be able to spy on you while you’re on LJ.

I’m not accusing the owners of anything nefarious here; I just think it’s very clear that the majority of their business and interest is in Russia, and all journals originating outside Russia are not a priority. Service for those of us outside the U.S. is almost certainly going to continue to degrade. Our journals may simply vanish altogether.

A lot of people are archiving their LiveJournals so as not to lose those years of journaling (instructions to do so HERE). I did that some time ago when I imported everything to Dreamwidth. Dreamwidth uses a fork of the original open source LJ code, so if you’ve stuck with LiveJournal because it’s easy and familiar, you’ll find using Dreamwidth is a very similar experience. You’ll also find that a lot of people who used to be on LiveJournal are over there. Some still crossposting like I do, so you may not be aware that some people you’re following here have actually decamped.

I have two selfish reasons I’m posting about this again. The first is that I would hate to lose the readers who still follow me here (regularly clicking over to my journal at FontFolly.Net, and occasionally leaving comments here). The other is that for a few of you, the only way I get any news about what’s happening in your life is by checking your LiveJournal on my Friends’ feed, and I would hate to lose contact with you that way.

Regardless of what anyone still using LiveJournal decides to do with their journals there, I hope that you will at least make a note of the ways to find me on the net: follow my WordPress-based blog on FontFolly.Net (you don’t have to have a WordPress account to do so); follow me on Twitter at @FontFolly, follow the cross-posting from FontFolly.Net to my Dreamwidth journal.

To repeat: I’m not doing this to tell anyone you must stop using LiveJournal (though the current lack of secure socket support is extremely worrying). I’m seriously considering disabling comments on LiveJournal because I have to log in to their now NOT-secure site to reply, and that just doesn’t seem wise.

Hacking and phishing and spying, oh my!

thesecurityawarenesscompany.com/
I’ve got a slightly different weekend update than usual, today. Neither of these are related to specific stories I posted yesterday, they’re all stories that I came across later in the day Friday that should be shared fairly quickly. The first one is not just your typical phishing attack story, though:

Wide Impact: Highly Effective Gmail Phishing Technique Being Exploited. The tl;dr version: this particular hack involves the hackers sending emails from a hacked account to people in that account’s contact list. So it starts with you getting an email from someone you already know. But it’s much more clever than that! They take text from previous messages that person has sent, and it isn’t random. They find messages where the person has sent attachments, and they construct the new message from it. So if it’s someone you know, the phrasing of the subject and the text sound like something that person would write. The attachment in the new message is merely a screen capture, and it hides a link to their fake Google login page. So you click on the attachment from a friend, you’re told that to view the attachment you need to log in to Google, and they get your username and password. And within seconds, they’re going through your account and sending more hacked messages to your friends.

They’ve even constructed the login page so that if you take the precaution of looking at the address bar in your browser before you start to sign in, you see “https:accounts.google.com” so you think you’re at the real Google. You’re not.

Once they’ve got your password, they can read all your email and do other things to your account.

The linked article has screenshots and advice for how to recognize this kind of attack, as well as steps for what you can do to see if you’ve already been hacked. Check it out!
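The point of the address-bar trick above is that text which looks like the Google address is not the same as actually being at the Google sign-in origin. Here is an added example (not code from the original post or from the linked article) that decides genuineness from the parsed scheme and exact host only, run over constructed sample address strings:

```python
# Added example: "looks like Google in the address bar" vs. actually being at
# the Google sign-in origin. Only the parsed scheme and the exact host count;
# the Google name appearing somewhere else in the address proves nothing.
from urllib.parse import urlsplit

EXPECTED_SCHEME = "https"
EXPECTED_HOST = "accounts.google.com"   # the genuine Google sign-in host


def is_genuine_google_login(address_bar_text: str) -> bool:
    """True only if the address parses to https with exactly the expected host."""
    parts = urlsplit(address_bar_text.strip())
    # urlsplit lower-cases the scheme; .hostname is lower-cased and port-free
    return parts.scheme == EXPECTED_SCHEME and parts.hostname == EXPECTED_HOST


def why_not_genuine(address_bar_text: str) -> str:
    """Explain, for a user prompt or a log line, which part of the address is off."""
    parts = urlsplit(address_bar_text.strip())
    if parts.scheme != EXPECTED_SCHEME:
        return f"scheme is {parts.scheme or '(none)'!r}, not https"
    if parts.hostname is None:
        # "https:" with no "//" means the Google name is in the path, not the host
        return "no host at all (the Google name is not the host)"
    if parts.hostname != EXPECTED_HOST:
        return f"host is {parts.hostname!r}, not {EXPECTED_HOST!r}"
    return "genuine"


# Constructed sample address-bar strings (not taken from a real incident).
SAMPLES = [
    "https://accounts.google.com/signin/v2/identifier",       # the real thing
    "http://accounts.google.com/signin",                      # no TLS at all
    "https://accounts.google.com.login-help.example/",        # look-alike subdomain
    "https://login-help.example/?next=https://accounts.google.com",  # name in query
    "https:accounts.google.com",                              # the string quoted above
]


def classify_samples() -> dict:
    """Map each constructed sample to the explanation a user would see."""
    return {s: why_not_genuine(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, verdict in classify_samples().items():
        print(f"{verdict:55s} <- {sample}")
```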

And this one is less about hackers: Security backdoor found in end-to-end encryption system used in WhatsApp. The Guardian reports that security experts have found that since buying WhatsApp, Facebook has added a back door. In updates, Facebook denies that this is a backdoor for government agencies and claims it will fight any attempts from governments to access accounts.

Which is meaningless.

The existence of the backdoor means that when Facebook loses that fight (because of court orders, for instance) that the backdoor will be used to read the supposedly secure communications. The original design of WhatsApp and similar end-to-end services didn’t have a backdoor because if one exists, it will be exploited eventually. Also, Facebook’s description of the service currently lies and says that they can never read the messages. With the backdoor there, yes they can.

Joy.

While we’re on the subject of cyber security: Cellebrite, a Major Dealer of Hacking Tools, Has Itself Been Hacked. This is one of the companies that makes tools that allow people to hack your phone. After indulging in a moment of schadenfreude that these hackers have been hacked, we then have to worry about what is in that 900GB of data that was stolen from them. Since the dump “contains what appears to be evidence files from seized mobile phones” among other things, who knows whose personal information has been stolen. Supposedly Cellebrite only sells their tools to law enforcement agencies and the like, but it has been previously shown that those agencies include some very shady regimes. And in the case of their mobile hacking devices, those things could be resold or stolen from those agencies and be in anyone’s hands.

And let’s do one more: E-Sports Entertainment Association hacked; profiles of 1.5 million customers exposed. The leaked data includes real names, phone numbers, and birthdates. Very useful for identity theft. Not much you can do about it once the information has been stolen.


ETA: Several people are questioning the Guardian story about WhatsApp: The backdoor that never was, and how to improve your security with WhatsApp. The argument seems to be that while there is a security problem, it isn’t technically a backdoor. The article I linked has information on things you can do to avoid your WhatsApp messages being compromised. I’m going to leave it to the security experts to argue this out.

Patching and praying isn’t enough

A few weeks back I received a message from a website (where I have ordered a few things in the past) alerting me that someone had tried to reset my password, and if it wasn’t me, I should notify them and take various steps to secure my account.

It was not me, so I reported it, then I double-checked that my old password still worked, confirmed that since the attempt no one had ordered more stuff from them on my account, and I changed my password and set up two-factor authentication. Two-factor authentication is a step beyond the simple user name and password combination, usually involving using your cellphone. In order to make changes to your account, a person needs to log in with the user name and password, and then enter a confirmation code which the site sends you in the form of a text message to the phone at the time you make the request. This makes it very difficult for someone who has stolen your password to do nefarious things with your account, because they don’t have access to your phone.
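To make the flow concrete, here is an added example (not code from the original post or from any of the sites mentioned) that models the two steps: a correct password only earns a challenge and a texted code, and a session is issued only when that code comes back before it expires. The user record, the password and the SMS "outbox" are constructed stand-ins.

```python
# Added example: username+password, then a one-time code "texted" to the
# phone on file. A stolen password alone never yields a session.
import hashlib, hmac, os, secrets, time

# Constructed sample account with a salted PBKDF2 hash of "correct horse".
_SALT = os.urandom(16)
_ITER = 100_000
USERS = {"gene": {"pw": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER),
                  "phone": "+1-555-0100"}}
SENT_TEXTS = []            # stands in for the SMS gateway (phone, code)
_PENDING = {}              # challenge id -> [username, code, expiry, attempts]
CODE_TTL = 300             # seconds a code stays valid
MAX_ATTEMPTS = 3           # guesses allowed per challenge


def start_login(username, password, now=None):
    """Step 1: verify the password; on success send a code. Returns a challenge id."""
    now = now if now is not None else time.time()
    user = USERS.get(username)
    if user is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    if not hmac.compare_digest(digest, user["pw"]):
        return None
    code = f"{secrets.randbelow(10**6):06d}"            # fresh 6-digit code
    challenge = secrets.token_urlsafe(16)
    _PENDING[challenge] = [username, code, now + CODE_TTL, 0]
    SENT_TEXTS.append((user["phone"], code))            # "texted" to the phone
    return challenge                                     # NOT a session


def finish_login(challenge, code, now=None):
    """Step 2: the code proves possession of the phone. Returns a session or None."""
    now = now if now is not None else time.time()
    entry = _PENDING.get(challenge)
    if entry is None:
        return None
    username, expected, expiry, attempts = entry
    if now > expiry or attempts >= MAX_ATTEMPTS:
        _PENDING.pop(challenge, None)                   # expired or exhausted
        return None
    entry[3] += 1
    if not hmac.compare_digest(code, expected):
        return None                                      # wrong code, counted
    _PENDING.pop(challenge)                              # single use
    return {"user": username, "session": secrets.token_urlsafe(24)}
```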

A week or so later I received another such message from yet another internet web service that I almost never use. Again, I hadn’t requested a reset, so presumably someone was trying to hack me. This service didn’t offer two-factor authentication, and it wasn’t a place where one could spend money, so I just changed my password.

And then it happened again, this time at a big service owned by Microsoft, and this time the warning included additional information: the person who had tried to change my password had done so, according to Microsoft, from an IP address in Russia. Well, there are a lot of hackers in Russia, so that probably shouldn’t be a surprise.

This site offered two-factor authentication, so I set it up, changed passwords again, et cetera.

Then this week it all became clear: Russian Hackers Amass Over a Billion Internet Passwords

Lots of web services require you to use an email address in order to set up an account. The reason for this is that if you forget your password to the service, you can make a reset request, and they’ll send a link to the address you used so you can get back in. Most people use one email address for all of these sign-ins, and they use the same password everywhere, because remembering dozens of different passwords is difficult.

I use a program called 1Password, which has the ability to generate a separate password for me for every place I need one, stores the passwords in an encrypted database, and lets me access those passwords from either of my Macs, my iPhone, my iPad, or my Windows laptop (and if I owned an Android device, they’ve got that covered, too). Since 1Password has plug-ins for all of the major browsers, it’s really easy to use.

Anyway, this is my plug to say that if you don’t have something like 1Password, you really, really should. Mac OS X has similar functionality built into the operating system now. Pretty much every browser in the world will store passwords for you, and some of them have a secure password generation feature built in. And you do need more than just storage. Having the computer generate a different password for each site is a bit more secure than you trying to generate a new password, because 99% of the time when humans are told to think up a new password they do something like take the old password and add numbers, such as 1 2 3 or something easy to remember (and really easy for someone to guess or a hacking script to generate).

I highly, highly recommend 1Password, myself, but there are other options: Lifehacker: Five Best Password Managers or Top Ten Reviews: 2014 Password Management Software Product Comparisons.

But again, I can personally vouch for 1Password.