Moscow to Start Tracking Mobile Users in Metro System

This past Monday, Russian newspaper Izvestia reported that Moscow’s metro system will be implementing an elaborate mobile device tracking system that they say will help authorities recover stolen phones. Nope, not suspicious at all.

Image courtesy of whatleydude through Creative Commons

The system experts believe will be implemented is called a “stingray” or “IMSI catcher” and basically tricks phones into using a fake cell tower. The systems have a range of about five meters and will track SIM cards rather than actual devices. As mobile users pass the devices, the system will track SIM card’s mobile subscriber numbers (MSIs), figure out the target’s route, and then relay the data to the station manager.

In an interview with Ars Technica, Privacy International’s Eric King said:

Many surveillance technologies are created and deployed with legitimate aims in mind, however the deploying of IMSI catchers sniffing mobile phones en masse is neither proportionate nor necessary for the stated aims of identifying stolen phones.

Likewise the legal loophole they claim to be using to legitimize the practice—distinguishing between tracking a person from a SIM card—is nonsensical and unjustifiable. It's surprising it's being discussed so openly, given in many countries like the United Kingdom, they refuse to even acknowledge the existence of IMSI catchers, and any government use of the technology is strictly national security exempted.

Apparently, such a tracking system shouldn’t even be legal in Russia, but authorities are saying that because the system tracks SIM cards, which are technically owned by the service provider and not the mobile phone operator, the system is legal.

Experts have pointed out that for the system to be effective, multiple IMSI catchers would need to be deployed in each station, making the system financially ridiculous if its purpose truly is to track stolen phones.

Apache gives middle finger to Microsoft. Auto-disables Do-Not-Track

Server software company Apache has decided to take matters into their own hands in the ongoing battle involving Microsoft’s Do-Not-Track setting on Internet Explorer 10.

A new patch will be added to all Apache server software that ignores browser Do-Not-Track requests if the requesting browser is Internet Explorer. Since Apache is the most popular software on servers hosting websites, this has pretty serious implications.

If you haven’t been keeping up, Microsoft announced several months ago that Internet Explorer 10 will have the “Do-Not-Track” setting checked by default. In most browsers, ad companies place cookies that allow them to track your habits and clicks as you bounce around the Internet. This tracking is great for advertising because it allows companies to sell very targeted ad space at a premium. The tracking is bad for people because it’s creepy.

This is Roy. He loves
tracking software.

Roy Fielding, the scientist who created the patch, wrote this on the topic: 

The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization. 

Microsoft deliberately violates the standard. They made a big deal about announcing that very fact. Microsoft are members of the Tracking Protection working group and are fully informed of these facts. They are fully capable of requesting a change to the standard, but have chosen not to do so. The decision to set DNT by default in IE10 has nothing to do with the user's privacy. Microsoft knows full well that the false signal will be ignored, and thus prevent their own users from having an effective option for DNT even if their users want one. You can figure out why they want that. If you have a problem with it, choose a better browser.[github.com]

So, Fielding argues that for the DNT request to be valid, it must be implemented by a human being, not turned on by default in a browser. Ok, fine, weird perspective, but whatever. But the problem with this patch is that even if a user would very consciously like to turn on DNT, if that user is on Internet Explorer, his request will be ignored.

We suggest stopping all tracking software with a VPN like SumRando.

Five reasons you should be using a VPN like SumRando

So, yesterday, I got chatting with an acquaintance from Hong Kong about SumRando and VPNs. After a bit of talk about “The Great Firewall of China” and explaining how VPNs work and why SumRando’s so great, he blurted out, “Oh! I use a VPN to watch the BBC's streaming content!”

How cool is that?

In fairness, it's not unusual to hear conversations about online security these days. But somehow, a lot of people still say something along the lines of, “What do I care if companies know my information?” or “I don’t have any information worth stealing, so I don’t need tight security.”

Oh realllllly?

Do you have a bank account? Oh, you do?

Do you have private information in your email that you might not want the world to see? Yes?

I think you’re getting the picture.

The fact is everyone would be better off using the secure connection achieved with a VPN. But, in case you’re not convinced, here are several reasons you should be using a VPN like SumRando.

1.     Security: Not just “I turned on my virus program thing so I should be ok” security. We’re talking Fort Freaking Knox security. Working over that open Wi-Fi network at the coffee shop? No problem. VPNs like SumRando create a tunnel of encryption around all of your activity so anyone trying to monitor you gets absolutely nothing!

 2.     No more creepy/annoying ad tracking: Ever shop for something on Amazon and subsequently see ads for it popping up on every other site you go to? This isn’t just annoying (because you already bought the thing on Amazon), it’s a violation of your privacy. Stop tracking software in its tracks (literally) with a VPN. All the trackers will see is the IP address of your VPN service.  

