Computer Internet Security, Privacy and Safety

The Basics of Internet Privacy and Security



Cybersecurity News And Alerts

Q: How do websites know what device I'm logged in with?

A: There are a million ways.

Internet Privacy

Do not use any Facebook game, IQ test, quiz or other third-party apps (applications). Never give permission allowing a third party access to your personal information. Shame on you if you allow your friends' information to be accessed! "In 2014, Facebook invited users to find out their personality type via a quiz developed by Cambridge University researcher Dr Kogan called This is Your Digital Life." The personality quiz was used to exploit users' personal information, as well as all of their friends' personal information. Your (and your friends') information was then sold through Cambridge Analytica to the Trump campaign and used to exploit you.

The Danger in Email, Stylesheets, Scripts and Session Replay

What happens when you open an email and allow it to display embedded images and pixels? You may expect the sender to learn that you’ve read the email, and which device you used to read it. But in a new paper we find that privacy risks of email tracking extend far beyond senders knowing when emails are viewed. Opening an email can trigger requests to tens of third parties, and many of these requests contain your email address. This allows those third parties to track you across the web and connect your online activities to your email address, rather than just to a pseudonymous cookie.

How it works. Email tracking is possible because modern graphical email clients allow rendering a subset of HTML. JavaScript is invariably stripped, but embedded images and stylesheets are allowed. These are downloaded and rendered by the email client when the user views the email. Crucially, many email clients, and almost all web browsers (in the case of webmail), send third-party cookies with these requests. The email address is leaked by being encoded as a parameter into these third-party URLs.
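The leak described above can be checked for before an email is rendered. The following Python scanner is an added example, not code from this page or from the paper it quotes: it collects the remote images, stylesheets and CSS url() references an email client would fetch, skips the sender's own domain, and flags third-party hosts whose URLs embed the recipient's address in the clear, as base64, or as an MD5/SHA-1/SHA-256 hex digest (the common ways trackers encode it). The sample email, the first-party domain newsletter.example and the tracker hostnames are all constructed for the example.

```python
"""Flag third-party resources in an HTML email that carry the recipient's address.

Added example (not the page's or the paper's code). The sample message,
sender domain and tracker hosts below are constructed for illustration.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

CSS_URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)')


def email_encodings(address):
    """Forms in which a tracker typically embeds an address in a URL:
    plaintext, base64, and hex digests of the lowercased address."""
    addr = address.strip().lower().encode()
    return {
        "plain": addr.decode(),
        "base64": base64.b64encode(addr).decode(),
        "md5": hashlib.md5(addr).hexdigest(),
        "sha1": hashlib.sha1(addr).hexdigest(),
        "sha256": hashlib.sha256(addr).hexdigest(),
    }


class RemoteResourceCollector(HTMLParser):
    """Collect URLs of <img src>, <link rel=stylesheet href> and CSS url()."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # html.parser delivers <style> content through handle_data
        if self._in_style:
            self.urls.extend(CSS_URL_RE.findall(data))


def find_leaks(html, recipient, first_party_domain):
    """Return (host, encoding) for every third-party URL that embeds the
    recipient's address in one of the encodings from email_encodings()."""
    collector = RemoteResourceCollector()
    collector.feed(html)
    forms = email_encodings(recipient)
    leaks = []
    for url in collector.urls:
        host = urlsplit(url).hostname or ""
        if host == first_party_domain or host.endswith("." + first_party_domain):
            continue  # the sender already knows the address; only third parties matter
        decoded = unquote(url)  # undo %40 etc. before matching
        for name, needle in forms.items():
            # base64 is case-sensitive; plaintext and hex digests are compared case-insensitively
            haystack = decoded if name == "base64" else decoded.lower()
            if needle in haystack:
                leaks.append((host, name))
                break
    return leaks


# Constructed sample: one first-party image, one third-party pixel with the
# address in the clear, one stylesheet keyed by its MD5, and a CSS url()
# carrying it base64-encoded. Digests are computed so the sample is exact.
RECIPIENT = "alice@example.com"
_f = email_encodings(RECIPIENT)
SAMPLE_EMAIL = f"""
<html><body>
<img src="https://img.newsletter.example/logo.png">
<img src="https://t.tracker-one.example/o.gif?u=alice%40example.com" width="1" height="1">
<link rel="stylesheet" href="https://cdn.tracker-two.example/s.css?id={_f['md5']}">
<style>body{{background:url("https://px.tracker-three.example/b.png?k={_f['base64']}")}}</style>
</body></html>
"""

if __name__ == "__main__":
    for host, enc in find_leaks(SAMPLE_EMAIL, RECIPIENT, "newsletter.example"):
        print(f"address leaked to {host} ({enc})")
```

Running the module reports three third-party hosts, one per encoding, and says nothing about img.newsletter.example. A mail gateway or client plug-in can apply the same check and either strip the offending resources or block remote loading for that message; hashed forms matter because a digest of the address is just as linkable across sites as the address itself.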

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Prominent companies who use the scripts include men’s retailer Bonobos.com, Walgreens.com, and the financial investment firm Fidelity.com. It’s also worth noting that the researchers' count of 482 might be a low estimate. It’s likely that the scripts don’t record every user that visits a site, the researchers told me, so when they were testing, they likely did not detect some scripts because they were not activated. You can see all the popular websites that utilize session replay scripts documented by the researchers here.

Russian Malicious Cyber Activity in US Presidential Election

Proof: Russian Cyberattack on US Election / Evidence Russia Hacked 2016 Presidential Election for Donald Trump: IPs, IP addresses, malware and other evidence that Russians tampered with the United States Presidential Election in 2016.

NSA Hack Set Loose on World

It appears that malware hacked from the NSA in April 2017 has been set loose on the world. The massive ransomware infection hit at least 99 countries.

Russia Hacked 500 Million Yahoo Accounts

The Department of Justice reports: The defendants used unauthorized access to Yahoo’s systems to steal information from about at least 500 million Yahoo accounts and then used some of that stolen information to obtain unauthorized access to the contents of accounts at Yahoo, Google and other webmail providers, including accounts of Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies.

Trump Security Breach

For months, the security community has known that both the DNC and GOP were hacked. The DNC hack was used to undermine Hillary. The GOP / Trump hacks were meant for blackmailing Trump. U.S. security agencies were aware of Donald Trump’s security breaches since at least June of 2016.

Russia Attempts to Hack Electric Grid

Malware associated with a Russian hacking operation, Grizzly Steppe, was found on a Burlington Electric computer. It appears as though Russia was trying to access the power grid; however, the infected computer was not connected to the network. “Vermonters and all Americans should be both alarmed and outraged that one of […]

Russia And Cybersecurity

Cozy Bear and Fancy Bear are two hacking organizations from Russia. Cozy Bear (classified as advanced persistent threat APT29) is believed to be associated with Russian intelligence. Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a cyber espionage group believed to be sponsored by the […]

"Russia is a full-scope cyber actor that poses a major threat to US government, military, diplomatic, commercial and critical infrastructure," the testimony said. It was written by James Clapper, the Director of National Intelligence, Marcel Lettre, Undersecretary of Defense for intelligence, and Admiral Michael Rogers, director of the National Security Agency.

Yahoo Hacked

Yahoo disclosed that 500 million user accounts had been hacked. In December 2016, Yahoo announced that an additional one billion accounts had been hacked. “What’s most troubling is that this occurred so long ago, in August 2013, and no one saw any indication of a breach occurring until law […]

U.S. Security-clearances Hacked

There were two major breaches of U.S. government databases holding personnel records and security-clearance files of at least 22.1 million people, including Social Security numbers and some fingerprints, of not only federal employees and contractors but their families and friends. U.S. officials have privately said the hacks were traced to the […]

More Cybersecurity Insights

FAQ

Q: Is it true that flashlight apps for your smartphone may contain malware?
A: It’s not just flashlight apps. Over 90% of freeware (free computer software for photos, converting YouTube videos, etc.) and free app downloads contain malware that is secretly added to your device. Besides stealing your data, they can corrupt files or worse. Quite often they use your connection and device to attack other people, making it look like you are the bad guy. Attacks on the White House, FBI, CIA and military bases (such as Andrews Air Force Base) have happened this way. As far as smartphone apps go, there are not that many legit apps. Apple is of particular concern because their developer's "tool kit" has been compromised. The result was that many legit app developers used the official Apple tool kit, but ended up incorporating malware. This is what happened with most of the flashlight apps. (1)

By the way, the apps developed for Facebook are often used to compromise your Facebook account and steal your identity, as well as attack all your friends. If Facebook doesn’t make the app, don’t use it. Examples of bogus apps include “What song was a hit on your birthday?”, “How loyal are you?”, “Who is stalking you?”, “Which season of the year are you?”, “3 reasons to love yourself!”, “Let’s make a drawing of you” and “Yourself as an oil painting”.

Q: How do I know if Facebook makes the app?
A: If Facebook makes the app, it is usually automatically integrated into the interface. Examples include when Facebook added more choices to the "like" button and the app they put in your feed about "1 year ago today". Those are Facebook apps. The ones that tell you about your loyalty, stalkers, hit record on your birthday, compare you to your friends, etc. are clickbait and should be avoided. Almost all of these apps abuse your friends. Some of them allow your account to do criminal activity, such as posting sunglasses or shoes for sale and tagging your friends without your knowledge. Some of them do even worse stuff, such as compromising your account and surreptitiously using it to do a host of bad activities.

Q: Are Android apps safer than Apple apps?
A: Most apps are not developed by Google, Microsoft or Apple. If someone is giving an app away, it is probably for ill purposes. Nevertheless, the advantage of Android is that it is built on Linux (open source code). This means anyone can see the source and/or fix the computer code. That is not the case with Apple or Microsoft. We suggest Android on your phones and Linux on your computers.

Q: My tech-savvy son says it is safe to download apps from Google. Is the Google app store safe?
A: It’s not Google; it is the open source community. Google doesn't own Android. Android is based on Linux (free open source software), and the Linux community is serious about security. We’ve been involved with Linux development since the 1990's. Apple and Microsoft are based on proprietary software, which is the opposite of the open source philosophy. In any event, none of us like Google for other reasons; however, their exploitation of Linux is better for mankind than Apple and Microsoft. Google Android apps are a better bet than other OS’s (operating systems) because they use Linux. That doesn't mean you should trust Google. Do not trust Google.

Q: What about GPS apps?
A: GPS apps are the most exploited function/app of a smartphone. Not only do private companies exploit the data, but bad guys and our government do, too. So my advice is what I did for my Dad. He suffers from dementia and tends to wander off. We got a Metro PCS smartphone and its sole use is for tracking my Dad with a GPS app. If you want a GPS, use a separate device.

An example of a GPS smartphone app scam recently happened in Chester County, PA. Bad guys hacked GPS apps and sent fraudulent email traffic tickets to unsuspecting motorists. (2)

References:
1) Apple's App Store infected with XcodeGhost malware in China after major security breach. China's "Great Firewall" may have been partly to blame for the first major attack on Apple Inc’s (AAPL.O) App Store, but experts also point the finger at lax security procedures of some big-name Chinese tech firms and how Apple itself supports developers in its second biggest market. A malicious program, dubbed XcodeGhost, hit hundreds – possibly thousands – of Apple iOS apps, including products from some of China’s most successful tech companies used by hundreds of millions of people. (Reuters)

2) Beware of This Crazy Speeding Ticket Scam; Philadelphia-area residents have been targeted, and the level of information the perpetrator has is downright scary. The Tredyffrin Police Department in Chester County announced the speeding ticket scam this week, explaining that three local residents reported receiving emails notifying them of speeding infractions. Tredyffrin doesn't have speed cameras, and the police say that they have nothing to do with these citation notices, but here's the thing: The residents were, in fact, speeding at the locations cited in the citations. How is this possible? Well, investigators suspect that a hacker has exploited a security flaw in some GPS-enabled smartphone apps. (Philly Magazine)

We spoke earlier of defense against spies. Then we looked at private email. We looked at Endpoint Security. Just for fun, we look at Bitcoin theft. Then cookies and the threats therefrom. Then we looked at more secure ways to talk. Now look at secure email.


The Membrane Domain

©The Philadelphia Spirit Experiment Publishing Company
These graphics, images, text copy, sights or sounds may not be used without expressed written consent.

Unsolicited commercial email may be a privacy and/or security violation under the Federal Trade Commission of the United States of America. SPAM should be forwarded to uce@ftc.gov.