Tag: Web security

Celebrity gossip sites–attractive to malware distributors

Articles

Who Weekly celebrity-gossip-magazine Web site

Be sure you stick with trusted news sites when you are after celebrity gossip

The most dangerous celebrities to look up on Google | BGR.com

Searching for celebrity news on Google can be dangerous for your computer | Panda Security

Malware parasites feed on PerezHilton.com gossip fans | BBC News

My Comments

An issue that has been raised is that searching for the latest news and gossip about a celebrity can be risky for your computer’s security. Panda Security even described it as a risk to a business’s computer systems because office workers would do it during slow times in their workday. Yet this activity is still today’s equivalent of looking through the gossip magazines at the supermarket checkout or in the doctor’s waiting room.

This is because the Internet has made it easier to put up “fly-by-night” gossip Websites that are laden with malware, and to have them advertised.

Online ad - to be respected like advertising in printed media

Ads on sites like here need to be secure to obtain the same respect as magazine ads

It is also because of a weakness that exists in the online advertising marketplace: ad networks and publishers don’t subject the advertising that comes to these networks to thorough scrutiny from a safety perspective. This allows online advertising to become a breeding ground for malware, with practices such as “malvertising” where scripted ads are used to “push” malware on to users’ systems. This is a topic I have raised because I want to see the rise of a quality online ad marketplace that has the same level of respect as the advertising seen in traditional print media.

A similar situation happens whenever a new album or movie featuring a popular entertainer is released, because sites and torrent files pop up claiming to offer the material for free. To the same extent, this could include offers of “exclusive” photo, audio and video material relating to the content or its performers for free. The same thing can also happen with surveillance, personal-album or similar material that features celebrities in compromising situations and ends up being “leaked” to the public arena. Again, these sites and the torrent “file-of-files” available to download would be a minefield of malware files if you aren’t careful.

The situation becomes worse during the time surrounding entertainment-industry awards events, the release of new headline content featuring the celebrities, or whenever there are major personal events affecting these people such as new relationships or relationship breakups. The articles cited found that people involved with the Hollywood entertainment scene are more likely to be targeted with fly-by-night malware sites, malvertising attempts and similar skulduggery, but I would also place the British Royal Family and past and present popular Presidents of the United States at risk of this treatment.

What can you do?

  • Make sure your regular or mobile computing device is running the latest version of the operating system and you are using the latest version of the Web browser(s) and other software that you surf the Web with. It may also be a good practice to run an up-to-date version of a desktop / endpoint security program which can scan for flaky links and files.
  • Most importantly, think before you click! When you are searching for information about a particular show, recording or star, get it “from the horse’s mouth” – go to the publisher’s or broadcaster’s site that relates to what you are after. Also visit the online presence of the mastheads that you know and trust when you are after celebrity or entertainment-industry news. Examples of these would be the magazines available at the supermarket checkout.
  • But be careful about anyone offering links to resources that seem too good to be true, especially where words like “free” and “exclusive” are bandied around. These sites are the ones that are the malware traps.
  • You may find that tools like search engines or browser plugins that verify Websites’ reputation are of assistance when it comes to staying away from flaky Websites.
  • As for online advertising on sites that are suddenly popular, be careful about following through on these links, and make sure you are using desktop security software to protect your computer against malware.

Conclusion

You can engage in the digital equivalent of browsing the gossip mags safely as long as you are sure of the resources that you are heading towards and don’t fall for the bait.

Make sure you properly log off Web services when you are finished with a shared computer

Log out properly of GMail by clicking "Sign Out"

A common situation that affects most home users is the existence of a desktop, laptop or tablet computer used by many people of the household. This computer may not just be used by members of the household but also by the household’s guests. I was in fact talking about this with someone who had come in from overseas and was using a commonly-used iPad to work a few Web-based services like his GMail and Facebook accounts. Here, he and I were underscoring the need to properly log out of these services when done with them, as well as clearing the Web-browser history on these devices.

Log out properly of Facebook by clicking "Log Out" in Settings

But as one operates their Web-based email, social-networking and other services using these computers, it can be easy to leave a session of these services going especially if you are called away for some reason. This could lead to other members of the household snooping around your account or doing something on that account in your name like playing a practical joke.

A wise practice with these computers is to make sure you log off your Web-based services as soon as you have finished with these services and before you leave the computer. To do this properly, you have to click or tap the “logout” or “sign out” button on the Web-based service’s user interface, which causes the service to log you out as far as it is concerned while cleaning up any cookies and other data held on your machine relating to that session.
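To show what a proper sign-out does that simply walking away from the tab does not, here is an added example (not from the original post) modelling a Web service’s server-side session table in Python; the idle-timeout value, function names and cookie attributes are assumptions for illustration.

```python
# Added illustration, not the original post's code: a minimal server-side
# session table. Closing the tab or walking away tells the server nothing,
# so the session stays valid for the next person at the shared computer;
# a proper "Sign out" invalidates it server-side and clears the cookie.
import secrets
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60  # seconds; assumed policy, real services often use far longer
_sessions: Dict[str, dict] = {}  # session token -> {"user": ..., "last_seen": ...}


def login(user: str, now: float) -> str:
    """Create a session and return the opaque cookie value the browser will keep."""
    token = secrets.token_urlsafe(32)  # unguessable; this is what the cookie carries
    _sessions[token] = {"user": user, "last_seen": now}
    return token


def whoami(cookie: Optional[str], now: float) -> Optional[str]:
    """Resolve a request's session cookie to a user, or None if no valid session exists."""
    sess = _sessions.get(cookie)
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        del _sessions[cookie]  # expired server-side: treat as logged out
        return None
    sess["last_seen"] = now  # activity extends the session
    return sess["user"]


def close_browser_tab(cookie: str) -> str:
    """Simulate the user just leaving: no request reaches the server, nothing changes."""
    return cookie  # token still valid on the server and still stored in the browser profile


def logout(cookie: str) -> Dict[str, str]:
    """Proper sign-out: forget the session server-side and tell the browser to drop the cookie."""
    _sessions.pop(cookie, None)
    return {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure; SameSite=Lax"}
```

The idle timeout is the only other thing that ends an abandoned session, which is why the author’s advice to sign out before leaving the computer matters.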

Familiarise yourself with the option to remove your Web-browsing history on your browser

Similarly, clearing your Web browser’s history, especially when you have finished using these commonly-used computers, is also a wise practice. This avoids other users “tracking back” into previous sessions for Web-based services, or having people snoop on what previous users have been browsing the Web for. The latter situation could either cause some nasty gossip to float around or, at worst, put the user in danger.

Use of multiple logins

Some operating systems like Windows and Android 4.2+ tablet implementations allow for the creation of separate accounts on that system so that each user can have their own operating environment. This is beneficial because you can avoid the situation where someone can “snoop” around your Web history, or around someone’s Web email or social-network session that hasn’t been logged off properly.

Here, you could use one login as a “common-user” login while creating separate logins for the computer’s regular users. The regular users then use their own logins when they use the computer so they don’t have to worry about this kind of issue. Similarly, the separate logins can be personalised with wallpapers, “favourite Website lists”, customised colour schemes and the like as well as supporting application-level links to various social-network and other sites.

Windows 8 and 8.1 also implement a login setup which can be ported and synced across multiple computers thus allowing you to carry your computing environment between, say, a desktop and a laptop or to operate your computing environment on both your personally-used machine and a commonly-used machine.

Here, it is still good practice to log off these accounts, or lock them, when you have finished at the computer so you can keep them private and less at risk of being meddled with.

Once you get into the habit of logging off Web-service or user accounts on commonly-used computers and clearing Web history lists on these computers, you can avoid placing yourself in a vulnerable position with your Internet use.

Facebook uses the trusted-person concept to help you get back to your account

Articles

Locked Out Of Your Facebook Account? Trusted Contacts Will Save You | Gizmodo Australia

Facebook puts account security in the hands of your friends |CNet

My Comments

Commonly, most of us leave a set of keys for our home with someone else that we trust, like a close friend or neighbour. This is to allow us to get back into our home if we lock ourselves out, which can easily be done if you can lock that front door without needing a key, typically by flicking a thumbturn or pressing a button.

Facebook has taken this practice into their account-security procedures by allowing us to work with “trusted persons” to gain access to our accounts. Here, you let Facebook know the contact details of three to five trusted people and, if a lockout occurs, Facebook sends codes to these people and you contact them, preferably via phone or SMS, for these codes. This can come in handy for older people who forget their Facebook credentials, or if someone’s account was hacked and the password changed.
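One way to build a recovery scheme of this shape, as an added illustration that is not Facebook’s own implementation (the articles do not describe its internals): split a recovery code into one share per trusted contact using Shamir secret sharing, so that any three of five contacts can reassemble it while fewer learn nothing. The function names, the five-contact / three-code split and the prime field are assumptions.

```python
# Added illustration, not Facebook's code: threshold "trusted contacts" recovery
# modelled with Shamir secret sharing over a prime field. Each contact holds one
# share; any `quorum` shares reconstruct the recovery code, fewer reveal nothing.
import secrets
from typing import List, Tuple

PRIME = 2**127 - 1  # Mersenne prime; all share arithmetic is done mod PRIME

Share = Tuple[int, int]  # (contact index x, share value y)


def split_code(code: int, contacts: int = 5, quorum: int = 3) -> List[Share]:
    """Split an integer recovery code into `contacts` shares; any `quorum` rebuild it."""
    if not (0 <= code < PRIME and 1 <= quorum <= contacts):
        raise ValueError("code out of range or bad quorum")
    # Random polynomial of degree quorum-1 whose constant term is the code.
    coeffs = [code] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    shares = []
    for x in range(1, contacts + 1):  # x = 0 is never handed out: it would be the code itself
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_code(shares: List[Share]) -> int:
    """Lagrange-interpolate the shares at x = 0 to recover the constant term (the code)."""
    code = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        code = (code + yi * num * pow(den, -1, PRIME)) % PRIME
    return code
```

With fewer than three shares the interpolation returns an unrelated value, which is the property that makes the "codes held by several friends" arrangement safe against any one contact.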

Facebook is in a position to do this not just because it is a highly-popular social network but also because users use their Facebook credentials to sign in to a large number of consumer-oriented Websites and mobile apps. I wouldn’t put it past Microsoft or Google to implement this in their account systems, especially with Microsoft using Web-hosted credentials as the key to our Windows 8 computers.

Password-vault software can work well but needs to go further

As I was reviewing the Fujitsu Lifebook SH771 business ultraportable computer recently, I had a chance to use the Fujitsu-supplied Softex Omnipass password vault that came with this computer. It worked with the Fujitsu laptop’s fingerprint reader to permit a “login-with-fingerprint” experience for the sites I regularly visit. For example, I was logging in to Facebook, this site’s admin panel, LinkedIn, the ProBlogger forum and the like simply by swiping my finger across that laptop’s fingerprint sensor.

What is a password-vault program

A password-vault program stores the passwords you need for various applications and online services in an encrypted local file, which I would describe as a “keyring file”, and inserts the correct usernames and passwords into the login forms for the applications and Web sites. You can only get to this password list if you log in using a master password or similar credentials.

This works well with a security-preferred arrangement where you create separate passwords for each online service that you use and avoid using the single-sign-on options of the kind that Facebook and Google offer with other sites. Some of these programs work with varying authentication setups such as a fingerprint reader or a smart card. They can even support two-factor authentication arrangements, such as using your fingerprint or a Trusted Platform Module token as well as keying in your master password, for a high-security operating environment.

Some of these programs also have a password-generation module so that you can insert a random high-security password string into the “New Password” and “Confirm New Password” fields of a password-change form.

The login experience with these programs

When a password-vault program is running, it works with the browser or some applications to detect login screens. Then, you can set them to capture your user credentials from the login screen, typically by invoking a “Remember Password” function.

Then, when you subsequently log in to the Website, you authenticate yourself to the password vault with your Master Password, fingerprint or whatever you set up and the program logs you in to that site with the correct username and password for that site. Some programs may require you to authenticate when you log in to the computer or start the Web browser and persist the authentication while you are browsing the Web.

The behaviour of these programs can be very inconsistent when capturing or supplying passwords. For example, this can happen with single-sign-on user experiences, admin-level / user-level setups, or some newspaper paywalls that show the extra information after you log in. The same situation can occur with applications that the password-vault program doesn’t understand, like some content-creation tools that allow uploading of content to a Website.

When can they be handy

The password-vault program can be handy if you maintain many different passwords for many different applications and Web sites; and you want to log in to them without trying to recall different passwords for different sites.

They also come into their own if you are using a computer setup that has advanced authentication features, like most business laptops, and you want to exploit these features.

What needs to be done

An improved user experience for these programs could be provided in a few ways. For example, there could be a standard “hook” interface that allows a password vault to link with the login experience, rather than it having to look for “username-password” forms when catching or supplying user credentials. This can deal with the way paywall setups expose the full article on the same screen after you log in, or with other difficult login environments. Similarly, the standard API could also work with desktop applications that require the user credentials.

Similarly, there could be support for a standard file format and a public-key / private-key encryption setup to allow a “keyring” file to be used with different password-vault programs. This could also cater for transporting authentication parameters between two different programs, and could allow the “keyring” to be used on different computers. This matters even more if you offload the “keyring” file to a USB memory key that is on the same physical keyring as your house keys, for example.

Conclusion

I would like to see further innovation occurring with “password-vault” programs, whether as third-party software or as part of an operating system, browser or desktop-security program. This is to encourage us to keep our computing and online experience very secure as it should be.