Let's all agree that this company
sucks.

3.     Access to the unabridged internet: Want to visit Hulu.com in Kenya? Too bad. Facebook in China? Tough cookies. But sure enough, a VPN will let me catch the latest episode of Jersey Shore while updating my news feed from anywhere in the world. This works because awesome VPNs like SumRando have servers all over the place, and you get to pick the one you connect to. So while I’m sitting at a café in Cairo, the sites I’m visiting think I’m from New York.

4.     Your ISP won’t stalk you: Did you know your internet service provider keeps logs of everything you do online? Seriously. Everything. As far as I’m concerned, the number of times I visit catsdoingsillythings.com per day is nobody’s business but mine.

 5.     It’s absurdly easy: Logging on and using a VPN is literally easier than locking the door when you leave your house, so there’s absolutely no reason everyone shouldn’t be using one. To log in, all you need to do is double-click that SumRando icon on your desktop and you’re ready to surf. Think of it as part of your daily routine.

So quit procrastinating! It’s time we all started taking our online security a little more seriously. Sign up for a VPN today!

The Top 7 Ways to Stay Safe Online

There’s no silver bullet for online privacy and security. In fact, no matter what you do, if someone wants your information badly enough, there’s likely a way for them to get at it. That said, there are several measures every web surfer should be using to employ a solid level of security.

Anti-Virus Software

This one’s been mentioned a number of times on this blog and should pretty much go without saying. Unfortunately – and I’m looking your way Mac users – there are still a lot of people out there who just don’t use this basic security measure.

Anti-virus software typically works with a two-pronged approach. First and foremost, the software monitors all programs opened on the operating system and compares them against a dictionary of known malware. Anything that matches up is snuffed out. The dictionary approach requires regular updates, so, for the love of God, don’t ignore that update prompt!

The second approach monitors programs for suspicious behavior. This part is key for picking up new malware that might not be part of a dictionary yet. So, if one program starts writing code on another program, your anti-virus software will let you know. The trouble with this bit, however, is that is tends to pick up a lot of false positives and users are often numb to the warnings by the time an actual piece of malware is detected.

And remember, even if you have a Mac or Linux system, malware is out there, so get that anti-virus program installed!

Manage Tracking Cookies

It’s like being on a reality show where viewers see everything you do, except the viewers are trying to sell you things and the cameras are little devices called tracking cookies.

Online advertising is a big business and top dollar is paid to sites that provide advertisers with your most intimate details. Tracking cookies are little files installed by advertisers through your favorite websites that tell companies what sites you go to and what links you click on. And while tracking cookies aren’t the only way advertisers learn about your habits, it’s a big step in the right direction to stop them from reporting your activity.

Currently, nothing’s available that flawlessly blocks tracking, however, most browsers offer plug-ins that do a pretty good job. Notably, Taco (Targeted Advertising Cookie Opt-Out) for Mozilla Firefox maintains a list of opt-out cookies and regularly updates to keep advertisers at bay.

VPN

Virtual Private Networks or VPNs are simply awesome and among the best ways to keep your information safe online. If you work in an office environment, you probably use a company VPN to connect to your work email and files. But the incredible level of security offered through a VPN should not be limited only to your work materials. Logging onto a VPN client should be as second nature as opening your laptop.

Imagine a VPN as a tunnel through which all your online activity runs. When you web surf – especially if you’re surfing over an unsecured wireless network – your information is floating out there, ripe for the taking by unscrupulous hackers. But if you have VPN software installed and you log onto the Internet through it, all your data is encoded and appears as only garbled gibberish to cybercriminals. Better yet, since VPN’s route your information through their own servers, companies that want to track your IP address’s activity will never know who you actually are – all they get is the VPN’s address.

SumRando is pretty much the best VPN ever and you can sign up for its beta here.

Check Certificates

This issue popped up recently, but deserves another mention. Whenever you are prompted to run a plug-in, program, or anything by a website, your operating system will tell you whether or not it trusts the program’s certificate.

Think of a certificate as a signature. These signatures are issued by established third party organizations that verify the content on the web site is legitimate and trusted. If a window pops up to tell you the certificate is not trusted, stop. Make sure you know what you're downloading or running.

Passwords

This should be pretty obvious, but a frightening number of people don’t take password security seriously. Remember the big Yahoo! password leak last week? The list below represents the 10 most popular passwords.

·       123456

·       password

·       welcome

·       ninja

·       abc123

·       123456789

·       12345678

·       sunshine

·       princess

·       qwerty

Admittedly, ninjas are pretty neat, but maybe not so great when it comes to online security.

