Friday 9 July 2010

Moving Home

Right, after months of inactivity and struggle with Blogger, I have moved myself to Wordpress:
http://stephanfreeman.wordpress.com

I've had all sorts of problems here and have decided that I'll be more able to update my blog from there.

Hope to see you soon!

Wednesday 13 January 2010

Webmail insecurity

There are reports today that Google is considering quitting China after many Gmail accounts belonging to human rights activists, both inside and outside China, were hacked, apparently by the Chinese government. This poses an interesting question: how many people using Gmail, or any other free, web-based mail system, are sending and receiving information that they consider confidential, with little or no idea whether their accounts are secure?

You get what you pay for
It’s true: if you don’t pay for a service, why should you have any expectation that the provider is under any obligation to you? If you look at Microsoft’s “Terms of Service” for Hotmail, it clearly states that it provides no warranties for the service. In addition, the content may be stored pretty much anywhere in the world. So, how can people assess the risk of storing confidential information in these systems?

Auto forwarding mail
I have also come across people who automatically forward all of their work emails to an external Gmail or Hotmail account because they find it easier to use than the company-provided mail system. It might have more features, a prettier user interface, whatever... However, this could potentially create a serious headache for the company or organisation concerned. Authentication to web-based mail systems is usually weaker, employing simple password-reset routines where people can set their own questions (I saw one who had written, as his secret question, “What is Captain Kirk’s middle name?”. Not exactly the hardest thing to find out).
People routinely using webmail for very sensitive information, where the implications of disclosure include risks to people’s lives, should really reconsider whether using something like Gmail, Yahoo mail or Hotmail is a good idea in the first place.

There are a few solutions. Stick to your company’s mail system and consider using encryption, or try to use encrypted mail with webmail accounts. Encryption brings a whole new raft of issues I won’t go into here, but some companies already provide an integrated, but paid-for, service to do this, like Hushmail.

But never forward email out of a company automatically to an external source without checking with your IT department first – there may be many more serious implications than you might realise.
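One thing an IT department can do about the auto-forwarding problem is audit the forwarding rules on its own mail system and flag any that send mail to a domain the organisation does not control. The script below is an added example written for this page, not code from the post or from any mail vendor: the rule records are constructed sample data in a hypothetical (owner, action, target) export format, and the internal domains are placeholders. It also handles the look-alike case (a domain that merely ends in the company's name) that a naive suffix check gets wrong.

```python
"""Audit mailbox forwarding rules for targets outside the organisation.

Added example for the "Auto forwarding mail" post; it is not code from the
post or from any mail vendor. The rule records are constructed sample data in
a hypothetical (owner, action, target) export format; real mail systems expose
forwarding rules through their own admin tools, and mapping that export to
this shape is left to the reader.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

# Domains the organisation controls (constructed placeholders). Mail staying in
# these domains, or in a proper subdomain of one of them, counts as internal.
INTERNAL_DOMAINS: Set[str] = {"example.ac.uk", "example.org"}

# Rule actions that cause a copy of the message to leave the mailbox.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}

# Constructed sample rules: (mailbox owner, rule action, target address).
SAMPLE_RULES: List[Tuple[str, str, str]] = [
    ("alice@example.ac.uk", "forward", "alice.archive@mail.example.ac.uk"),  # internal subdomain
    ("bob@example.ac.uk", "forward", "Bob.Smith@gmail.com"),                 # external webmail
    ("carol@example.ac.uk", "redirect", "carol@fakeexample.ac.uk"),          # look-alike domain
    ("dave@example.ac.uk", "move", "Archive"),                               # not a forwarding action
    ("erin@example.ac.uk", "forward", "erin@EXAMPLE.ORG"),                   # internal, odd casing
    ("frank@example.ac.uk", "forward", "not-an-address"),                    # malformed target
]

ADDRESS_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass(frozen=True)
class Finding:
    owner: str
    action: str
    target: str
    reason: str


def target_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    match = ADDRESS_RE.match(address.strip())
    return match.group(1).lower() if match else None


def is_internal(domain: str, internal_domains: Set[str] = INTERNAL_DOMAINS) -> bool:
    """True if domain equals one of ours or is a proper subdomain of one of ours.

    A bare domain.endswith("example.ac.uk") would wrongly accept
    "fakeexample.ac.uk"; requiring the dot boundary avoids that.
    """
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(rules: Sequence[Tuple[str, str, str]],
                internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Finding]:
    """Return one Finding per rule that sends mail to an external or unparseable target."""
    findings: List[Finding] = []
    for owner, action, target in rules:
        if action not in FORWARDING_ACTIONS:
            continue  # filing, flagging, deleting etc. keep the mail inside the mailbox
        domain = target_domain(target)
        if domain is None:
            findings.append(Finding(owner, action, target, "unparseable forwarding target"))
        elif not is_internal(domain, internal_domains):
            findings.append(Finding(owner, action, target, "forwards to external domain " + domain))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.owner}: {f.action} -> {f.target} ({f.reason})")
```

On the sample data this reports bob (Gmail), carol (the look-alike domain) and frank (a target that is not an address at all); alice's subdomain and erin's oddly cased internal address are left alone. Unparseable targets are reported rather than ignored, since a rule nobody can read is exactly the one worth a second look.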

Tuesday 12 January 2010

Why patching is so important (even for Mac users)

All software has bugs. Some are never found. Some aren’t important. A few are dangerous. It is estimated that Windows XP had 40 million lines of code and Mac OS X 10.4 had about 80 million. It is sadly inevitable that some of these bugs will be exploitable by people who want to hijack your machine for their own reasons.

You might ask yourself “why?”. It’s a perfectly reasonable question. Most of us have far better things to do with our time than to try to get into other people’s computers. You might also suggest that you haven’t got anything worth stealing on your PC anyway, so even if someone did take the time to create an exploit, why bother?

There are a number of reasons for all of this, but it all boils down to one thing: money. The criminal economy on the Internet is huge. And increasing. These criminals don’t care who they target as they operate, mainly, on scale. They ensnare vast numbers of machines, unknown to their owners, to do their bidding through the use of botnets. Essentially, they use these huge networks of computers to attack company websites and to extort protection money from them. They are also used to send spam, break encryption codes and hide child pornography. As a sideline, they also harvest personal information from the machines they infect and often steal passwords to bank accounts.

So, what can you do about it?

Patch! In Windows, make sure automatic updates are enabled. In Mac OS X, check the Software Update link from the Apple menu (more information). But not just the operating system... If you’re using a PC, download the Secunia Personal Software Inspector. It’s free and shows you all of the programs installed on your PC and whether each one is insecure.
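The core of what a tool like Secunia PSI does is compare each installed program's version against the lowest version with no known unpatched bug. The script below is an added example written for this page, not code from that product or from the post: the inventory and the minimum-version table are constructed sample data with placeholder product names, not real advisories. It shows the one detail that trips people up when doing this by hand, namely that version strings must be compared as numbers, not as text.

```python
"""Compare an installed-software inventory against minimum patched versions.

Added example for the patching post: a toy version of the check that a tool
such as Secunia PSI performs, written for this page and not taken from that
product. The inventory and the minimum-version table are constructed sample
data with placeholder product names; they are not real advisories.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed table: product -> lowest version with no known unpatched bug.
MINIMUM_VERSIONS: Dict[str, str] = {
    "Example Reader": "9.3.0",
    "Example Browser": "3.5.7",
    "Example Runtime": "6.0.18",
}

# Constructed inventory as a scanner might collect it: (product, version string).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Example Reader", "9.1.2"),              # behind the minimum: needs patching
    ("Example Browser", "3.5.10"),            # newer than 3.5.7, though "3.5.10" < "3.5.7" as text
    ("Example Runtime", "6.0.18 build 7"),    # build suffix must not confuse the parser
    ("Example Media Player", "1.2"),          # no entry in the table
]

VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.4.11', 'v3.5' or '6.0.18 build 7' into a tuple of ints.

    Comparing the raw strings is a classic bug ('10.4.9' sorts after '10.4.11');
    integer tuples compare numerically. Raises ValueError on unparseable input.
    """
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum, treating missing trailing components as 0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_inventory(inventory: Sequence[Tuple[str, str]],
                    minimums: Dict[str, str] = MINIMUM_VERSIONS) -> Dict[str, str]:
    """Classify each product as 'ok', 'outdated' or 'unknown' (not in the table)."""
    status: Dict[str, str] = {}
    for product, version in inventory:
        if product not in minimums:
            status[product] = "unknown"  # no data is not the same as safe
        elif version_at_least(version, minimums[product]):
            status[product] = "ok"
        else:
            status[product] = "outdated"
    return status


if __name__ == "__main__":
    for product, state in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{state:8} {product}")
```

Products absent from the table are reported as "unknown" rather than silently passed, which is the honest answer when a scanner has no advisory data for something it found.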

Macs are vulnerable. Even Apple themselves recommend using anti-virus products on OS X. I personally have seen a number of Macs infected with botnet malware, and Apple have been slow, in the past, to update software that has known bugs in it.

Patching is no substitute for running an anti-virus scanner, but it is equally important. An AV scanner will often stop an exploit from working, but the vulnerable code is still there, so it’s best to remove it by patching. It’s worth bearing in mind that AV scanners will also stop a user from intentionally installing something on a machine if that something is infected.

LSE provides free anti-virus for home use to students and staff here. Other free and paid-for anti-virus products exist.

I’d be interested to know your experiences. Do you patch? Have you had problems in the past with malicious software? Send in your comments...