It’s only an option if you know you have a choice

I have backlogs everywhere and am probably the worst person in the world at keeping up with my social networking updates. If people only knew about my life through my sporadic social updates, they’d think I was still “Having a good time at Steak and Ale, about to go see this new Gladiator movie.”

In one of my few and far between surfacings for air, I saw some important offerings in the blogging world addressing privacy and security issues of our currently beloved social tools, Twitter and LinkedIn.

Graham Cluley published a blog post this morning about Twitter’s efforts to begin default HTTPS usage, starting with a small percentage of users. The option to choose an HTTPS connection, however, is available to all Twitter users, and can be enabled through the settings page (at the bottom).

HTTPS encrypts your normal HTTP traffic across the network, protecting the data being exchanged and the identification of the exchanging parties. This was publicly popularized for banking and purchasing transactions but is making its way into other facets of the internet.

It’s always a smart move to choose HTTPS for your connections into social networking sites. No matter who you are or what sort of details you share with others, every user should be concerned about their privacy and about keeping control of their own accounts. For those who like to connect to public wi-fi spots, this is especially important, as open wi-fi leaves you vulnerable to eavesdropping by others.

Facebook offers HTTPS as well, so search out this setting and enable it if it isn’t already enabled. HTTPS is of course important to your security, but there are plenty more settings on Facebook and elsewhere that may be of concern to you regarding usage of your private data.

Rik Ferguson recently blogged about LinkedIn settings dealing with social advertising, which would use your own personal information in some of the ads put out across the LinkedIn site. This would include your name and profile photo integrated right into the advertisement, giving the appearance that you personally endorse a product or service. I already have a big enough issue with buying shirts smeared with the name of the department store. Where’s my discount for free advertising? They should pay ME to wear these shirts.

To disable these advertising options on LinkedIn, go to your settings page and click on “account” in the bottom left. Rik walks you through it on his blog here.

Spend some time today, and periodically (new defaults pop up all the time), digging through your social networking settings and opting out of what you don’t want. Pay attention to what you’re agreeing to when you sign up for a new service. Your safety and privacy could be at risk. And stop buying T-shirts with the store name on them. That’s just wrong.

Matt Sully

Defcon 19 Cell Hack

Hackers from around the globe recently met in Vegas for the 19th Defcon hacking conference. This is a huge event for those interested in security and, more importantly, in the holes in current security products and tactics, as well as next generation vulnerabilities. So naturally, one might be wary of freely using their laptop or smartphone around so many hacking enthusiasts. Throwing caution to the digital wind, however, perhaps through arrogance, confidence, or disregard, people still actively connected, but mostly through their cell phones instead of their laptops.

Though little is confirmed about a legitimate hack, while at the conference people were expressing concern over strange occurrences on their phones, including degraded signal and well-timed multiple suggested software updates. Degraded service where thousands of 4G users are bombarding towers all at the same time may be reasonably expected. According to a post on seclists.org, however, a “weapon” may have been used to gain access to thousands of what should have been suspecting cell phone users’ phones and computers at Defcon.

In the seclists.org post by coderman, he says the attack was designed for mass exploitation, reconnaissance, [data] exfiltration, and eavesdropping, using a variety of exploits and techniques across CDMA and 4G connections.

He offers in the same post symptoms or actions that may indicate a victim of the Defcon cell attack. Some of the symptoms are vague and include an Android crash or charging troubles, which could be caused by normal issues. Other symptoms, which may still be benign, include full signal but poor bandwidth, or slow download speeds but fast upload speeds. Most concerning, though possibly excluding phones, he mentions the presence of an ssh process that can’t be killed.

Fake charging stations, believed to be a delivery method for the malware mentioned here, were sprinkled throughout the area. Many were wise enough to spot and avoid them. Plugging in anywhere while at Defcon was generally recognized as a bad idea, though apparently not recognized enough.

I am disappointed by the lack of paranoia/caution displayed by the people who attended this event. They should know better than to trust leaving anything open to compromise when going to a conference like this, from their wallets to their cell phones. Attendees were even advised by staff not to use the available wifi. Even hackers are victims from time to time.