A good password should avoid words or numbers that are obviously relevant to you. Baxter416 might seem like a good password since it mixes letters and numbers and has a change of case, but if your dog is named Baxter and you were born on April 16^th, it won’t take long to figure out.

Use a separate browser for online banking

Attacks through browser vulnerabilities are very common and typically work to gain access to users’ sensitive data. And, without a doubt, banking information is the holy grail of sensitive information we’d rather not see in the hands of cybercriminals.

One of the best ways to avoid any sort of security compromise is to keep your banking sessions on a separate browser. That way, even if a hacker reveals your passwords and other login information, your hard earned money will remain safe.

Don’t be stupid

Your brain should be your first line of defense. I’m sorry, that Nigerian prince didn’t actually leave you $8 million in his will and nobody is sending you anonymous love letters.

When you are given a link to a website, look at it. Does the domain match where you should be going? The fact is, if something sounds too good to be true, it probably is. None of the mentioned security measures will do much if you're going to voluntarily put yourself in harm’s way.

Online tracking and what you can do to stop advertisers

On Monday, CBS ran a morning segment about targeted online advertising and the growing trend to market to users based on their online activity. They talked about ads targeted to site visitors based on what kind of computer they’re using, what other sites they’ve visited, and what they’ve purchased. But this shouldn’t come as a surprise to anyone who has spent any amount of time shopping online. Companies like Google, Facebook, EBay, Amazon and others are making a mint selling targeted ad space.

This woman has no idea what she's talking about.

The reporter concludes the segment saying, “Is there a way to stop them? Right now there’s not.”

I don’t know what passes for research at CBS, but there are several things you can do to prevent websites from tracking your activity. But before we get into that, let's explore how exactly online advertising works and why these companies are tracking your every move.

How it works

Every time you surf through, let’s say a shopping website (but don’t think that it’s limited to these sites), a third party advertising company that has an agreement with that website is logging your IP address, which pages you visit, how long you stay at those pages, how much you spend, how fast your internet connection is, and about a hundred other things that are combined to build a profile of who they think you are. That profile is then stored in one of your browser’s folders as a “cookie”. Now, pretty much all websites place cookies, but not all are used for advertising – many are important – giving users full access to a site’s features. But, if you have a tracking cookie, as you web surf and go to different sites, that cookie will track your movements and record what you do on those sites.

Furthermore, many sites have agreements with outside companies to whom your click information is forwarded whenever you visit. Let’s say you go on Ford’s website because you’re in the market for a new car. After shopping around for a while, you head over to the New York Times to catch up on news. If both of those companies have a relationship with the same third party advertising company (and it’s often the case that they will) that company might show an advertisement for a brand new Mustang on the New York Times.

Now here’s where it gets even more personal. Think about a company like Google. Google manages my email, my web searches, the route I take in my car, and a lot more. How much does Google know about me? You can bet they’ve got my name, my age, my geographic location, what I search for online, and pretty much every other little detail. Companies like Google have enough information to paint an extremely detailed portrait of their users.

So, what can you do to prevent companies from tracking your online activity?

Part 1: Opt Out

Since there are a few ways to go under the advertising radar, this will be broken into a two-part series. This week, we'll explore "opting out".

1.    Opt Out Cookies

A few years ago, investigators at the U.S. Federal Trade Commission decided that some internet users might not be very excited about having all of their personal data recorded and logged by advertisers. Thus was born the opt-out cookie. For every tracking cookie used by a company there is a corresponding FTC-required opt-out cookie that tells the advertising company they can’t track you.

If you want to go with this approach, it’s important to remember that there is no single blanket cookie that prevents all tracking – you need to download an opt-out cookie for every advertising company. Fortunately, a plug-in is available for most browsers that will maintain a catalogue of these cookies and ensure that yours are up to date.

2.    Do Not Track

Remember the Do Not Call list for telemarketers? This is basically the same thing but for online advertisers.

When you go to a site, information is sent to the site’s servers and in bits called headers. When you use Do Not Track – which is available as a plugin and will soon be available on Internet Explorer – a header is sent to websites notifying them that you are on the Do Not Track list.

Unfortunately, Do Not Track does not apply to sites in closed networks like Facebook and since there is no legal requirement forcing advertisers to go by this list and, from what we’ve seen, most of them choose to ignore it. But hey, it can’t hurt right?

3.    Use browser settings to disallow cookies

Image courtesy of infocarnivore.com

This is the nuclear option. As mentioned briefly above, many websites – especially social networking sites – require cookies to function properly in your browser. To execute this correctly, you’ll have to maintain an ‘allowed’ list so the cookies you do want will come in without any of the bad ones.

Admittedly, this is probably one of the most effective ways to prevent tracking. Unfortunately, it also requires the most upkeep and may not be worth the compromise for most.

Next: Part 2 — Virtual Private Networks