
Protect yourselves, stay vigilant

Posted on Wednesday, 25 April, 2012

On Monday, I ran across a story on a local news station regarding a security breach of some DNS servers, how the FBI put a temporary safety net in place, and now how the servers will be shut down in July. This prompted a larger-scale informational campaign to help computer users determine if their own systems were ‘infected’ and are using the DNS servers which are slated to go offline (when that happens, if your system isn’t using good DNS servers, your internet connection will be gone).

I posted this article to Facebook with the intent of spreading the word and helping people check their own systems to be sure we are all using good DNS servers. But as I went through my personal validation process to be sure that the information I am passing on is genuine, I realized there’s a lot of stuff I just do and never really explain how/why. So in the spirit of knowledge sharing, here are some tips to help you stay safe on the internet, avoid malware, and do more to protect your own privacy:

First and foremost: Lock down your privacy settings anywhere you may have an account so you can identify with whom you are sharing information. Take some time whenever you create new accounts to research and set privacy controls before doing anything else on a website.

Here’s a great write-up which explains some of the Facebook behaviours which may affect privacy, and what you can do to control it to some extent: http://www.hanselman.com/blog/FacebooksPrivacySettingsAreTooComplexForANYONEToUseChangeTheseSettingsToday.aspx

Think you’re safe if you only touch Facebook settings? Think again. Google tracks a plethora of information too. You can stop Google from tracking your history (which is tied to your Google account) and opt out of the Google ads with these three links:

  • https://www.google.com/history
    “Pause” will stop the tracking of your Google web history (searches and which links you followed from the results), while “Remove” will clear out the selected history.
  • https://www.google.com/settings/ads/
    After opting out, you’ll still see ads, but Google won’t use your personal information to target those ads specifically to you. Be sure to opt out for both Search/Gmail and ads on the web.

 

Now that I’ve touched on the two ‘biggies’, let’s focus in a bit more generally with some catch-all solutions:

I’ve personally had success with all three of these, though your mileage may vary depending on your preferences and system setup.

 

But you know what? Tools and settings aren’t enough. Sometimes it all comes down to what I called “wetware” when I was working for a content filtering company: your brain. Tools and options just don’t protect us from ourselves, which is why we need to be able to think critically and be ever vigilant (bordering on paranoid) as we surf the web.

Did a Facebook friend just read a really provocative looking article? Are you sure they did? Is that the kind of article you think your friend would spend time reading and “Like” on Facebook? Do yourself a favour and don’t click the link; it’s likely a phishing attempt to get you to allow an application access to your Facebook profile and post on your behalf. Your friend is likely the latest in a long line of victims.

Before clicking a link, stop and hover over it. If it goes to a known server and is relatively ‘clean’ of characters like ? or & and doesn’t end in an active file extension (like .pl, .js, .exe, etcetera) it is most likely a good link. But you need to be careful of embedded links which point somewhere other than the link text, as well as shortened links which don’t expand to show the full URL.
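The hover checks described above, written out as an added example (not code from the original post): a hypothetical `triageLink` function that takes a link's visible text and its real target and returns the warning signs the paragraph lists. The trusted-host and shortener lists are constructed samples you would replace with your own.

```javascript
// Added example: triageLink and the lists below are hypothetical, not from the post.
const TRUSTED_HOSTS = new Set(["www.fbi.gov", "www.google.com"]); // assumption: servers you already know
const SHORTENERS = new Set(["bit.ly", "t.co", "goo.gl", "tinyurl.com"]); // sample shortener hosts
const ACTIVE_EXTENSIONS = [".pl", ".js", ".exe"]; // the extensions the post names

function triageLink(linkText, href) {
  let url;
  try {
    url = new URL(href); // the real target, i.e. what hovering reveals
  } catch {
    return ["unparseable-url"];
  }
  const flags = [];
  const host = url.hostname.toLowerCase();

  // "goes to a known server"
  if (!TRUSTED_HOSTS.has(host)) flags.push("unknown-server");

  // shortened links hide the full URL until they are expanded
  if (SHORTENERS.has(host)) flags.push("shortened-link");

  // "relatively clean of characters like ? or &"
  if (/[?&]/.test(href)) flags.push("query-characters");

  // "doesn't end in an active file extension"
  const path = url.pathname.toLowerCase();
  if (ACTIVE_EXTENSIONS.some((ext) => path.endsWith(ext))) {
    flags.push("active-extension");
  }

  // embedded link: the visible text names one server, the target is another
  const shown = linkText
    .trim()
    .match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#:]|$)/i);
  if (shown && shown[1].toLowerCase() !== host) {
    flags.push("text-href-mismatch");
  }
  return flags;
}
```

An empty result only means none of these checks fired; it does not replace trusting the source that posted the link.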

Which gets me closer to the point: don’t trust links. Unless you absolutely trust the source posting the link, and the server for the link itself, don’t click it; just run a quick search instead and find the info outside of Facebook (here’s a GREAT Oatmeal cartoon which explains this without raising the spectre of malware as the reason for searching).

 

Let’s take the above article about the FBI and DNS servers as an example:

I originally saw the story posted by KPTV News on Facebook. Since I trust this account, and the story/link was consistent with other news they post, I clicked the link into the story. From there, however, I stopped trusting. Specifically, the story describes an FBI business partner in this case, and links to their site to ‘check’ your system to see if you are using the wrong DNS servers.

At this point small alarm bells start ringing in my head, but I head over to http://www.dcwg.org/ to check it out. Alarm bells are ringing even more since this site asks you to click a button to run a check, something you should never do unless you trust the source completely. Plus, I am a bit more dubious as the site runs WordPress as the engine. I should note here that while I adore WordPress as a platform, the fact that dcwg.org uses it made me immediately skeptical about the authenticity since anyone can build a WordPress site like that. Heck, I run 5 of my own WP installations, including this one; I KNOW anyone can do it!

That all said, I’ll give credit to dcwg.org for acknowledging the need for trust and helping people validate the authenticity as well by pointing to FBI.gov hosted materials.

Rather than using the automated link in the original article (which was down due to heavy traffic anyway, but also because you should never trust sites that ‘fix’ your computer without doing your research), I used the following PDF from FBI.gov which outlines exactly how to check your system for this issue: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

Since I trust the fbi.gov servers and PDF files to not auto-run malware on my system, I knew I’d be able to validate the issue by virtue of understanding the solution through text. I can happily say that I was indeed able to validate the authenticity of the problem, solution, and third-party business partner as trustworthy, but only after doing a little research beforehand. (Now, you should all review the PDF file as well to understand how to correct your system, or at the very least, what the dcwg.org “fix” button will do to your system to correct the problem.)

While the above turned out to be a perfectly safe example, it really is the perfect scenario to explain how and why you need to check before you click, as similar tactics are exactly what caused people to click buttons and modify their DNS server settings in the first place.

Want to take privacy and protection to an even greater level? Check out the fine folks over at https://priv.ly/

This is a new tool being designed and developed by Oregon State scientists working on changing the paradigm of content sharing. Priv.ly is intended to take control away from the content hosts like Facebook and Twitter and put that control right back to the user, where it belongs. This works to remove companies’ rights to control and sell your data, putting your data privacy in your hands. If you are concerned with privacy you need to check these people out.

Stay vigilant, my friends. Protect yourself. No one else will.