Internet Providers Lose Right to Sell Your Privacy (But Facebook & Google Still Can)

“There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information.” 

These were the words of Tom Wheeler, the chairman of the F.C.C., when it was announced that Federal regulators have approved new broadband privacy rules that require internet service providers like Comcast and Verizon to ask for customers’ permission before using or sharing much of their data. He went on to say that the information used “should be the consumers’ choice, not the choice of some corporate algorithm.”

Privacy groups were, of course, thrilled with the new rules, which move the United States closer to the stricter policies in European nations.  The industries that depend on online user data were not quite as happy, with the Association of National Advertisers labeling the regulations “unprecedented, misguided, counterproductive, and potentially extremely harmful.”

What does all of this really mean for consumers?

• A broadband provider has to ask a customer’s permission before it can tell an advertiser exactly where that customer is by tracking her phone and what interests she has gleaned from the websites she’s visited on it and the apps she’s used.

• Major broadband providers will have about one year to make the changes required by the new rules. After that, users will be notified of new privacy options through email or dialogue boxes on websites.

• The F.C.C. rules apply only to the providers’ broadband businesses.

• After the rules are in effect, broadband providers will immediately stop collecting sensitive data, including Social Security numbers and health data, unless a customer gives permission.

• For some less-private data, like names and addresses, there’s a more lenient approach. As with any online service, you should assume that broadband providers can use that information and you should “opt-out” of letting them do so.

• One “down side” to consider is that there is a chance that the removal of ads that allow for free and cheaper web services will result in those prices being passed on to consumers.

• Online ad giants, including Google, Facebook and other web companies, are not subject to the new regulations as the F.C.C. does not have jurisdiction over web companies. So Google does not have to explicitly ask people permission first to gather web-browsing habits, for example.

• AT&T, Verizon and Comcast will also still be able to gather consumers’ digital data, though not as easily as before. They will also still be able to purchase data from brokers.

Jay Stanley, senior policy analyst with the American Civil Liberties Union (ACLU) summed it up pretty clearly:  “Just as telephone companies are not allowed to listen in to our calls or sell information about who we talk to, our internet providers shouldn’t be allowed to monitor our internet usage for profit.”

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Some Simple Steps to Social Media Privacy

When was the last time you checked your privacy settings on your social media profiles? Being aware of the information you share is a critical step in securing your online identity. Below we’ve outlined some of the top social media sites and what you can do today to help keep your personal information safe.

FACEBOOK Social Media Privacy

Click the padlock icon in the upper right corner of Facebook, and run a Privacy
Checkup. This will walk you through three simple steps:

  • Who you share status updates with
  • A list of the apps that are connected to your Facebook page
  • How personal information from your profile is shared.

As a rule of thumb, we recommend your Facebook Privacy setting be set to “Friends Only” to avoid sharing your information with strangers. You can confirm that all of your future posts will be visible to “Friends Only” by reselecting the padlock and clicking “Who can see my stuff?” then select “What do other people see on my timeline” and review the differences between your public and friends only profile. Oh, and don’t post anything stupid!

TWITTER Social Media Privacy

Click on your profile picture. Select settings. From here you will see about 15 areas on the left-hand side. It’s worth it to take the time to go through each of them and select what works for you. We especially recommend spending time in the “Security and Privacy” section where you should:

  • Enable login verification. Yes, it’s an extra step to access your account, but it provides increased protection against unauthorized access of your account.
  • Require personal information whenever a password reset request is made. It’s not foolproof, but this setting will at least force a hacker to find out your associated email address or phone number if they attempt to reset your password.
  • Determine how private you want your tweets to be. You can limit who (if anybody) is allowed to tag you in photos and limit your posts to just those you follow.
  • Turn off the option called “Add a location to my Tweets”.
  • Uncheck the options that allow others to find you via email address or phone number.
  • Finally, go to the Apps section and check out which third-party apps you’ve allowed access to your Twitter account (and in some cases, post on your behalf) and revoke access to anything that seems unfamiliar or anything that you know you don’t use anymore.

Oh, and don’t post anything stupid!

INSTAGRAM Social Media Privacy

The default setting on Instagram is public, which means that anyone can see the pictures you post. If you don’t want to share your private photos with everyone, you can easily make your Instagram account private by following the steps below. NOTE: you must use your smartphone to change your profile settings; it does not work from the website.

  • Tap on your profile icon (picture of person), then the gear icon* to the right of your name.
  • Select Private Account. Now only people you approve can see your photos and videos.
  • Spend some time considering which linked accounts you want to keep and who can push notifications to you.

*Icons differ slightly depending on your smartphone. Visit the Instagram site for specifics and for more in depth controls.

Oh, and don’t post anything stupid!

SNAPCHAT Social Media Privacy

Snapchat’s settings are really basic, but there’s one setting that can help a lot: If you don’t want just anybody sending you photos or videos, make sure you’re using the default setting to only accept incoming pictures from “My Friends.”  By default, only users you add to your friends list can send you Snaps. If a Snapchatter you haven’t added as a friend tries to send you a Snap, you’ll receive a notification that they added you, but you will not receive the Snap they sent unless you add them to your friends list.  Here are some other easy tips for this site:

  • If you want to change who can send you snaps or view your story, click the snapchat icon and then the gear (settings) icon in the top right hand corner. Scroll down to the “Who can…” section and make your selections.
  • Like all services, make sure you have a strong and unique password.
  • Remember, there are ways to do a screen capture to save and recover images, so no one should develop a false sense of “security” about that.

In other words, (all together now) don’t post anything stupid!

A Final Tip: The privacy settings for social media sites change frequently. Check in at least once a month to ensure your privacy settings are still as secure as possible and no changes have been made.


The Ashley Madison Hack: An Affair to Remember FOREVER


Come on, admit it. Don’t you feel just a little satisfaction watching 37 million adulterers exposed in the Ashley Madison hack? “They do kind of deserve to be cheated just a bit for being cheaters,” someone in one of my keynote speeches commented.

In this case, the hackers weren’t seeking money, they were seeking revenge. Their goal was to get Ashley Madison to shut down the site because they said it wasn’t living up to its own privacy policy (they weren’t). But to side with the hackers is a bit like saying it’s okay to pepper spray customers to keep them from going into a store you’re morally opposed to. In other words, be careful when you condone the use of customers as pawns to fuel change. You just might be the next customer to become a victim, and your data could be just as sensitive (your medical records, divorce proceedings, kids’ geographical location or your online video viewing habits).

I, like many others, have a hard time feeling sorry for the consequences of the stupid and poor choices some have made. It’s not like the victims of the Ashley Madison hack are in the same category as the innocent mom who shopped for holiday presents at Target, or the senior citizen who had their Social Security number breached due to Anthem’s careless cyber security.

However, as someone committed to protecting moms and senior citizens and everyone else from experiencing the blowback from thieves, exploiters and liars, I just can’t stay away from this one. Because even non-users are ultimately affected by the Ashley Madison hack.

How the Ashley Madison Hack Affects Non-Users Like You

  1. This hack has continued with the precedent set by the Sony hackers because they not only stole the information, but they are blackmailing the company by threatening to make the data public unless the company accedes to their demands (stopping the release of “The Interview” or shutting Ashley Madison down). And the blackmail often works, meaning that this trend will continue!
  2. Besides the effect of having divorce lawyers calling their Maserati dealer to order a new car, this has allegedly led to suicides and to the resignation of Noel Biderman, the chief executive officer of Avid Life Media Inc., the company behind Ashley Madison. After major breaches (Sony, Target, OPM, Ashley Madison), the highest executive becomes the sacrificial lamb.
  3. In addition to the database of users’ names, addresses and the type of extramarital arrangement they were looking for, hackers have also gotten information on 9,693,860 credit and debit card transactions conducted on the site since 2008, opening the doors wide for identity theft. I can almost guarantee that this will affect someone in your life.
  4. Cyber extortion has erupted because Ashley Madison has gone on the offensive and offered a bounty for the “capture” of the enemy. The site is offering a reward of $500,000 for information that leads to the successful arrest and prosecution of the people who stole and leaked its data. This sets an alarming precedent of the weaponization of consumer information and the resulting retaliation.
  5. Perhaps the scariest consequence of all is that after the hackers followed through on their threat to make the information public (after AM officials called the hack bogus), enterprising coders created online tools that allowed anyone to easily search the breached Ashley Madison data to see if their friends, family, partners and spouses used the website. That almost guarantees that the breach data will be used to commit fraud (many times breached data is recovered before it is exposed on the open market).

If you are thinking, “serves them all right”, just realize that next time it might be your employer’s or bank’s website. It could be your doctor, your hospital or political organization. It could be the data from your child’s school. And it could be an affair you will never forget.

John Sileo is an award-winning author and keynote speaker on cyber security, identity theft, internet privacy, and fraud. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Sony Cyber Attack: A Case Study in Cyber Leadership Failure


Cyber Leadership Only Gets Attention AFTER THE ATTACK

I am the first to admit that protecting your company against cyber attacks and the resulting data breach is a daunting task. There are thousands of moving parts connecting your systems, people, customer/employee data and the Internet. Most companies that are breached (e.g., Target, Home Depot, Staples, Chase Bank) take more steps than the average business to protect their customer data. But just taking more steps isn’t always enough; you have to take the right steps.

The recent Sony “Interview” Cyber Attack, in contrast, shows a blatant disregard of basic cyber leadership principles, making it a perfect case study for what you should NOT do as an executive protecting the data on which your business runs. Let’s go back a step. Sony Corporation suffered a crippling cyber security attack (supposedly from North Korea at the hands of a group calling themselves the Guardians of Peace) because of the controversial nature of its movie, The Interview, which depicts the attempted assassination of its leader, Kim Jong-un. The consequences of the hack will number in the hundreds, the costs in the hundreds of millions.

Immediate Consequences of the Sony Cyber Attack

  • Sony forced to cancel the 12/25 release of “The Interview” and then suffers massive negative PR for giving in to the cyber criminals
  • Sony’s entire network was shut down for the better part of the week, meaning no one could really work (that had to be costly)
  • Hackers spoil the release of five upcoming Sony movies by leaking them early including Brad Pitt’s Fury and Annie
  • Hackers release pre-bonus salaries of Sony’s Top 17 Executives and 6,000 employees
  • Hackers expose passport and visa PDFs of cast and crew members, including Angelina Jolie and Jonah Hill
  • Hackers divulge 25-page list of employee workplace complaints
  • Hackers share 30,000 Deloitte consultant salaries, and medical information on a number of Sony employees
  • Sony’s former employees file three early class-action lawsuits against Sony because of negligent handling of employee data
  • A trove of embarrassing emails between Sony execs and various recipients expose C-Level racial bias
  • In an embarrassing email, Sony executives out Angelina Jolie as a “spoiled brat”
  • After being reprimanded by President Obama, Sony decides to release “The Interview” (after suffering millions in losses)

Cyber Leadership Lessons of the Sony Cyber Attack

Your organization can learn from the Sony Attack in a way that helps you avoid their costly fate. But you must communicate these lessons to your team:

  • Leverage the Hack. As you might recall, this isn’t the first high-profile hack at Sony. The Sony Playstation Network was attacked and 77 million records were compromised with an early price tag set at over $1 Billion. After their first major data breach, most companies get dead serious about protecting their information assets. Sony apparently did not. Good companies get hacked all the time (yes, yours will too), but wise companies leverage the pain of that first attack to motivate change and minimize the impact of subsequent attacks. If you are the average organization that we work with here at The Sileo Group, you are likely taking only a fraction of the steps you should be prior to an embarrassing cyber attack. As a rule of thumb, you throw a small technology budget at cyber security so that you feel better, but do little to train the humans that are ultimately responsible for getting that technology to work. I can live with that, because it seems to be part of business DNA to ignore a problem until it’s tangible. But to continue to ignore data security after your first wakeup call is arrogant, costly and a sure sign of an ineffective leader.
  • Start with Executive Ownership. The root of corporate culture begins at the top. As executives behave, so will the employees beneath them. Sony CEO Michael Lynton routinely received copies of his usernames and passwords in unsecured emails for his and his family’s mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. If the CEO of the company doesn’t practice good password habits, safe email procedures and basic cyber-security protocols, he or she CANNOT EXPECT the rest of the company to do so. When we see companies with executives and managers that don’t follow internal security guidelines, we know that we are dealing with an unhealthy culture weakened by hypocrisy, denial and lack of ownership. Before security will work, you MUST CHANGE THE UNDERLYING CULTURE. You’ll know the culture has changed when your executives think about what they write in emails before sending them (or at minimum they securely encrypt any emails with racist, sexist or otherwise abhorrent opinions).
  • Pick the Low-Hanging Fruit First. Companies often spend voraciously on firewalls and anti-virus, threat-detection software and encryption, but forget to solve the simple problems first. They spend because it feels good, even if it’s ineffective. For example, some of the Sony files breached by the Guardians of Peace had filenames like “Passwords” (you guessed it, they contained company passwords).  The attackers were able to obtain such information as movie-star e-mails, confidential mega-deals, payroll information, released and unreleased films, employee medical records, Social Security numbers, photocopies of U.S. passports and driver’s licenses, attachments with banking statements and even aliases actors use when checking into hotels. Security is a bit like picking fruit – some fixes are instant, inexpensive and low-hanging. Just because they are EASY doesn’t make them LESS IMPORTANT. Why import avocados from overseas when you have some hanging in your own back yard? Running a simple system-wide file search on words like “password”, “financials”, “confidential” and a handful of critical terms is the most basic of procedures. Training employees on good password habits (and then holding them accountable), is easy and inexpensive, especially if you make the training entertaining and therefore memorable. Other low hanging fruit: Making regular backups that allow you to recover hacker-sabotaged data; Strong, constantly-updated anti-virus software and OS patches; Default-deny firewalls; Spam malware filtration; secure Wi-Fi networks; protected mobile devices…
  • Don’t make unflattering movies about unstable dictators unless you’re prepared to be the poster-child of 1st Amendment rights. 
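The “low-hanging fruit” lesson above recommends a system-wide file search for words like “password”, “financials” and “confidential”. The script below is an added example of that sweep, written for this page; it is not code from The Sileo Group or from the Sony investigation. It walks a directory tree, flags files whose name or leading content contains one of the keywords, and reports each hit with the reason. The sample directory it builds (`Passwords.xlsx`, `onboarding.txt`, and so on) is constructed for the demonstration; the keyword list, the 64 KiB head-read limit and the 50 MB size cutoff are assumptions you would tune for your own environment.

```python
import os
import re
import tempfile
from pathlib import Path

# Keywords the post suggests searching for. Matched as case-insensitive
# substrings, so "Passwords.xlsx" and "CONFIDENTIAL - do not forward" both hit.
DEFAULT_KEYWORDS = ("password", "financials", "confidential")

# Only the first 64 KiB of each file is inspected so the sweep stays cheap on
# large trees (assumed limit; raise it if keywords sit deeper in your files).
HEAD_BYTES = 64 * 1024


def _keyword_pattern(keywords):
    """Compile one alternation regex from the keyword list."""
    return re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)


def find_sensitive_files(root, keywords=DEFAULT_KEYWORDS, max_size=50 * 1024 * 1024):
    """Walk `root` and return sorted (relative_posix_path, reason) tuples for files
    whose name or leading content contains one of `keywords`.

    reason is "name" when the filename matched (content is not read in that
    case) and "content" when only the contents did. Files are read as bytes
    and decoded with errors ignored, so plain-text occurrences inside binary
    containers are still caught, while undecodable bytes are skipped quietly.
    """
    pattern = _keyword_pattern(keywords)
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if pattern.search(name):
                hits.append((rel, "name"))
                continue
            try:
                if path.stat().st_size > max_size:
                    continue  # assumed cutoff: very large files are skipped, not scanned
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable (permissions, special file): move on
            if pattern.search(head.decode("utf-8", errors="ignore")):
                hits.append((rel, "content"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample directory (not real data) that mirrors the
    hygiene problem the post describes, and return its path."""
    root = Path(tempfile.mkdtemp(prefix="sweep_"))
    (root / "hr").mkdir()
    (root / "marketing").mkdir()
    # Filename alone gives this one away, whatever the contents are.
    (root / "hr" / "Passwords.xlsx").write_bytes(b"\x00binary placeholder\x00")
    # Innocent name, sensitive content.
    (root / "hr" / "onboarding.txt").write_text("Welcome! Your temp password is Welcome123\n")
    # Clean file: should not be reported with the default keywords.
    (root / "marketing" / "q3_plan.txt").write_text("Q3 campaign plan, nothing secret here\n")
    # Keyword match is case-insensitive.
    (root / "marketing" / "deck.txt").write_text("CONFIDENTIAL - do not forward\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in find_sensitive_files(sample):
        print(f"{reason:8} {rel}")
```

Run it as-is to see the three hits from the constructed tree, or call `find_sensitive_files("/path/to/share")` against a real share. A hit is a prompt to move the file into a password manager or an access-controlled store and to ask why it was there, not proof of a breach.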

As former Defense Secretary Leon Panetta predicted in a speech in October 2012, it would take a cyber “Pearl Harbor”—a power-grid collapse, poisoned municipal water supply, loss of lives—to make Americans appreciate computer vulnerability. Let’s hope that Sony’s casebook example of Cyber Leadership Failure will at least wake up your company, thereby preventing a cyber “Pearl Harbor” in your organization.

John Sileo delivers keynote speeches designed to make security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact The Sileo Group directly on 800.258.8076.

After Dropbox Breach, Is It Safe to Use? (Snowden Would Say No)


Did Edward Snowden Actually Comment on the Dropbox Breach? No.

Almost as fast as every media source out there could jump on the “Yet Another Breach” bandwagon and report that Dropbox had been hacked, the company was denying it. So let’s play a little game of true or false to try to sort out fact from fiction:

Statement: Hackers were able to access logins and passwords of Dropbox users and then leaked 400 account passwords and usernames on to the site Pastebin.

True.

Statement: The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.

True. (In fact that is a direct quote from the Dropbox blog of October 13, 2014 in which they bluntly proclaim “Dropbox wasn’t hacked”.)

Statement: The post also threatened that 6.9 million further Dropbox account details had been obtained, including photos, videos and other files, which they were prepared to leak for Bitcoins.

True. What is unclear is whether or not they have any valid data. There have been a few more pastes of credentials, but they do not appear to be genuine. Also, Dropbox claims, “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

Statement: Edward Snowden thinks we should stop using Dropbox because of the breach.

False. Okay, this was a trick question. Snowden does think we shouldn’t use Dropbox, BUT he stated that long before the “breach” made the news. Instead, he said that those who care about their privacy should “get rid of Dropbox” because he considers it “hostile to privacy,” saying it doesn’t support encryption. Again, Dropbox responded to his comments in a June 2014 post, stating, “All files sent and retrieved from Dropbox are encrypted while traveling between you and our servers,” as well as when they’re “at rest on our servers.”

For Snowden, who urges people to consider an alternative like SpiderOak, the difference is that SpiderOak encrypts the data while it’s on your computer, as opposed to only encrypting it “in transit” and on the company’s servers. I have to agree that this is a more secure form of file storage and so, like in everything cyber security related, it is a matter of degrees. 

Ask yourself three questions to determine what’s the right storage solution for you:

  1. Are the files you store in the cloud (e.g. Dropbox) ones that wouldn’t cause you to lose sleep if they were made public? If so, then Dropbox is a good solution. That said, you MUST enable two-factor authentication on the service to keep it as protected as possible.
  2. Are the files sensitive enough that you’d still like a cloud-based solution for convenience sake, but need more security? Then a service like SpiderOak might be right for you. There are many other options out there of varying security levels.
  3. If the files you store in the cloud (e.g., Dropbox) were to be hacked, would the damage be irreparable? If so, DON’T STORE THESE PARTICULAR FILES IN THE CLOUD! Instead, store them on servers that you own, control and constantly monitor. If the files are that confidential, disconnect the server they are stored on from the internet. Then again, that isn’t practical for most situations.

Final Statement: Password re-use is the real culprit in this supposed Dropbox breach.

TRUE, TRUE, TRUE! Remember, even if Dropbox wasn’t technically hacked, the final result is that user accounts have been compromised, and that is something we can’t continue to ignore. I can’t stress enough how important it is to use a strong password and even better, to use a strong password manager, like 1Password. And, as mentioned above, 2-Step Verification is a MUST for all but the most casual Dropbox users.

How is your organization using the cloud?

John Sileo delivers keynote speeches on cyber security, identity theft, internet privacy and social engineering. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

A Smarter Solution for Thief-Proof Passwords


Product Review on Password Manager Software

It often amazes me to find out how many people shy away from implementing ideas that they KNOW will make them safer. There are a multitude of reasons I know:

  • Ignorance: “I didn’t know there was a helmet law in this state.”
  • Fear: “But if I put my money in a bank, there could be a run on it.  It’s safer under my mattress.”
  • Misunderstanding:  “Well, I thought that sign meant I could park here for free on Sunday.”
  • Laziness: “It’ll be okay to leave my laptop on the table while I run to the bathroom real quick.”

I could reel off ideas for literally hours, and every one of these reasons relates directly to not safeguarding your passwords as well. But I want to assure you that it may be THE most important thing you do to secure your data. One of the easiest things anyone can do is utilize a password manager program. There are a lot to choose from but the one I personally recommend is the award-winning 1Password, which remembers and securely encrypts all of your passwords so you don’t have to. You merely come up with one secure master password and then train 1Password to log in to sites for you.

So what exactly are the features of 1Password?  There are a LOT!  The best:

  • Strong password generator— a single click gives you a random, extremely strong new password using combinations of hyphens, digits, symbols and mixed-case letters.  No more having to think of (and try to remember!) catchy, unhackable passwords for each account.
  • All these strong passwords are saved within 1Password in a highly protected way, and are ready to be automatically accessed when needed by simply typing one master password that only you know.
  • Ease of use– one click can open your browser, take you to a site, fill in your username and password, and log you in.
  • 1Password can sync your data across all your devices automatically through iCloud and Dropbox, or locally over Wi-Fi where your data never leaves your network.
  • The vault will store your credit cards, reward programs, membership cards, bank accounts, passports, wills, investments, private notes and more.  It has been compared to a 21st-century digital wallet.  (But no one can pickpocket you.)
  • 1Password is one of the few password manager options to allow file attachments, so you can safely store related receipts and images, and it will also keep track of your software licenses.
  • 1Password can show all your items with weak, duplicate, and old passwords so you can decide which ones to fortify and update.  No more using five variations of your childhood dog’s name.  It will look at the strength of each password as well as find duplicate passwords and replace them with strong, unique ones.
  • 1Password is fluent in multiple platforms and browsers, including Mac, Windows, iPhone, iPad, Android, and Windows Phone.
  • If your 1Password vault is in Dropbox or a USB thumb drive, you can decrypt and use it from any traditional computer in the world with a modern browser including Safari, Chrome, Firefox and Opera. This has security implications of its own, which I’ll address in a later post.
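Two of the features listed above, the strong password generator and the audit for weak, duplicate and old passwords, are the same checks that the Dropbox post earlier on this page says would have caught password re-use. The script below is an added example that shows both in working code; it is not 1Password’s code or any part of its product, and it makes no claim about how 1Password implements them. Passwords come from the operating system’s CSPRNG via Python’s `secrets` module; the strength estimate (bits = length × log2 of the character classes used), the 60-bit weak threshold and the 365-day age limit are assumptions chosen for the demonstration, and `SAMPLE_VAULT` is a constructed vault, not real credentials.

```python
import math
import secrets
import string
from collections import defaultdict
from datetime import date

SYMBOLS = "-_!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG, re-drawn until it
    contains at least one lowercase, uppercase, digit and symbol character."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def estimate_bits(password):
    """Rough strength estimate (assumed model): length * log2(charset size),
    where charset size sums the character classes actually present.
    Dictionary words are not detected; treat the result as an upper bound."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def audit_vault(entries, today, min_bits=60, max_age_days=365):
    """Audit vault entries ({"site", "password", "last_changed": date}) and
    return {"weak": [...], "duplicate": [...], "old": [...]} as sorted site lists.
    A site is 'duplicate' when its password is shared with any other site,
    which is exactly the re-use problem behind credential-stuffing attacks."""
    by_password = defaultdict(list)
    weak, old = [], []
    for e in entries:
        by_password[e["password"]].append(e["site"])
        if estimate_bits(e["password"]) < min_bits:
            weak.append(e["site"])
        if (today - e["last_changed"]).days > max_age_days:
            old.append(e["site"])
    duplicate = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    return {"weak": sorted(weak), "duplicate": duplicate, "old": sorted(old)}


# Constructed sample vault for the demonstration; none of these are real accounts.
SAMPLE_TODAY = date(2014, 10, 20)
SAMPLE_VAULT = [
    {"site": "dropbox", "password": "summer2012", "last_changed": date(2012, 6, 1)},
    {"site": "forum", "password": "summer2012", "last_changed": date(2014, 9, 1)},
    {"site": "bank", "password": "Tr0ub4dor&3", "last_changed": date(2014, 1, 15)},
    {"site": "email", "password": "correct-horse-battery-staple-9", "last_changed": date(2013, 3, 1)},
]


def audit_sample_vault():
    """Run the audit over the constructed vault."""
    return audit_vault(SAMPLE_VAULT, SAMPLE_TODAY)


if __name__ == "__main__":
    report = audit_sample_vault()
    for category, sites in report.items():
        print(f"{category:10} {', '.join(sites) or '-'}")
    # Replacement for every flagged entry: one fresh, unique password each.
    for site in sorted(set(report["weak"]) | set(report["duplicate"])):
        print(f"new password for {site}: {generate_password()}")
```

In the constructed vault, `dropbox` and `forum` share the same weak password, so a leak from the forum would hand an attacker the Dropbox login as well; that is the “final statement” of the Dropbox post in miniature. Once the audit flags them, each gets its own generated password, which is the habit a password manager makes painless.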

The prices vary based on the platform used and license purchased, but the prices are reasonable and worth it!

Fully 50% of the corporations that I work with and speak to have had data breaches due to poor password habits. Surprising, given how many of those would have been avoided had they simply used password manager software like 1Password.


Facebook Using Your Likes, Browsing History & Mood Manipulation

When you read the recent blog post from Facebook about how they’re going to “Make Ads Better” and “Give People More Control”, you really want to believe them.  You want to believe that they’re really just trying to make your life easier by providing ads relevant to your “likes” and apps you choose to install.  Sure, if I have the MLB app, why wouldn’t I want to know about a sale on caps for my favorite ball team?  Or if I’m an exercise nut, getting the latest gear for my next triathlon might be really important to me and save me the time of searching for it.

But the bottom line is this: Facebook is going back on something they promised years ago.  Not only are they using our likes and apps to market to us, they’re also using our browsing history to target ads.  They can “only” use information from sites that have Facebook buttons (to like, recommend or share) or that you can login to with your Facebook account, but these days, that’s practically any site!

Of course, we can opt out, but it shouldn’t be our problem in the first place!  And according to a recent survey by Consumer Reports, 76% of consumers said it was of little or no value to them that ads on the websites they visit or in the apps they use show products and services that match their interests.  (Learn how to opt out here.)

When Facebook settled charges with the FTC in 2012 for deceiving consumers, part of the settlement said Facebook is required to get the consent of users before making changes to its privacy settings. Rest assured they will push the limits of what constitutes such changes.  (For more evidence of that, read about the controversial “mood manipulation” experiment they conducted that has recently come to light. By the way, mood manipulation is very different than “split testing” ads, which is Facebook’s excuse. Poor excuse.)

As always, consumers (and information privacy advocates) must continue to monitor their moves.


Facebook Privacy Settings Get Needed Update


Facebook Privacy Settings… Some may say it’s too little, too late. I’m relieved that Facebook is finally responding to concerns about their confusing and weak privacy settings.  The social media giant (who has been losing customers of late) has recently made several changes to their settings.

Facebook Privacy Settings Update

  1. Additional photo settings.  Your current profile photo and cover photos have traditionally been public by default. Soon, Facebook will let you change the privacy setting of your old cover photos.
  2. More visible mobile sharing settings.  When you use your mobile phone to post, it is somewhat difficult to find who your audience is because the audience selector has been hidden behind an icon and this could lead to unintended sharing.  In this Facebook privacy settings update, they will move the audience selector to the top of the update status box in a new “To:” field similar to what you see when you compose an email so you’ll be able to see more easily with whom you are sharing.
  3. Default settings for new users.  Instead of automatically defaulting to “public”, new users will now have their default set to “friends”.  They will also be alerted to choose an audience when they post for the first time. This is a significant step in the right direction of a business best practice called Privacy by Default.
  4. Privacy checkup tool.  Users may encounter a “privacy dinosaur” (pictured above) that pops up to lead them through a privacy checkup.  (At this time, it is not a consistent feature: Facebook is “experimenting” with it.) The privacy checkup tool will cover a number of settings, including who they’re posting to, which apps they use, and the privacy of their profile information.
  5. Public posting reminder.  The privacy dinosaur will also remind you when you’re about to post publicly to prevent you from sharing an update with more people than you intended.
  6. Anonymous login.  This feature allows you to log into apps so you don’t have to remember usernames and passwords, but it doesn’t share personal information from Facebook. Traditionally, people using Facebook Login would need to allow the website or app to access certain information in their profiles. I’m also happy to see Facebook moving in this direction, as universal logins are one of the easiest backdoors for cyber criminals to exploit.

Facebook has been criticized for unreasonably complicated privacy settings, paid a $20 million settlement over using members’ names and likenesses in ads without their consent, and frankly never seemed to care very much about personal privacy.

I’m guessing that Facebook has learned a valuable lesson: that by giving their customers the privacy controls they desire, they are creating happier, more loyal users, which is a long-term strategy for success. The need for change hasn’t disappeared, but these Facebook privacy settings are a step forward.


Internet Privacy Expert Reviews DuckDuckGo Private Search Engine


You certainly don’t need to be an internet privacy expert to be bothered that Google and Bing record every search you type, compile that data into a profile of who you are and then pass it downstream to people who want to get to know you intimately (including criminals). Cases of search and browser surveillance have been documented for years. Consider a hypothetical: your daughter types the word “bankruptcy” into your browser while doing a high school report, that term is sold to the credit card company you happen to visit next, and it serves you a page with a higher APR because you’ve been “flagged” as a high-risk customer (thanks to your daughter’s innocuous search).

The implications are even greater for companies, which have a lot to lose when surfing behavior falls into the hands of corporate spies, foreign governments or organized criminals. Case in point: I recently delivered a keynote address as an internet privacy expert to a group of Latin American journalists at a BlackBerry conference. One of the most common questions the journalists asked was how to keep Google from recording their private (and potentially politically sensitive) search terms.

I told them that completely private browsing is impossible, but that there are steps you can take to minimize the amount of personal information being collected about you. One of those steps is to use a private search engine like DuckDuckGo.com.

Go to DuckDuckGo.com and you are immediately struck by its simple design. Behind the clean design is a fairly sophisticated search engine that emphasizes protecting user privacy. While I don’t get to see behind the magic curtain, I do believe that DuckDuckGo’s mission is to keep your search behavior out of the hands of corporations that want to market to you, governments that want to eavesdrop and criminals trying to crack into your net worth. Here are some of the internet privacy advantages of DuckDuckGo:

  • It doesn’t store your IP address (a piece of ID that lets others tie your searches together and trace them back to you).
  • It does not log user information (and therefore has nothing to share or sell!).
  • It only uses cookies when necessary, which is to say to remember your settings. That’s vague, but you can lock it down further with your browser’s cookie settings.
  • It does not create a “filter bubble” based on your previous “likes” and searches, so results aren’t “one-sided”.
  • It does not bombard you with ads, just a simple “sponsored link” at the top of your search results.

Though it doesn’t really affect your internet privacy, DuckDuckGo also focuses on getting results from the best sources, not the most sources. I like the “instant answers” box that prunes out the clutter, as well as the lack of “next” pages (it’s just a continuous list of search results). The “!Bang” commands (“kittens !yt” searches only on YouTube) are a nice touch.

If I have one reservation about this private search engine, it’s the graphical simplicity. The results are fairly vanilla, with little to distinguish between different types of listings (social media, videos, ads, etc.). In the images below, the first is from Google and the second from DuckDuckGo. Many users appreciate the quieter design, but I find that it requires me to read a bit more before I find the result I am looking for. DuckDuckGo has said that its newest version (coming out soon) will give users a better graphical interface. In the meantime, this particular online privacy expert will use DuckDuckGo any time I don’t want my searches tracked, and Google when I need a fancier display.

John Sileo is an internet privacy expert specializing in keynote presentations that make security fun, so that it works. His clients include the Department of Defense, Blue Cross, Visa, Homeland Security and associations of all sizes. Contact John on 303.777.3221.

[Screenshot: example search results from Google]

[Screenshot: example search results from DuckDuckGo]

Microsoft Warns of Internet Explorer Security Gap


Until Microsoft issues a security fix, I recommend discontinuing your use of Internet Explorer, regardless of version.

A Security Advisory released by Microsoft on April 26 states that the company is “aware of limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11.

According to the advisory, the vulnerability lets an attacker host a specially crafted website designed to exploit Internet Explorer, then convince a user to view that website.

An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The company is working on a security fix that it will provide in an upcoming software update. Until then, Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software. I encourage you to use Firefox, Chrome or another browser.

What to do until Microsoft issues a fix

  1. As always, don’t click on links unless you know and trust the sender.
  2. Download Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET), which hardens IE against the memory-corruption techniques this kind of exploit relies on.
  3. The exploit seen in the wild depends on Adobe Flash to get around IE’s memory protections, so disabling the Flash plugin within IE stops that exploit from working. Note that this blocks the known attack, not the underlying vulnerability, which still needs the patch.
  4. According to FireEye, the security firm that discovered the attacks, Enhanced Protected Mode (EPM) in IE10 and IE11 prevents the exploit. It is not turned on by default; you enable it under Internet Options > Advanced > Security.
  5. Security experts say it may be simpler to use another browser, such as Google’s Chrome, Mozilla’s Firefox or Opera Software’s Opera.
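For readers who manage more than one Windows machine, steps 3 and 4 above can be audited and applied from PowerShell rather than clicked through per user. The script below is an added example, not something from Microsoft’s advisory or FireEye’s write-up. It assumes the registry locations Microsoft uses for these settings as I know them: the `Isolation` value under the per-user `Internet Explorer\Main` key controls Enhanced Protected Mode, and the ActiveX “kill bit” (bit 0x400 of `Compatibility Flags` under `ActiveX Compatibility`) tells IE never to load a control, here applied to the Shockwave Flash Object’s CLSID. Verify on a test machine before rolling it out.

```powershell
# Added example: audit, and optionally apply, the two IE mitigations discussed above
# (Enhanced Protected Mode on, Flash ActiveX control disabled). Registry paths and
# values are assumptions based on documented Microsoft settings, not taken from the post.

$EpmKey     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object
$KillBitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
$KillBit    = 0x400   # Compatibility Flags bit: IE must never instantiate this control

function Get-IEMitigationState {
    # Read both settings without failing if the keys do not exist yet.
    $main = Get-ItemProperty -Path $EpmKey     -ErrorAction SilentlyContinue
    $kb   = Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnhancedProtectedMode = ($main.Isolation -eq 'PMEM')       # 'PMIL' or missing = off
        EPM64BitTabs          = ($main.Isolation64Bit -eq 1)       # 64-bit content processes
        FlashKillBitSet       = ($null -ne $kb -and (([int]$kb.'Compatibility Flags' -band $KillBit) -ne 0))
    }
}

function Enable-IEMitigations {
    # Supports -WhatIf so you can see the changes before making them.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($EpmKey, 'Enable Enhanced Protected Mode')) {
        New-Item -Path $EpmKey -Force | Out-Null
        Set-ItemProperty -Path $EpmKey -Name Isolation      -Value 'PMEM' -Type String
        Set-ItemProperty -Path $EpmKey -Name Isolation64Bit -Value 1      -Type DWord
    }

    if ($PSCmdlet.ShouldProcess($KillBitKey, 'Set kill bit on the Flash ActiveX control')) {
        # HKLM write: run from an elevated shell.
        New-Item -Path $KillBitKey -Force | Out-Null
        $existing = (Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$existing -bor $KillBit     # preserve any flags already present
        Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

$state = Get-IEMitigationState
$state | Format-List
if (-not ($state.EnhancedProtectedMode -and $state.FlashKillBitSet)) {
    # Drop -WhatIf to actually apply; restart Internet Explorer afterwards.
    Enable-IEMitigations -WhatIf
}
```

Two caveats a practitioner will want: Enhanced Protected Mode is a per-user setting and can break older add-ons (including Flash itself), and the kill bit is machine-wide, so any other application that hosts the Flash ActiveX control will lose it too. Neither change fixes the vulnerability; they only deny the known exploit the components it depends on until the patch is installed.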