Archive for January, 2013

A good reason to stop using Internet Explorer …

Posted: January 22, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Privacy, Uncategorized
Tags: , , , ,

A new vulnerability reported at bugtraq on December 11, 2012, has just come to my notice.  The compromise occurs if you visit a website displaying an ad containing the exploit, even so-called safe sites like YouTube or the New York Times. If you have any version of Internet Explorer open on a compromised website–even if the page is minimized or you’re not on the page–your mouse cursor movements can be tracked.

Microsoft’s position as stated in this article http://www.securityweek.com/microsoft-ie-mouse-tracking-exploit-poses-little-risk is that this vulnerability would be very difficult to exploit.

There is a demo of this issue in Internet Explorer at http://iedataleak.spider.io/demo. All I could see displayed was when the CTRL, SHIFT, or ALT keys were pressed; no other keys displayed. I could, however, tell when the browser window was dragged to my other screen. Note: Spider.io has a demo game set up. In order to play the game, they want you to log in with your Twitter account. I do not recommend signing into any site with credentials from Facebook, Twitter, LinkedIn, or any other social media site.

As stated in the article, the demo does not work if the URL is entered into a Firefox web browser.

My suggestion is to only use Internet Explorer if necessary, and to close any browser–IE, Firefox, Chrome, whatever–when you are done using it, especially if it has ads on it.

FTC Investigates Data Brokers … What’s a Data Broker?

Posted: January 16, 2013 by IntentionalPrivacy in Privacy, Security or Privacy Initiatives
Tags: ,

A data broker is someone who collects information on people. Exactly where does a data broker get that information and what do they with the information once they have it? The easy answer is they get this information from a variety of sources— both public and nonpublic—and resell it to other companies.

The FTC is requiring nine data brokerage companies to explain how they get this information and what they do with it. The nine companies that the FTC is requiring answers from are:

  1.  Acxiom,
  2.  Corelogic,
  3.  Datalogix,
  4.  eBureau,
  5.  ID Analytics,
  6.  Intelius,
  7.  Peekyou,
  8.  Rapleaf, and
  9.  Recorded Future

In the US, information that is collected and used for credit, employment, insurance, or housing is protected by the Fair Credit Reporting Act (also known as FCRA). Medical information is protected by  the Health Information Portability and accountability Act (HIPAA). There are no laws that govern the privacy of other types of data that can be gleaned from public records and purchased from other companies. The FTC states that the collected information is used to benefit consumers in many ways, such as fraud protection, and that this collected information also enables companies to better market their products and services.

But what about privacy?

The FTC wants data brokers to give consumers more transparency, in other words:

  1. What information do data brokers collect?
  2. Where do data brokers collect it from?
  3. Who has access to the information collected? Where is the information stored and how is it protected?
  4. How can consumers see what information has been collected on themselves?
  5. If the information the data broker has collected is incorrect, how does a consumer fix it?
  6. Can consumers opt out of having their personal information sold by a data broker?
  7. What tools exist to help consumers?

You can find more information about this topic at the FTC website: http://ftc.gov/opa/2012/12/databrokers.shtm

In March, 2012, the FTC published a guide for businesses and policymakers entitled “Protecting Consumer Privacy in an Era of Rapid Change.” To access this guide, click this link: http://ftc.gov/os/2012/03/120326privacyreport.pdf

Don’t let Java run rampant in your browser!

Posted: January 14, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Privacy, Uncategorized
Tags: , , , , ,

Oracle, maker of Java, does not have a good track record for fixing holes in Java. A new Java security hole that apparently targets Java 7 (however, some researchers think it also apparently targets  some versions of Java 6) was discovered recently. What options do you have for fixing the problem?

  1. The safest thing to do is to uninstall Java from your computer. If that’s too extreme, then uninstall Java plugins. KrebsOnSecurity has an article listing how to disable Java in Firefox, Internet Explorer, and Google Chrome, which you can access here https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
  2. If you need to use Java for some sites, then the safest thing to do is to use two browsers and disable the Java plugin for the browser you use most often. For example, disable Java in Firefox and use Internet Explorer for the sites that absolutely must use Java. If you decide on this solution, make sure you keep Java up to date.
  3. Another viable option is to use Firefox with the NoScript plugin, available at http://noscript.net/getit. NoScript allows you to choose when to allow JavaScript to run. NoScript can also block Flash Player, which is another problematic plugin.
  4. If you have a PC, make sure you run Secunia’s Personal Software Inspector available here http://secunia.com/products/consumer/psi/ at least weekly to keep up with any updates available for all of your programs.

This vulnerability affects Macs as well as PCs. Only visiting “safe” sites will not help you avoid this issue.

Oracle released an update to fix this issue last night.

Don’t wait! Save your computer, save your information.