Who is watching you?

One thing we’ve been thinking about a lot lately is the way in which you’re never alone on the internet. Whatever you are doing, digitally (and yes, your loyalty card is digital), you’re being watched, tracked, and data-harvested. Various aspects of this pop up all the time: from cookie permissions that you have to tick to get to the page, to the ubiquitous targeted ads, to the recent development of polite requests to turn off your ad-blocking plugin, we are constantly reminded that our job is to be consumers.

As Madhumita Venkataramanan wrote last year in Wired magazine:

Even as you’re reading this — you may be sedentary, but your smartphone can reveal your location and even your posture — your life is being converted into… a data package; once it has been compiled into lists (interested in technology, subscribes to magazines, probably male, professional, high earner) by intermediaries known as data brokers, it’s sold on to data aggregators and analysts and eventually any company. Ultimately, you are the product.

This is a common statement about social media. No less august a body than the EU itself recently issued a warning: ‘Leave Facebook if you don’t want to be spied on’. They were talking not about shopping, but about the American NSA gathering data from citizens of other countries in the name of security. And America isn’t the only country that’s doing it. Web journalist Jacob Silverman coined a phrase – ‘open-source intelligence’ – to describe how ‘secret services around the world’ are ‘mining social media and other public forums’ for data – data which we, all of us, rush to provide.

Janet Vertesi, an expectant mum, conducted an experiment: she would try to keep her pregnancy secret from all the online marketers. Her marker of success was never to have an ad for baby or pregnancy goods targeted at her. She quickly found out that was going to be even harder than it sounded, ‘given how hungry marketing companies are to identify pregnant women’. Suffice to say that when she bought gift vouchers with cash one time too many, for buying things anonymously online, she ended up being threatened with the police.

For months I had joked to my family that I was probably on a watch list for my excessive use of Tor and cash withdrawals. But then my husband headed to our local corner store to buy enough gift cards to afford a stroller listed on Amazon. There, a warning sign behind the cashier informed him that the store “reserves the right to limit the daily amount of prepaid card purchases and has an obligation to report excessive transactions to the authorities.”

But what difference do your details make to anyone? There are millions of us – surely little old you can’t be that special. Vertesi’s link, above, is a chilling description of how minute the retailers’ interest in you is. John Naughton, in the Guardian, explains how you can see it in action for yourself:

If you want to get a sense of what drives this, install the Ghostery plug-in for your browser and then go and visit some of the sites you normally access. I’ve just looked up one at random – reed.co.uk, which describes itself as “the UK’s #1 job site”. It has 10 trackers at the landing-page level, but when you search for particular jobs in a particular location the number of trackers explodes. A search for “software architect” in Cambridge, for example, produces a page with 28 trackers.

There are various steps you can take to minimise your trackability. You can tick the ‘surf anonymously’ box in your browser – but if your browser is run by a large search engine, you might wonder whether it’s really in their interests to make you truly anonymous. You can install AdBlocker or another ad-blocking browser plugin. But websites are catching onto this. We admit that we were charmed by the beautifully graphic haiku someone had thought to write for the Forbes website, but it also shows how very much they want you to let the ads in. In any case, blocking ads solves only one problem. Just because you can’t see it doesn’t mean they’re not doing it.

If you feel that simply logging out of Google isn’t quite a robust enough step, you can use a browser that doesn’t track any of your activities. Try Tor or DuckDuckGo.

And if none of this feels like enough, you can always just get rid of all your loyalty cards, pay only cash for goods, and stay completely off the web.

Good luck with that.

Web security: don’t be shellshocked

For years, it’s been assumed that Windows-based PCs were at risk of security threats, and that Linux and Mac systems were safe, because not enough people used them to make aiming viruses at them worth the scammers’ time. But the new dangers are not viruses – they’re weaknesses in web systems that all computers use. It’s this that gives them such a potentially huge impact.

The three recent security flaws to hit the news are just little corners of systems left unsecured when they were developed. The web has changed so much, in terms of both how it’s coded and how we use it, that weak spots develop as new capability develops around them.

Heartbleed was the first of the new weak spots to be discovered. It attacks the SSL algorithms that make financial data secure on the internet. Basically, it meant that websites with the hyper-secure ‘https’ prefix – the ones we use for pushing our money around the place – had a small window open in the basement. Heartbleed compromised, potentially, the users of over half a million websites, including online banks and shopping outlets. The fixes began the instant the flaw was discovered, but they are still ongoing.

The best advice we can offer is to check with all the websites you send sensitive information through – all those with ‘https’ at the beginning – and see that they’ve patched their server. Then change your passwords. To find out more, read these articles in CNET, Business Insider and Vox.

Shellshock is a flaw in the Bash shell, which is essentially the Linux or Unix equivalent of the Windows command prompt. This is a pretty basic element of the operating system; Bash has been around for over 25 years and is extremely widely used in the Linux community. The good news is this one doesn’t impact on Windows computers, but the bad news is that many of the devices that provide security defences for networks, such as firewalls, are vulnerable – along with websites. Many of these have already been patched, but businesses should check with their providers.

There are informative articles on CNET, Business Insider, and Vox.

BadUSB is the most recent flaw to emerge in the news, and it gets us where it hurts – in our phones. It’s centred on code that underlies the ubiquitous USB protocol, which malware can search for and attach itself to, only to wreak havoc when the device is plugged into another computer – your laptop, say, or a colleague’s PC. Signs are that this is an open door that can be exploited easily, and would give attackers the ability to access data on a system that’s connected to a USB device. At the moment nobody really knows how to fix it, and as we all know, USB devices are everywhere. Our best advice at this stage is to limit your USB use wherever possible, especially of devices with a memory component. And remember that most devices have memory these days.

To learn more, see Business Insider and Wired.

We work hard to provide all our clients with the best possible web security. If you’re not sure yours is up to the mark, get in touch.